SlideShare a Scribd company logo
1 of 117
Download to read offline
The Golden Ticket: Docker
and High Security
Microservices
Aaron Grattafiori
Technical Director
whoami(1)
Longtime Hacker,
Pentester, and Linux geek
Wrote a few things about
Linux Containers…
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
a disclaimer…
Microservices are not for everyone
Microservices can be hard
Microservices often distribute complexity
Agenda
You’ve seen Microservices before
You’ve seen Microservices before
“Worker bees can leave.
Even drones can fly away.
The Queen is their slave.”
You’ve seen Microservices before
You’ve seen Microservices before
You’ve seen Microservices before
You’ve seen Microservices before
int main() {
printf(“foon”);
return 0;
}
void DoSomething() {
printf (“foon”);
}
int main() {
DoSomething();
return 0;
}
Your Legacy Application
What the sales team
sees…
What the developers see
What ops/sysadmins see
What hackers see…
What hackers think
Applied Security
Principles
A layered defense…
Shrink attack surfaces and present
harden those which remain
The Principle of Defense in Depth
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Monolithic applications make this difficult
and Microservices make this easy
Key: not having a single point of security failure
The Principle of Defense in Depth
“Absolute power corrupts absolutely”
“Avoid running as root” is about
shrinking trust boundaries.
Monoliths make this difficult and
Microservices make this easier
The Principle of Least Privilege
#
“Sane defaults, Isolate by trust”
The Principle of Least Surprise
“Access provided on a need to know basis”
Military security, Mafia management,
database connections, defense in depth, …
The Principle of Least Access
This will be become a theme, a war against excess and
complexity…
Microservices have complexity “at scale”
Microservices still reduce overall complexity
“Least” is Common to all…
1)Establish trust boundaries
2)Identify, minimize and harden attack surfaces
3)Reduce scope and access
4)Layer protections / defenses
See “Stop Buying Security Prescriptions” by Justin Schuh of Google
.. Because “Least” is a Good Idea!
Compare and
Contrast
Upsides of Monolith AppSec
Building and Standing it up is a “known known”
Architecture is quite simple
Existing culture of dev/business/compliance/sales
Downsides of Monolith AppSec
Compromise of a single point often means compromise
of the entire application or network
Authentication requirements/creds are global in scope
Simple to build, but security is hard to tailor
Upsides of Microservices AppSec
UNIX model works well
Highly application/function specific containers permit
highly application specific security
Establishing a Trusted Computing Base (TCB)
Upsides of Microservices AppSec
Least privilege and app-specific security is much easier
Greatly reduced attack surfaces
Independent patching/updates/versions
Downsides of Microservices AppSec
A “Known unknown”
Requires good understanding of application
Legacy applications are not easily adapted
Downsides of Microservices AppSec
May require devops and other culture changes
Complexity breeds insecurity
“Requires” dumb pipes networking architecture
Exploring
Architectures
Exploring Real World Compromise
“Imagetragick” RCE
“Shellshock” RCE
General Command Injection
General LFI/LFR
Denial of Service
Exploring Real World Compromise
Exploring Real World Compromise
API Web Service
Front-end
Presentation
Back-end
Application
Database
LB
Exploring Real World Compromise
API Web Service
Front-end
Presentation
Back-end
Application
Database
Exploring Real World Compromise
API Web Service
Front-end
Presentation
Back-end
Application
Database
Exploring Real World Compromise
API Web Service
Front-end
Presentation
Back-end
Application
Database
Relationship Status: “Its Complicated”
Exploring Real World Solutions
API Web Service
Front-end Presentation
Back-end Application
Database
Enforcing Security Boundaries
API Web Service
Front-end Presentation
Back-end Application
Database
LB
Breaking Up Again
Back-end Application
Payments
AuthZ
Uploads
Cache
Legacy
Limit Compromises
Payments
AuthZ
Uploads
Cache
Legacy
Nope
Nope
Nope
Limited
Limit Compromises: OSI Edition
Layer 7 Authentication: Application
Layer 4/5 (7) Authentication: TLS
Layer 3 Authentication: IPSEC
Thinking about it another way
What’s the attack surface of:
an SSL VPN using username+pw auth
vs.
an SSL VPN using TLS client certs
vs.
an IPSEC-only endpoint using key-based auth ?
Thinking about it another way
Layer 7 Authentication/Encryption? aka XML
Encryption or HTTP Header auth
Or Layer 4/5 Authentication/Encryption? aka TLS/mTLS
Or Layer 3 Authentication/Encryption? aka IPSEC
In general…
Layer 7 authentication should be required
Less than layer 7 authentication is highly desirable
Don’t forget Authentication != Authorization
Don’t forget about transport security
Containers Map to Microservices
Container Model Microservices Model
Root Capabilities Capability based security
Different network namespaces Overlay networks or SDN
One application per container One core function per application
… …
A Few Attacks of Container Systems
Cross Container Attacks on Host
Cross Container Attacks on Network
Exploiting Vulnerable Application
Exploiting Vulnerable Library
