Docker and kernel security
“Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.” – Dan Walsh, SELinux architect (?)

“There’s contentions all over the place that containers are not as secure as hypervisors. This is not actually true. Parallels and Virtuozzo, we’ve been running secure containers for at least 10 years.” – James Bottomley, Linux Maintainer and Parallels CTO

“Virtual Machines might be more secure today, but containers are definitely catching up.” – Jerome Petazzoni, Senior Software Engineer at Docker

“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write an operating system or application without security holes, can then turn around and suddenly write virtualization layers without security holes.” – Theo de Raadt, OpenBSD project lead, https://fosdem.org/2015/schedule/event/zombieapocalypse/

“For Google I would say that security is probably the number one priority; for KVM it is the killer feature, otherwise we could just sell people Docker containers or just let them run on Linux processors. So the main thing that VMs actually provide is that isolation, and all our VMs are on KVM.” – Andrew Honig, tech lead on the Cloud Security Team at Google, https://youtu.be/L7ScFlkJEO8?t=33

“The inter-process isolation provided by a monolithic kernel such as Windows or Linux could never be compared to the inter-VM isolation offered even by the most lousy hypervisors. This is simply because the sizes of the interfaces exposed to untrusted entities (processes in case of a monolithic kernel; VMs in case of a hypervisor) are just incomparable.” “Sadly … we have finally come to the conclusion that consumer Windows OS, with all those one-would-think sophisticated security mechanisms, is just not usable for any real-world domain isolation.” – Joanna Rutkowska, security researcher and architect of Qubes OS, http://blog.invisiblethings.org/2014/01/15/shattering-myths-of-windows-security.html
Agenda
• Not about Docker security (see Adrian's talk, 4/6)
• Entropy
• History of Kernel Security
• Conclusion
https://youtu.be/04LOuMgNj9U
Entropy: Peter Sewell, Cambridge @31C3
http://media.ccc.de/browse/congress/2014/31c3_-_6574_-_en_-_saal_1_-_201412301245_-_why_are_computers_so_and_what_can_we_do_about_it_-_peter_sewell.html
[Diagram: stack without virtualization (HW / OS / App) beside the hardware-virtualized stack: HW / VIRT / three Virt HW slots, each carrying its own OS and Apps]
IAAS with HW virt
• AWS
• Azure Infra
• Google Compute Engine
• Joyent
[Diagram: HW / HWVIRT / three Virt HW slots / three OSes; each OS hosts its application's components (db, web, file, middleware, etc.) for App1, App2, App3]
http://bit.ly/2014-cloud-mq
PAAS
• EC3
• Azure App Service
• Google App Engine
[Diagram: PaaS layout where the platform's shared services (db, web, file, middleware, etc.) serve App1, App2, App3]
Jérôme Petazzoni explaining:
• The only difference between a-process-in-a-container and a-process-not-in-a-container is a few labels on top of a process that say this is in container X
• A context switch between two containers is exactly the same as a context switch between two processes
https://youtu.be/pUQ5ukrVaH4?t=600 https://youtu.be/pUQ5ukrVaH4?t=667
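The "labels" Petazzoni refers to are the namespaces and cgroups the kernel attaches to a process, and the kernel exposes them under /proc. The Go program below is an added example (not Petazzoni's or Docker's code) that an incident responder can use to answer the question the slide raises: is a given PID an ordinary host process or a container member, and which namespaces separate it from PID 1? It parses constructed /proc/<pid>/cgroup samples and assumes Docker's default cgroup path naming (".../docker/<id>" or "docker-<id>.scope"); other runtimes name their cgroups differently.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample contents of /proc/<pid>/cgroup (not captured from a real host).
// Each line reads "<hierarchy-id>:<controller list>:<cgroup path>".
const (
	SampleHostCgroup = `12:pids:/user.slice/user-1000.slice/session-2.scope
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope
`
	// cgroup v1 layout written by Docker's cgroupfs driver.
	SampleContainerCgroupV1 = `12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
`
	// cgroup v2 unified layout written by Docker's systemd driver.
	SampleContainerCgroupV2 = `0::/system.slice/docker-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.scope
`
)

// containerIDPattern matches the 64-hex-digit container ID in a Docker cgroup
// path. Assumption: Docker's default naming; other runtimes use other names.
var containerIDPattern = regexp.MustCompile(`docker[-/]([0-9a-f]{64})`)

// ParseCgroupContainerID returns the Docker container ID named in cgroupText,
// or "" when no line places the process in a Docker cgroup, i.e. when the
// kernel sees nothing but an ordinary host process.
func ParseCgroupContainerID(cgroupText string) string {
	sc := bufio.NewScanner(strings.NewReader(cgroupText))
	for sc.Scan() {
		fields := strings.SplitN(sc.Text(), ":", 3)
		if len(fields) != 3 {
			continue
		}
		if m := containerIDPattern.FindStringSubmatch(fields[2]); m != nil {
			return m[1]
		}
	}
	return ""
}

// NamespaceLinks reads the namespace symlinks under /proc/<pid>/ns. Targets look
// like "mnt:[4026531840]"; processes sharing a namespace share that inode, so
// comparing two processes' targets shows which namespaces separate them.
func NamespaceLinks(pid string) (map[string]string, error) {
	kinds := []string{"cgroup", "ipc", "mnt", "net", "pid", "user", "uts"}
	links := make(map[string]string, len(kinds))
	for _, k := range kinds {
		target, err := os.Readlink("/proc/" + pid + "/ns/" + k)
		if err != nil {
			return nil, err
		}
		links[k] = target
	}
	return links, nil
}

// DifferingNamespaces lists, sorted, the namespace kinds whose targets differ
// between a and b. Empty means both processes live in the same namespaces.
func DifferingNamespaces(a, b map[string]string) []string {
	var diff []string
	for k, va := range a {
		if vb, ok := b[k]; !ok || vb != va {
			diff = append(diff, k)
		}
	}
	sort.Strings(diff)
	return diff
}

func main() {
	// Self-inspection; needs Linux with /proc mounted and permission to read pid 1.
	raw, err := os.ReadFile("/proc/self/cgroup")
	if err != nil {
		fmt.Println("cannot read /proc/self/cgroup:", err)
		return
	}
	if id := ParseCgroupContainerID(string(raw)); id != "" {
		fmt.Println("running inside Docker container", id)
	} else {
		fmt.Println("not in a Docker cgroup")
	}
	self, err1 := NamespaceLinks("self")
	pid1, err2 := NamespaceLinks("1")
	if err1 != nil || err2 != nil {
		fmt.Println("cannot compare namespace links with pid 1")
		return
	}
	fmt.Println("namespaces differing from pid 1:", DifferingNamespaces(self, pid1))
}
```

Run it on the host against a container's PID (substitute the PID for "self") and the output shows exactly what the slide says: the same kind of process, distinguished only by its cgroup path and namespace inodes. An empty difference list for a process that claims to be containerized is the finding worth investigating.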
IAAS with OS virt / Zones / Containers
[Diagram: one HW and one OS shared by several containers; each container holds a container-virtualized OS view plus App and Lib layers, and libraries are duplicated per container]
[Slide: comparison of PaaS / Containers / IaaS / Hypervisor along the axes DEV, Performance and Security, with open questions marked "?"]
[Diagram: hypervisor stack (HW / Virt HW / OS / App) beside container stack (HW / Kernel / Container / App), with db, web and code components placed per container]
https://en.wikipedia.org/wiki/Operating-system-level_virtualization#Implementations
Docker v0.9 and up
DOCKER_OPTS="-e lxc"
During install, libcontainer: Setting up lxc-docker-1.x.0
https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/
http://blog.docker.com/2015/06/runc/
[Diagram: three execution drivers, each sitting between Docker and the kernel: Docker / libcontainer / Kernel; Docker / LXC / Kernel; Docker / runC / Kernel, all on the same HW]
Announced June 2015: runC replaces libcontainer
[Diagram: conventional system call path: App / Lib / libc / System Calls / Kernel / HW]
GO: nolibc
GO does system calls manually, without relying on libc or anything else - Aram Hăvărneanu https://archive.fosdem.org/2014/schedule/event/porting_go_to_new_platforms/ https://youtu.be/tnXOeHRuyyA?t=1322
[Diagram: user space (ring 3) above kernel (ring 0); a conventional app reaches the kernel through Lib and libc, while the Go app issues system calls to the kernel directly]
Building Docker Images for Static Go Binaries
Statically linked, with the 'syscall' package
https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07
    FROM scratch
    MAINTAINER Kelsey Hightower <[email protected]>
    ADD contributors contributors
    ENV PORT 80
    EXPOSE 80
    ENTRYPOINT ["/contributors"]
Total size of image: 6MB
Triton
• LX: run Linux on Solaris
• Docker on Illumos
• Joyent
[Diagram: a Linux container (App / Lib / libc issuing Linux syscalls) running on the Solaris kernel, whose Linux syscall interface is mapped onto Solaris syscalls]
https://www.joyent.com/blog/triton-docker-and-the-best-of-all-worlds
Mirage OS - Cambridge
• unikernel
• Statically linked kernel
• No firewall needed
• defense: limit interfaces (including Xen)
• 20ms startup
http://media.ccc.de/browse/congress/2014/31c3_-_6443_-_en_-_saal_2_-_201412271245_-_trustworthy_secure_modular_operating_system_engineering_-_hannes_-_david_kaloper.html
[Diagram: a conventional stack (HW / some kernel / Lib / Lib) beside the Mirage stack, where the OCaml application and its libraries run directly on the Xen hypervisor alongside Dom0]
Qubes - Joanna Rutkowska
• with a GUI
• multilayer defense
https://www.qubes-os.org/
Microsoft
• OneCore
  – 64-bit only
  – refactoring
  – base for Win10, Server, Phone & Nano Server
• Containers
Docker support: https://channel9.msdn.com/Events/Build/2015/2-704 https://channel9.msdn.com/Events/Build/2015/2-683
[Slide: Microsoft container base images. Server Core: traditional applications, highly compatible. Nano Server: born-in-the-cloud applications, highly optimized]
[Slide: Microsoft's container runtimes, Windows Server Container and Hyper-V Container; both described as highly automated, efficient, scalable and elastic; isolation scenarios listed across the two: public multi-tenancy, shared hosting, secure hosting, trusted multi-tenancy, regulated workloads]
Nano Server: reverse forwarders
• Additional packages
  – WoW64 for backward compatibility
  – Hyper-V host
  – Replicated File services
https://channel9.msdn.com/Events/Ignite/2015/BRK2461
What runs today with the reverse forwarders?
• Chef
• PHP
• Nginx
• Python 3.5
• Node.js
• GO
• Redis
• MySQL
• OpenSSL
• Java (OpenJDK)
• Ruby (2.1.5)
• SQLite
Intel: Clear Linux
• 1000 VM/host
• 200ms startup
http://www.theregister.co.uk/2015/05/21/intel_wants_containers_to_be_alone_together_naturally/
http://www.infoworld.com/article/2925038/linux/intel-takes-on-coreos-with-its-own-container-based-linux.html
http://lwn.net/Articles/644675/
Gartner IAAS MQ 2015
Gartner also recommends cloud buyers adopt a bimodal strategy that allows them to maintain critical IT operations while innovating on agile development platforms.
http://www.crn.com/slide-shows/cloud/300076877/heres-who-made-gartners-2015-cloud-iaas-magic-quadrant.htm