Is Docker Secure?
Grehack’16 @France
Manideep K
Carnegie Mellon University
2
Shameless Bragging
• Masters Student + Security Researcher at Carnegie Mellon, Cylab
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in INDIA’s largest newspapers and news channels
• Trained 15,000+ people in Infosec including corporates, students & cyber cops
• 10 certifications: ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc.
• Ex Team Lead – Core Security & Data Analytics at TCS
• Interest areas: Container Security, Application Security etc.
More details about me on www.manideepk.com
3
What am I up to with Containers?
• Co-Authored CIS Docker 1.12 Benchmark
• Cloud Security Research Intern @Adobe
• Extensive research at Carnegie Mellon
4
Before we start
• How many of you know what containers are?
• How many of you used containers?
Personal / Enterprise development or production
• How many of you did not adopt containers because of security issues?
5
6-7 months research in 30 minutes
Tough task but we will do it
6
What are we doing for next 30 mins?
Intro
• Containers in 60 seconds
• Container Pipeline and Risk Areas
Sec…Security
• Images
• Container runtime
• Hello enterprises
Holistic pipeline view
Wrap up
8
Quick “60 second” Intro
Containers?
• Lightweight
• Application centric
• No more “it works on my machine”
• Micro-services
Namespaces: isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups: isolate, limit and account for resource usage (CPU, memory etc.)
BUZZ……….! Are containers brand new?
Img Ref: www.docker.com
Containers in 60 seconds
9
Container Pipeline & Risk Areas
[Figure: the Docker pipeline with its risk areas marked]
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Host security
• Daemon security
• Containers
• Images
Ref: Modified version of image on www.docker.com
11
Containers do not contain
53% of decision makers are worried about security of containers*
Containers are not production-ready
Container Security (Docker) developed “a lot” in the past two years, is still developing and has a lot of scope
Docker containers are now “production-ready**”. Google spins up more than 2 billion containers per week
Containers are the “FUTURE”
* Forrester/Red Hat Report, January 2015
** You have to make them secure
12
“Images” Security
Lifecycle of An Image
• Where can I get Images?
- Docker hub public
- Docker Private Store (Beta)
• Can I use them (directly)?
- No! Not Docker hub (at least general images) for enterprises (personal?)
- How about Docker Private store?
• Official images are scanned with Nautilus (general images are not)
- Reports can be seen by opening tags on Hub
13
My Analysis with Images
• Downloaded 50 images from Hub & the first image analyzed has XSS, CSRF vulns
www.vulnerability-lab.com/get_content.php?id=1802
www.vulnerability-lab.com/get_content.php?id=1803
• Some others (which include official images) are using vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc.
• Analyzed manually and also with the Twistlock tool
14
Quick Facts from Banyanops 2015 Analysis report*
30% official images are vulnerable
70% general images are vulnerable
How well do the report’s stats hold up today?
* Ref: https://banyanops.com/blog/analyzing-docker-hub/
15
Manideep, What to do now?
Enterprises - Build your own in-house registry, referring to the CIS Docker 1.12 benchmark
• Write Dockerfiles securely (version pinning mechanisms, creating a user etc.)
• Maintain and consume them securely (Docker Content Trust, frequent scanning etc.)
Personal users - HMM….HMm...Hmm..mmm (Private store?)
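Added example (not the speaker's code and not from the CIS benchmark or Docker): a small Dockerfile linter for the points just listed. Both Dockerfiles are constructed, the package versions in the hardened one are illustrative, and the rules it checks (a tagged or digest-pinned base image, an `=version` on every apt-get/apk package, a non-root USER) are this example's own selection of the benchmark's advice.

```python
"""Lint a Dockerfile for a pinned base image, pinned package versions and a
non-root USER. Added example; the sample Dockerfiles and version numbers are
constructed, and the rule set is this example's own."""
import re

# Constructed sample: the kind of Dockerfile copied straight from a tutorial.
WEAK_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y openssl curl
COPY app /app
CMD ["/app/run"]
"""

# Constructed sample: the same image with the slide's advice applied
# (version strings are illustrative, not real package versions).
HARDENED_DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends \\
        openssl=1.0.2g-1ubuntu4.5 curl=7.47.0-1ubuntu2.1 \\
    && rm -rf /var/lib/apt/lists/*
RUN groupadd -r app && useradd -r -g app app
COPY app /app
USER app
CMD ["/app/run"]
"""


def instructions(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash continuations
    and dropping comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        keyword, _, args = buf.partition(" ")
        yield keyword.upper(), args.strip()
        buf = ""


def unpinned_packages(shell):
    """Package names given to apt-get install / apk add without an =version."""
    unpinned = []
    for match in re.finditer(r"(?:apt-get\s+install|apk\s+add)\s+([^&|;]*)", shell):
        for token in match.group(1).split():
            if not token.startswith("-") and "=" not in token:
                unpinned.append(token)
    return unpinned


def lint_dockerfile(text):
    """Return a list of finding strings; an empty list means the file passes."""
    findings = []
    last_user = None
    for keyword, args in instructions(text):
        if keyword == "FROM":
            image = args.split()[0]            # ignore a trailing "AS stage"
            if image != "scratch" and "@sha256:" not in image:
                last = image.split("/")[-1]    # drop registry/namespace parts
                tag = last.split(":", 1)[1] if ":" in last else None
                if tag is None:
                    findings.append(f"FROM {image} has no tag or digest")
                elif tag == "latest":
                    findings.append(f"FROM {image} uses the floating latest tag")
        elif keyword == "RUN":
            for pkg in unpinned_packages(args):
                findings.append(f"RUN installs {pkg} without a pinned version")
        elif keyword == "USER":
            last_user = args.split(":")[0]     # "user:group" -> user
    if last_user is None:
        findings.append("no USER instruction: the container runs as root")
    elif last_user in ("root", "0"):
        findings.append("USER is root")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{name}: {lint_dockerfile(text) or 'no findings'}")
```

Pinning the base image by digest (`FROM ubuntu@sha256:...`) is stricter than a tag, since a tag such as `16.04` can be re-pushed; the linter accepts either, and flags only an absent tag or `latest`.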
16
Container Runtime - Messy Slide, Sorry!
• Breakout of container and attack host / other containers
• Major problem is “shared kernel”
• Beware of & fix bizarre Docker defaults (a few below), else you will be in big trouble
a) Containers can consume entire memory causing DOS
b) Containers can communicate with each other leading to sniffing etc.
c) Containers are on the same bridge leading to ARP spoofing, MITM etc.
d) Containers have no fork limit causing fork bomb
e) Containers run as root – do you still want to know the impact?
f) Docker daemon access users have effective root privileges
• Isolation / Security
Namespaces - Beware of the non-namespaced kernel keyring, SYS_TIME etc., and do not share namespaces unless needed
Seccomp - How a single vulnerability in a system call ripped off / tore apart containers (a Linux vulnerability, but it impacted Docker – CanSecWest’16)
LSMs - SELinux and AppArmor
Capabilities - Do not use privileged containers, and try to set the flag for not acquiring any additional privileges
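Added example (not the speaker's code and not docker-bench-security): an audit of `docker inspect` records and a `daemon.json` against the defaults listed on this slide (no memory or pids limit, root inside the container, no dropped capabilities, no-new-privileges unset, seccomp/AppArmor unconfined, shared host namespaces, inter-container communication left on, daemon API without TLS). Field names follow the `Config`/`HostConfig` sections of `docker inspect` output and the documented dockerd options; the records are constructed, and the check names and thresholds are this example's own.

```python
"""Audit docker inspect records and daemon.json for the slide's risky defaults.
Added example; the JSON samples are constructed and the checks are this
example's own selection, loosely following the CIS Docker 1.12 benchmark."""
import json

# Constructed: roughly what `docker inspect` reports after a plain `docker run`.
DEFAULT_RUN = json.dumps([{
    "Name": "/web-default",
    "Config": {"User": ""},
    "HostConfig": {"Memory": 0, "PidsLimit": 0, "Privileged": False,
                   "CapAdd": None, "CapDrop": None, "SecurityOpt": None,
                   "ReadonlyRootfs": False, "NetworkMode": "default",
                   "IpcMode": "", "PidMode": ""}}])

# Constructed: same service started with --memory, --pids-limit, --cap-drop=ALL,
# --security-opt=no-new-privileges, a seccomp profile, --read-only and --user.
HARDENED_RUN = json.dumps([{
    "Name": "/web-hardened",
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Memory": 268435456, "PidsLimit": 100, "Privileged": False,
                   "CapAdd": None, "CapDrop": ["ALL"],
                   "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/web.json"],
                   "ReadonlyRootfs": True, "NetworkMode": "web-net",
                   "IpcMode": "", "PidMode": ""}}])

DEFAULT_DAEMON = "{}"   # constructed: no daemon.json overrides at all
HARDENED_DAEMON = json.dumps({"icc": False, "userns-remap": "default",
                              "hosts": ["unix:///var/run/docker.sock"]})


def audit_container(record):
    """Return (check, message) pairs for one docker inspect record."""
    hc, cfg = record.get("HostConfig", {}), record.get("Config", {})
    sec_opts = hc.get("SecurityOpt") or []
    findings = []
    if not hc.get("Memory"):
        findings.append(("memory", "no memory limit: the container can exhaust host RAM (DoS)"))
    if not hc.get("PidsLimit"):
        findings.append(("pids", "no pids limit: a fork bomb is not contained"))
    if hc.get("Privileged"):
        findings.append(("privileged", "privileged container: all capabilities and host devices"))
    if hc.get("CapAdd"):
        findings.append(("caps", f"capabilities added: {hc['CapAdd']}"))
    if not hc.get("CapDrop"):
        findings.append(("caps", "no capabilities dropped (start from --cap-drop=ALL)"))
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append(("nnp", "no-new-privileges unset: setuid binaries can gain privileges"))
    if any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in sec_opts):
        findings.append(("lsm", "seccomp or AppArmor confinement disabled"))
    if (cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append(("user", "runs as root inside the container"))
    for key, flag in (("IpcMode", "--ipc=host"), ("PidMode", "--pid=host"),
                      ("NetworkMode", "--net=host")):
        if hc.get(key) == "host":
            findings.append(("namespaces", f"shares a host namespace via {flag}"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("rootfs", "writable root filesystem"))
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


def audit_daemon_config(text):
    """Findings for daemon.json: icc, user namespace remap, remote API without TLS."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("icc", True):   # dockerd default is icc=true
        findings.append(("icc", "inter-container communication on: any container can reach any other on the bridge"))
    if not cfg.get("userns-remap"):
        findings.append(("userns", "no userns-remap: root in a container is root on the host"))
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        findings.append(("api", f"daemon API exposed on {tcp} without client certificate verification"))
    return findings


if __name__ == "__main__":
    for sample in (DEFAULT_RUN, HARDENED_RUN):
        for name, findings in audit_inspect_output(sample).items():
            print(name, [m for _, m in findings] or "no findings")
    print("daemon", [m for _, m in audit_daemon_config(DEFAULT_DAEMON)] or "no findings")
```

Run it against real output with `docker inspect $(docker ps -q)` piped into `audit_inspect_output`; the `user` check only sees the `--user` flag or the image's `USER`, so a process that drops privileges itself will still be reported.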
17
Hello enterprises (applies for personal users too)
• Use tools (Ex: Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task)
a) Use only signed/ XYZ images
b) Scan images “efficiently” and frequently
c) Automatic container profiling etc.
• Tune CIS benchmark as per your org requirements and adhere to it
- Seccomp profiles, Apparmor/Selinux modules, SIEM/monitoring etc.
• Group containers on VMs (based on trust, operational categories etc.)
• Employ separate patch management, vulnerability assessment etc. procedures for containers
19
Container pipeline (Holistic View)
[Figure: the same pipeline diagram with its risk areas marked]
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Host security
• Daemon security
• Containers
• Images
Img Ref: Modified version of image on www.docker.com
21
So, what did you learn today?
Docker Containers are not secure, you have to make them secure…!
22
It’s not good to keep questions in your mind
Throw them out and I am here to catch
23
References
1. CIS Docker Benchmark 1.12
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
24
Hope you enjoyed…!
Reach me on www.manideepk.com for any questions