Exploiting Out of Date Docker Engine
Exploiting Host Kernel
Targeting Container Configuration
Poisoning Service Discovery
Targeting Docker API Configuration
Attacking Container Management
Pruning The Attack Tree
Application attack? Container itself,
capabilities, immutable files, mount flags,
MAC, read-only rootfs, defensive coding, etc.
Kernel/syscall exploit ?
Seccomp and kernel hardening
Seccomp weakness?
Manditory Access Control
Pruning The Attack Tree
Compromised kernel/host OS?
Network hardening, isolation on trust,
logging, least privilege, least access
Compromised employee credentials?
Least access, least privilege, key-based
authentication
Microservices in
Docker or runc
Why Docker / runc ?
Helps with standardization, testing, security
Strong security defaults (seccomp, caps) and options (user namespace)
App containers help follow and develop the Microservice model
Why use runC for MS?
Lightweight and minimal!
Open Container Initiative
Docker’s libcontainer
Why not runC ?
Lightweight and minimal/manual
Weak documentation/examples/debugging
Warning: Apparmor not a default build tag and Apparmor
support / User namespace support not enabled by default
Security starts with the base OS
Minimal Distro (CoreOS/RancherOS/etc)?
Plain old Ubuntu Server?
Clear Linux?
… Unikernel?
Minimal: Distro
Security starts with the base OS
It’s important to understand how a distribution:
handles updates,
binary package compilation,
security defaults (MAC),
default kernel options,
sysctl settings, ….
Minimal: Kernel
Common sense configuration
make menuconfig: configuration, modules
grsecurity
Minimal Container?
… Why stop at shrinking just the host?
Don’t we want least access? Less updates?
Minimal: Container Images
docker-nginx mongo
FROM debian:jesse FROM debian:wheezy
redis node
FROM debian:jesse FROM buildpack-deps:jessie
Minimal: Container Images
So what exactly is FROM debian:jesse ?
FROM scratch
ADD rootfs.tar.xz /
CMD ["/bin/bash"]
= 137 MB
Minimal: Container Images
So what about FROM debian:wheezy ?
97 MB!
So what about Jenkins? ElasticSearch? Postgres?
FROM debian:jesse
Not Minimal Enough!
Even before an apt-get, there are still tons of libraries,
executables, perl, even language files our process doesn’t need!
That’s more patching, disk space, attack surface and post-
exploitation utilities we don’t need
General idea for Docker
$ cat Dockerfile
FROM scratch
ADD stuff
CMD [“/stuff”]
$ docker build
General idea for runC
$ mkdir rootfs
$ cp stuff rootfs/
$ runc spec
$ sudo runc run foo
Reality for runC (and Docker)
$ ldd /path/to/program
$ mkdir –p rootfs /usr /lib # … etc
$ cp /path/to/program rootfs/
$ cp /path/to/lib.so.0 rootfs/lib/
$ *cross fingers*
Minimal Container Images: Go + Docker
https://blog.codeship.com/building-minimal-
docker-containers-for-go-applications/http://blog.xebia.com/create-the-smallest-possible-docker-container/
Golang wiki server example
$ ls -l rootfs
rootfs/wiki
rootfs/usr/lib/libpthread.so.0
rootfs/usr/lib/libc.so.6
rootfs/lib64/ld-linux-x86-64.so.2
$ du –hs rootfs
7.3M
Minimal Container Images: Nginx + Docker
Roughly 32 libs + /usr/sbin/nginx + a few config
files and dirs…
= 15 MB!
“Make things as simple as
possible, but not simpler.”
— Albert Einstein
nanosleep(2)
Minimal (hardened) Host OS: ✔
Minimal (hardened) Root FS: ✔
Minimal (hardened) Kernel: ✔
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Mandatory Access Control
MAC as a Linux Security Module (LSM)-
AppArmor, SELinux, etc. Grsecurity RBAC is also
nice
OSX uses TrustedBSD, Microsoft has MIC
Mandatory Access Control
Default Docker AppArmor policy is very good
Monolithic MAC policy must include a large number of
files, permission grants, complexity
Microservices again allow for specific security
Nested AppArmor
Profile /bin/bash {
/bin/cat Px,
profile /bin/cat {
/etc/hosts r,
}
}
Going back to Golang HTTPd PoC
Profile /wiki {
network inet stream,
/usr/lib/* mr,
/lib64/* mr,
/wiki mixr,
}
Custom AppArmor Profiles
Generating profiles with aa-genprof
Understanding/using application
is key, profiling is still required
Custom AppArmor Profiles
Common mistakes/problems:
- Providing too much access
- Dealing with wildcards
- Path-based ACLs
Custom AppArmor Profiles
Easier Mode for Docker/runC: Using Bane for profiles
by Jessie Frazelle
Hard Mode: FullSystemPolicy
Avoid deny lists
AppArmor Profile Gotchas
Profiles must be loaded by AppArmor first
Abstractions may be more verbose than you would like
Exercise your app is key, run unit/QA/regression tests
Profiling is difficult within a container itself
Seccomp BPF
Seccomp Profiles
MAC is vulnerable to kernel attacks… kernel is huge attack surface
Seccomp default filter enabled in Docker Engine >= 1.10 !!
Seccomp is widely used in security, recently now with BPF
Putting the BPF into Seccomp BPF
General BPF pseudocode:
1) Check architecture
2) Get syscall number
N) ALLOW or DENY syscall
N+1) KILL, TRAP, TRACE, ALLOW process
Why Custom Profiles?
Default seccomp filter permits 304 syscalls :/
Minimal applications need minimal syscall set
We want to practice least privilege!
Methods for Generating Seccomp Profiles
1) strace/ltrace
2) Kernel help (sysdig or systemtap)
3) Auditd/auditctl
4) Seccomp itself w/ SECCOMP_RET_TRACE and
PTRACE_O_TRACESECCOMP
