- Clair is an open source project for analyzing container images for known software vulnerabilities. It uses static analysis to detect vulnerabilities by examining the content of container images without running the containers.
- Clair's analysis can be done once and reused to inform about current and future vulnerabilities. It also suggests fixes and notifies users about new vulnerabilities.
- Clair is designed as an extensible framework, including detectors for vulnerabilities from different sources, datastores, updaters, notifiers and support for multiple container formats and operating systems. The presenter discusses current and potential future capabilities.
2. We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/careers
OPEN SOURCE: 90+ Projects on GitHub, 1,000+ Contributors
CoreOS.com - @coreoslinux - github/coreos
ENTERPRISE: Secure solutions, support plans, training + more
sales@coreos.com - tectonic.com - quay.io
MISSION: CoreOS is Running the World’s Containers. Secure the Internet.
11. CVE-2015-0235 aka GHOST
“GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.”
12. CVE-2014-0160 aka Heartbleed
“The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.”
17. Clair in a few points
- Static analysis
- Do the job only once
- Suggest & Notify
- Built as a framework
18. Static analysis
CONTEXT: Millions of container images
- Running these containers is expensive
- Running any untrusted container is unsafe
- “We need to go deeper”
- Secure solutions can become pretty complex
- Several dynamic analysis tools exist
- Requires human input and guidance
19. Do the job only once
CONTEXT: Millions of container images. Over 15 new vulnerabilities / day.
What happens when new vulnerabilities are published?
- Extract and store enough to inform about both known and future vulnerabilities
- Reuse analysis data as much as possible
20. Suggest & Notify
“I read your security report about my container, but … what can I actually do?”
Here, look, here’s what you can easily fix.
“I feel confident about my container now. I’m lazy though and don’t want to check the report again. Tell me as soon as there’s something new that I should be concerned about.”
Sure. Where can I contact you?
21. Built as a framework
Open Source and Extensibility are the heart and soul of Clair
v1.1.0
22. Built as a framework
- Detectors
type FeaturesDetector interface {
	GetRequiredFiles() []string
	Detect(map[string][]byte) ([]database.FeatureVersion, error)
}
type NamespaceDetector interface {
	GetRequiredFiles() []string
	Detect(map[string][]byte) *database.Namespace
}
type DataDetector interface {
	Supported(path string, format string) bool
	Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error)
}
23. Built as a framework
- Vulnerability Updaters / Notifiers
type Fetcher interface {
	FetchUpdate(database.Datastore) (FetcherResponse, error)
	Clean()
}
type Notifier interface {
	Configure(config.NotifierConfig) (bool, error)
	Send(database.VulnerabilityNotification) error
}
28. Thank you!
Quentin Machu
@Quentin__M | quentin.machu@coreos.com
Editor's Notes
And that’s not all, NVD
Some of these vulns became so important that …
On one hand, we have fast-paced developers deploying all sorts of containers, and on the other hand, we have thousands of vulnerabilities waiting to be exploited and to lead to critical data leaks or loss.
With containerized applications and the rise of cluster managers, the way security assessment is performed has changed. Dependency management shifted away from the ops teams to the developers, and that brings them a new set of responsibilities. To help developers identify the vulnerabilities that may threaten their containers, we recently built Clair.
Before explaining how it works, I would like to show you what insights Clair can provide through the demo of its integration with Quay, our secure container image registry.
I’ll describe Clair in 4 points.
Basically, it stores everything it can detect using static analysis. Because of the immutable nature of container images, that knowledge can be cross-matched with vulnerability databases, now and in the future, in order to determine the vulnerabilities that may affect these images.
Additionally, Clair does this for every layer that composes an image, which means that it can reuse analysis data across multiple images that share the same layers.