Seccomp Profiles using strace
strace via ptrace(2)
Weird timing bugs can occur, count will miss some calls
Tracing outside of Docker should be fine
Some programs just don’t want to be traced
strace (and also ltrace –S)
$ strace –f /bin/ls
execve("/bin/ls", ["ls"], [/* 21 vars */]) = 0
brk(0) = 0x8c31000
mmap2(NULL, 8192, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb78c7000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No
such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=65354, ...}) = 0
…
Seccomp Profiles using sysdig
Sysdig is cool! Really cool
Requires a kernel module :/
But it’s really cool!
sysdig
$ sysdig evt.type=open and proc.name=niginx
$ sysdig –p “%evt.type” proc.name=niginx
$ sysdig –p “%evt.type” | sort –u > 
nginix.syscalls.txt
Seccomp Profiles using auditd
Auditd is a nice system for… auditing
Requires a daemon and complex-ish config
Very cool power built-in but not ideal for this!
(Could collect calls over time )
Seccomp Profiles using Seccomp
Basic C example by Kees Cook and Will Drewry:
(https://outflux.net/teach-seccomp/)
– Profiling via SECCOMP_RET_TRAP is slow going
Using SECCOMP_RET_TRACE is better!
Seccomp Profiles using Seccomp
But why?
ALLOW, TRAP, TRACE, KILL, ERRNO are limited,
all of them block the call except for TRACE
(and default ALLOW is not a good model)
Seccomp Profiles using Seccomp
- Create a given syscall whitelist
- Set the default action to SECCOMP_RET_TRACE
- use ptrace(2) with PTRACE_O_TRACESECCOMP
- Log appropriate info
- Repeat until no soft-failures!
Ptrace PoC
$ seccomp-trace –f filter.txt /path/to/program
...
called sycall # 157 : prctl
called sycall # 157 : prctl
SECCOMP WOULD BLOCK 56
called sycall # 56 : clone
SECCOMP WOULD BLOCK 14
SECCOMP WOULD BLOCK 13
called sycall # 14 : rt_sigprocmask
called sycall # 13 : rt_sigaction
General Seccomp Pitfalls
Profiles are fragile!
Profiles are architecture dependent- limiting
container portability
Seccomp in Docker
Default (large) whitelist or:
--security-opt seccomp=<profile>
"seccomp": {
"defaultAction": "SCMP_ACT_KILL",
"architectures": [ "SCMP_ARCH_X86" ],
"syscalls": [
{ "name": "getcwd",
"action": "SCMP_ACT_ALLOW"
}
]
}
Seccomp in runC
Part of the default build!
"seccomp": {
"defaultAction": "SCMP_ACT_KILL",
"architectures": [ "SCMP_ARCH_X86" ],
"syscalls": [
{ "name": "getcwd",
"action": "SCMP_ACT_ALLOW"
}
]
}
Seccomp notes
Remember that seccomp filters are not sandboxes
Libseccomp is nice and has Go bindings
see also: oz sandbox train mode by Subgraph OS
Be careful implementing it from scratch, blacklists
/denylists are risky! (don’t allow ptrace!)
Seccomp Pro Tips for Docker/runC
https://github.com/konstruktoid/Docker/blob/master/
Scripts/genSeccomp.sh can save time or JSON pain !
You can always confirm Seccomp by looking in:
grep Seccomp /proc/<PID>/status
nanosleep(2)
Minimal (hardened) Host OS: ✔
Minimal (hardened) Root FS: ✔
Minimal (hardened) Kernel: ✔
Minimal AppArmor/SELinux: ✔
Minimal Seccomp whitelist: ✔
Security
Recommendations
High Security Docker Microservices
- Enable User namespace
- Use app specific AppArmor if possible
- Use app specific Seccomp whitelist if possible
- Harden host system
- Restrict host access
- Consider network security
High Security runC Microservices
- Configure user namespace
- Enable AppArmor + use app specific if possible
- Use app specific Seccomp whitelist if possible
- Harden host system
- Restrict host access
- Consider network security
The Problem of Managing Secrets
Avoid environment variables/flat files
– Why? … because execve()
Use temporary secret “injection”
– Temp bind mount, load into mem-only, unmount
Vault | Keywiz
Immutable Containers also Help
Extending the basic idea of non-executable memory
pages or OpenBSD’s W^X
- data-only containers, app-only containers
Frustrating vulnerability exploitation and limiting
system post-exploitation
Networking and AuthN/AuthZ
TLS. TLS. TLS.
It’s 2016 and all network traffic should be encrypted
(and authenticated) Just do it.
Authentication/Access at the lowest possible layer. Network
access controls go against “dumb pipes” but they’re important!
Networking and AuthN/AuthZ
But I want dumb pipes!?
Then use SDN / Overlay networks on top…
Beware of cross-container networking / multi-tenant
risks with a single bridge interface
Other Security Recommendations
Have a specification / Dockumentation
Generate application-specific and overall threat models
Don’t forget about application security itself (containers and
MS can’t help if your app itself is still vulnerable)
Other Security Recommendations
Orchestration / Service Discovery things… Use security
Generate application-specific and overall threat models
Don’t forget about application security itself (containers and
MS can’t help if your app itself is still vulnerable)
Other Security Recommendations
Microservice logging and accountability is important, collect and
keep logs centrally (and actually look at them once in while)
Security is much easier to do if you make it part of your lifecycle
in the beginning “build it in don’t patch it on”
Checkout my whitepaper for more general container security info
and more info on many of the topics covered here.
Thank you!
Aaron.Grattafiori /at/ nccgroup dot trust
@dyn___

More Related Content

What's hot

DCSF19 CMD and Conquer: Containerizing the Monolith
DCSF19 CMD and Conquer: Containerizing the Monolith  DCSF19 CMD and Conquer: Containerizing the Monolith
DCSF19 CMD and Conquer: Containerizing the Monolith Docker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.
 
DockerCon SF 2015: Enabling Microservices @Orbitz
DockerCon SF 2015: Enabling Microservices @OrbitzDockerCon SF 2015: Enabling Microservices @Orbitz
DockerCon SF 2015: Enabling Microservices @OrbitzDocker, Inc.
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...Docker, Inc.
 
Amazon Web Services and Docker
Amazon Web Services and DockerAmazon Web Services and Docker
Amazon Web Services and DockerPaolo latella
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Docker, Inc.
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...Docker, Inc.
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker serverless v1.0
Docker serverless v1.0Docker serverless v1.0
Docker serverless v1.0Thomas Chacko
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDocker, Inc.
 
Comprehensive Monitoring for Docker
Comprehensive Monitoring for DockerComprehensive Monitoring for Docker
Comprehensive Monitoring for DockerChristian Beedgen
 
Docker Container As A Service - March 2016
Docker Container As A Service - March 2016Docker Container As A Service - March 2016
Docker Container As A Service - March 2016Patrick Chanezon
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Docker, Inc.
 
DockerCon EU 2015: Stop Being Lazy and Test Your Software!
DockerCon EU 2015: Stop Being Lazy and Test Your Software!DockerCon EU 2015: Stop Being Lazy and Test Your Software!
DockerCon EU 2015: Stop Being Lazy and Test Your Software!Docker, Inc.
 
DCSF19 How Docker Simplifies Kubernetes for the Masses
DCSF19 How Docker Simplifies Kubernetes for the Masses  DCSF19 How Docker Simplifies Kubernetes for the Masses
DCSF19 How Docker Simplifies Kubernetes for the Masses Docker, Inc.
 
Networking Overview for Docker Platform
Networking Overview for Docker PlatformNetworking Overview for Docker Platform
Networking Overview for Docker PlatformAditya Patawari
 
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerGlobal Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerDocker, Inc.
 

What's hot (20)

DCSF19 CMD and Conquer: Containerizing the Monolith
DCSF19 CMD and Conquer: Containerizing the Monolith  DCSF19 CMD and Conquer: Containerizing the Monolith
DCSF19 CMD and Conquer: Containerizing the Monolith
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
 
DockerCon SF 2015: Enabling Microservices @Orbitz
DockerCon SF 2015: Enabling Microservices @OrbitzDockerCon SF 2015: Enabling Microservices @Orbitz
DockerCon SF 2015: Enabling Microservices @Orbitz
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
 
Amazon Web Services and Docker
Amazon Web Services and DockerAmazon Web Services and Docker
Amazon Web Services and Docker
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Docker serverless v1.0
Docker serverless v1.0Docker serverless v1.0
Docker serverless v1.0
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
 
Comprehensive Monitoring for Docker
Comprehensive Monitoring for DockerComprehensive Monitoring for Docker
Comprehensive Monitoring for Docker
 
Docker Container As A Service - March 2016
Docker Container As A Service - March 2016Docker Container As A Service - March 2016
Docker Container As A Service - March 2016
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
 
DockerCon EU 2015: Stop Being Lazy and Test Your Software!
DockerCon EU 2015: Stop Being Lazy and Test Your Software!DockerCon EU 2015: Stop Being Lazy and Test Your Software!
DockerCon EU 2015: Stop Being Lazy and Test Your Software!
 
DCSF19 How Docker Simplifies Kubernetes for the Masses
DCSF19 How Docker Simplifies Kubernetes for the Masses  DCSF19 How Docker Simplifies Kubernetes for the Masses
DCSF19 How Docker Simplifies Kubernetes for the Masses
 
Networking Overview for Docker Platform
Networking Overview for Docker PlatformNetworking Overview for Docker Platform
Networking Overview for Docker Platform
 
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerGlobal Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
 

Viewers also liked

Containerd: Building a Container Supervisor by Michael Crosby
Containerd: Building a Container Supervisor by Michael CrosbyContainerd: Building a Container Supervisor by Michael Crosby
Containerd: Building a Container Supervisor by Michael CrosbyDocker, Inc.
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Docker, Inc.
 
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...Docker, Inc.
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Docker, Inc.
 
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...Docker, Inc.
 
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...Docker, Inc.
 
Cloning Running Servers with Docker and CRIU by Ross Boucher
Cloning Running Servers with Docker and CRIU by Ross BoucherCloning Running Servers with Docker and CRIU by Ross Boucher
Cloning Running Servers with Docker and CRIU by Ross BoucherDocker, Inc.
 
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker, Inc.
 
Unikernels and docker from revolution to evolution — unikernels and docker ...
Unikernels and docker  from revolution to evolution — unikernels and docker  ...Unikernels and docker  from revolution to evolution — unikernels and docker  ...
Unikernels and docker from revolution to evolution — unikernels and docker ...Docker, Inc.
 
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...Docker, Inc.
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1Docker, Inc.
 
DockerCon 16 General Session Day 2
DockerCon 16 General Session Day 2 DockerCon 16 General Session Day 2
DockerCon 16 General Session Day 2 Docker, Inc.
 
Prometheus design and philosophy
Prometheus design and philosophy   Prometheus design and philosophy
Prometheus design and philosophy Docker, Inc.
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016Docker, Inc.
 
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker, Inc.
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux KernelDocker, Inc.
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker, Inc.
 
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...Docker, Inc.
 
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...Docker, Inc.
 

Viewers also liked (20)

Containerd: Building a Container Supervisor by Michael Crosby
Containerd: Building a Container Supervisor by Michael CrosbyContainerd: Building a Container Supervisor by Michael Crosby
Containerd: Building a Container Supervisor by Michael Crosby
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
 
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
 
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
 
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
 
Cloning Running Servers with Docker and CRIU by Ross Boucher
Cloning Running Servers with Docker and CRIU by Ross BoucherCloning Running Servers with Docker and CRIU by Ross Boucher
Cloning Running Servers with Docker and CRIU by Ross Boucher
 
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
 
Unikernels and docker from revolution to evolution — unikernels and docker ...
Unikernels and docker  from revolution to evolution — unikernels and docker  ...Unikernels and docker  from revolution to evolution — unikernels and docker  ...
Unikernels and docker from revolution to evolution — unikernels and docker ...
 
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1
 
DockerCon 16 General Session Day 2
DockerCon 16 General Session Day 2 DockerCon 16 General Session Day 2
DockerCon 16 General Session Day 2
 
Prometheus design and philosophy
Prometheus design and philosophy   Prometheus design and philosophy
Prometheus design and philosophy
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
 
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David Gageot
 
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
 
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
 

Similar to The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori

DockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDocker, Inc.
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...Docker, Inc.
 
DockerCon - The missing piece : when Docker networking unleashes software arc...
DockerCon - The missing piece : when Docker networking unleashes software arc...DockerCon - The missing piece : when Docker networking unleashes software arc...
DockerCon - The missing piece : when Docker networking unleashes software arc...Laurent Grangeau
 
The missing piece : when Docker networking and services finally unleashes so...
 The missing piece : when Docker networking and services finally unleashes so... The missing piece : when Docker networking and services finally unleashes so...
The missing piece : when Docker networking and services finally unleashes so...Adrien Blind
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Docker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsDocker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsMehwishHayat3
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
Docker - Der Wal in der Kiste
Docker - Der Wal in der KisteDocker - Der Wal in der Kiste
Docker - Der Wal in der KisteUlrich Krause
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725miguel dominguez
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725MortazaJohari
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
 

Similar to The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori (20)

DockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon Hykes
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
 
DockerCon - The missing piece : when Docker networking unleashes software arc...
DockerCon - The missing piece : when Docker networking unleashes software arc...DockerCon - The missing piece : when Docker networking unleashes software arc...
DockerCon - The missing piece : when Docker networking unleashes software arc...
 
The missing piece : when Docker networking and services finally unleashes so...
 The missing piece : when Docker networking and services finally unleashes so... The missing piece : when Docker networking and services finally unleashes so...
The missing piece : when Docker networking and services finally unleashes so...
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Docker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsDocker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOps
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
Docker - Der Wal in der Kiste
Docker - Der Wal in der KisteDocker - Der Wal in der Kiste
Docker - Der Wal in der Kiste
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
 

More from Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices WorldDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with DockerDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDocker, Inc.
 

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

Recently uploaded

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Recently uploaded (20)

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori

  • 1. The Golden Ticket: Docker and High Security Microservices Aaron Grattafiori Technical Director
  • 2. whoami(1) Longtime Hacker, Pentester, and Linux geek Wrote a few things about Linux Containers…
  • 4. a disclaimer… Microservices are not for everyone Microservices can be hard Microservices often distribute complexity
  • 7. You’ve seen Microservices before “Worker bees can leave. Even drones can fly away. The Queen is their slave.”
  • 11. You’ve seen Microservices before int main() { printf(“foon”); return 0; } void DoSomething() { printf (“foon”); } int main() { DoSomething(); return 0; }
  • 13. What the sales team sees…
  • 19. A layered defense… Shrink attack surfaces and present harden those which remain The Principle of Defense in Depth
  • 21. Monolithic applications make this difficult and Microservices make this easy Key: not having a single point of security failure The Principle of Defense in Depth
  • 22. “Absolute power corrupts absolutely” “Avoid running as root” is about shrinking trust boundaries. Monoliths make this difficult and Microservices make this easier The Principle of Least Privilege #
  • 23. “Sane defaults, Isolate by trust” The Principle of Least Surprise
  • 24. “Access provided on a need to know basis” Military security, Mafia management, database connections, defense in depth, … The Principle of Least Access
  • 25. This will be become a theme, a war against excess and complexity… Microservices have complexity “at scale” Microservices still reduce overall complexity “Least” is Common to all…
  • 26. 1)Establish trust boundaries 2)Identify, minimize and harden attack surfaces 3)Reduce scope and access 4)Layer protections / defenses See “Stop Buying Security Prescriptions” by Justin Schuh of Google .. Because “Least” is a Good Idea!
  • 28. Upsides of Monolith AppSec Building and Standing it up is a “known known” Architecture is quite simple Existing culture of dev/business/compliance/sales
  • 29. Downsides of Monolith AppSec Compromise of a single point often means compromise of the entire application or network Authentication requirements/creds are global in scope Simple to build, but security is hard to tailor
  • 30. Upsides of Microservices AppSec UNIX model works well Highly application/function specific containers permit highly application specific security Establishing a Trusted Computing Base (TCB)
  • 31. Upsides of Microservices AppSec Least privilege and app-specific security is much easier Greatly reduced attack surfaces Independent patching/updates/versions
  • 32. Downsides of Microservices AppSec A “Known unknown” Requires good understanding of application Legacy applications are not easily adapted
  • 33. Downsides of Microservices AppSec May require devops and other culture changes Complexity breeds insecurity “Requires” dumb pipes networking architecture
  • 35. Exploring Real World Compromise “Imagetragick” RCE “Shellshock” RCE General Command Injection General LFI/LFR Denial of Service
  • 36. Exploring Real World Compromise
  • 37. Exploring Real World Compromise API Web Service Front-end Presentation Back-end Application Database LB
  • 38. Exploring Real World Compromise API Web Service Front-end Presentation Back-end Application Database
  • 39. Exploring Real World Compromise API Web Service Front-end Presentation Back-end Application Database
  • 40. Exploring Real World Compromise API Web Service Front-end Presentation Back-end Application Database
  • 41. Relationship Status: “Its Complicated”
  • 42. Exploring Real World Solutions API Web Service Front-end Presentation Back-end Application Database
  • 43. Enforcing Security Boundaries API Web Service Front-end Presentation Back-end Application Database LB
  • 44. Breaking Up Again Back-end Application Payments AuthZ Uploads Cache Legacy
  • 47. Layer 7 Authentication: Application
  • 48. Layer 4/5 (7) Authentication: TLS
  • 50. Thinking about it another way What’s the attack surface of: an SSL VPN using username+pw auth vs. an SSL VPN using TLS client certs vs. an IPSEC-only endpoint using key-based auth ?
  • 51. Thinking about it another way Layer 7 Authentication/Encryption? aka XML Encryption or HTTP Header auth Or Layer 4/5 Authentication/Encryption? aka TLS/mTLS Or Layer 3 Authentication/Encryption? aka IPSEC
  • 52. In general… Layer 7 authentication should be required Less than layer 7 authentication is highly desirable Don’t forget Authentication != Authorization Don’t forget about transport security
  • 53. Containers Map to Microservices Container Model Microservices Model Root Capabilities Capability based security Different network namespaces Overlay networks or SDN One application per container One core function per application … …
  • 54. A Few Attacks of Container Systems Cross Container Attacks on Host Cross Container Attacks on Network Exploiting Vulnerable Application Exploiting Vulnerable Library Exploiting Out of Date Docker Engine Exploiting Host Kernel Targeting Container Configuration Poisoning Service Discovery Targeting Docker API Configuration Attacking Container Management
  • 55. Pruning The Attack Tree Application attack? Container itself, capabilities, immutable files, mount flags, MAC, read-only rootfs, defensive coding, etc. Kernel/syscall exploit ? Seccomp and kernel hardening Seccomp weakness? Manditory Access Control
  • 56. Pruning The Attack Tree Compromised kernel/host OS? Network hardening, isolation on trust, logging, least privilege, least access Compromised employee credentials? Least access, least privilege, key-based authentication
  • 58. Why Docker / runc ? Helps with standardization, testing, security Strong security defaults (seccomp, caps) and options (user namespace) App containers help follow and develop the Microservice model
  • 59. Why use runC for MS? Lightweight and minimal! Open Container Initiative Docker’s libcontainer
  • 60. Why not runC ? Lightweight and minimal/manual Weak documentation/examples/debugging Warning: Apparmor not a default build tag and Apparmor support / User namespace support not enabled by default
  • 61. Security starts with the base OS Minimal Distro (CoreOS/RancherOS/etc)? Plain old Ubuntu Server? Clear Linux? … Unikernel?
  • 63. Security starts with the base OS It’s important to understand how a distribution: handles updates, binary package compilation, security defaults (MAC), default kernel options, sysctl settings, ….
  • 64. Minimal: Kernel Common sense configuration make menuconfig: configuration, modules grsecurity
  • 65. Minimal Container? … Why stop at shrinking just the host? Don’t we want least access? Less updates?
  • 66. Minimal: Container Images docker-nginx mongo FROM debian:jesse FROM debian:wheezy redis node FROM debian:jesse FROM buildpack-deps:jessie
  • 67. Minimal: Container Images So what exactly is FROM debian:jesse ? FROM scratch ADD rootfs.tar.xz / CMD ["/bin/bash"] = 137 MB
  • 68. Minimal: Container Images So what about FROM debian:wheezy ? 97 MB! So what about Jenkins? ElasticSearch? Postgres? FROM debian:jesse
  • 69. Not Minimal Enough! Even before an apt-get, there are still tons of libraries, executables, perl, even language files our process doesn’t need! That’s more patching, disk space, attack surface and post- exploitation utilities we don’t need
  • 70. General idea for Docker $ cat Dockerfile FROM scratch ADD stuff CMD [“/stuff”] $ docker build
  • 71. General idea for runC $ mkdir rootfs $ cp stuff rootfs/ $ runc spec $ sudo runc run foo
  • 72. Reality for runC (and Docker) $ ldd /path/to/program $ mkdir –p rootfs /usr /lib # … etc $ cp /path/to/program rootfs/ $ cp /path/to/lib.so.0 rootfs/lib/ $ *cross fingers*
  • 73. Minimal Container Images: Go + Docker https://blog.codeship.com/building-minimal- docker-containers-for-go-applications/http://blog.xebia.com/create-the-smallest-possible-docker-container/
  • 74. Golang wiki server example $ ls -l rootfs rootfs/wiki rootfs/usr/lib/libpthread.so.0 rootfs/usr/lib/libc.so.6 rootfs/lib64/ld-linux-x86-64.so.2 $ du –hs rootfs 7.3M
  • 75. Minimal Container Images: Nginx + Docker Roughly 32 libs + /usr/sbin/nginx + a few config files and dirs… = 15 MB!
  • 76. “Make things as simple as possible, but not simpler.” — Albert Einstein
  • 77. nanosleep(2) Minimal (hardened) Host OS: ✔ Minimal (hardened) Root FS: ✔ Minimal (hardened) Kernel: ✔
  • 79. Mandatory Access Control MAC as a Linux Security Module (LSM)- AppArmor, SELinux, etc. Grsecurity RBAC is also nice OSX uses TrustedBSD, Microsoft has MIC
  • 80. Mandatory Access Control Default Docker AppArmor policy is very good Monolithic MAC policy must include a large number of files, permission grants, complexity Microservices again allow for specific security
  • 81. Nested AppArmor Profile /bin/bash { /bin/cat Px, profile /bin/cat { /etc/hosts r, } }
  • 82. Going back to Golang HTTPd PoC Profile /wiki { network inet stream, /usr/lib/* mr, /lib64/* mr, /wiki mixr, }
  • 83. Custom AppArmor Profiles Generating profiles with aa-genprof Understanding/using application is key, profiling is still required
  • 84. Custom AppArmor Profiles Common mistakes/problems: - Providing too much access - Dealing with wildcards - Path-based ACLs
  • 85. Custom AppArmor Profiles Easier Mode for Docker/runC: Using Bane for profiles by Jessie Frazelle Hard Mode: FullSystemPolicy Avoid deny lists
  • 86. AppArmor Profile Gotchas Profiles must be loaded by AppArmor first Abstractions may be more verbose than you would like Exercise your app is key, run unit/QA/regression tests Profiling is difficult within a container itself
  • 88. Seccomp Profiles MAC is vulnerable to kernel attacks… kernel is huge attack surface Seccomp default filter enabled in Docker Engine >= 1.10 !! Seccomp is widely used in security, recently now with BPF
  • 89. Putting the BPF into Seccomp BPF General BPF pseudocode: 1) Check architecture 2) Get syscall number N) ALLOW or DENY syscall N+1) KILL, TRAP, TRACE, ALLOW process
  • 90. Why Custom Profiles? Default seccomp filter permits 304 syscalls :/ Minimal applications need minimal syscall set We want to practice least privilege!
  • 91. Methods for Generating Seccomp Profiles 1) strace/ltrace 2) Kernel help (sysdig or systemtap) 3) Auditd/auditctl 4) Seccomp itself w/ SECCOMP_RET_TRACE and PTRACE_O_TRACESECCOMP
  • 92. Seccomp Profiles using strace strace via ptrace(2) Weird timing bugs can occur, count will miss some calls Tracing outside of Docker should be fine Some programs just don’t want to be traced
  • 93. strace (and also ltrace –S) $ strace –f /bin/ls execve("/bin/ls", ["ls"], [/* 21 vars */]) = 0 brk(0) = 0x8c31000 mmap2(NULL, 8192, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78c7000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=65354, ...}) = 0 …
  • 94. Seccomp Profiles using sysdig Sysdig is cool! Really cool Requires a kernel module :/ But it’s really cool!
  • 95. sysdig $ sysdig evt.type=open and proc.name=niginx $ sysdig –p “%evt.type” proc.name=niginx $ sysdig –p “%evt.type” | sort –u > nginix.syscalls.txt
  • 96. Seccomp Profiles using auditd Auditd is a nice system for… auditing Requires a daemon and complex-ish config Very cool power built-in but not ideal for this! (Could collect calls over time )
  • 97. Seccomp Profiles using Seccomp Basic C example by Kees Cook and Will Drewry: (https://outflux.net/teach-seccomp/) – Profiling via SECCOMP_RET_TRAP is slow going Using SECCOMP_RET_TRACE is better!
  • 98. Seccomp Profiles using Seccomp But why? ALLOW, TRAP, TRACE, KILL, ERRNO are limited, all of them block the call except for TRACE (and default ALLOW is not a good model)
  • 99. Seccomp Profiles using Seccomp - Create a given syscall whitelist - Set the default action to SECCOMP_RET_TRACE - use ptrace(2) with PTRACE_O_TRACESECCOMP - Log appropriate info - Repeat until no soft-failures!
  • 100. Ptrace PoC $ seccomp-trace –f filter.txt /path/to/program ... called sycall # 157 : prctl called sycall # 157 : prctl SECCOMP WOULD BLOCK 56 called sycall # 56 : clone SECCOMP WOULD BLOCK 14 SECCOMP WOULD BLOCK 13 called sycall # 14 : rt_sigprocmask called sycall # 13 : rt_sigaction
  • 101. General Seccomp Pitfalls Profiles are fragile! Profiles are architecture dependent- limiting container portability
  • 102. Seccomp in Docker Default (large) whitelist or: --security-opt seccomp=<profile> "seccomp": { "defaultAction": "SCMP_ACT_KILL", "architectures": [ "SCMP_ARCH_X86" ], "syscalls": [ { "name": "getcwd", "action": "SCMP_ACT_ALLOW" } ] }
  • 103. Seccomp in runC Part of the default build! "seccomp": { "defaultAction": "SCMP_ACT_KILL", "architectures": [ "SCMP_ARCH_X86" ], "syscalls": [ { "name": "getcwd", "action": "SCMP_ACT_ALLOW" } ] }
  • 104. Seccomp notes Remember that seccomp filters are not sandboxes Libseccomp is nice and has Go bindings see also: oz sandbox train mode by Subgraph OS Be careful implementing it from scratch, blacklists /denylists are risky! (don’t allow ptrace!)
  • 105. Seccomp Pro Tips for Docker/runC https://github.com/konstruktoid/Docker/blob/master/ Scripts/genSeccomp.sh can save time or JSON pain ! You can always confirm Seccomp by looking in: grep Seccomp /proc/<PID>/status
  • 106. nanosleep(2) Minimal (hardened) Host OS: ✔ Minimal (hardened) Root FS: ✔ Minimal (hardened) Kernel: ✔ Minimal AppArmor/SELinux: ✔ Minimal Seccomp whitelist: ✔
  • 108. High Security Docker Microservices - Enable User namespace - Use app specific AppArmor if possible - Use app specific Seccomp whitelist if possible - Harden host system - Restrict host access - Consider network security
  • 109. High Security runC Microservices - Configure user namespace - Enable AppArmor + use app specific if possible - Use app specific Seccomp whitelist if possible - Harden host system - Restrict host access - Consider network security
  • 110. The Problem of Managing Secrets Avoid environment variables/flat files – Why? … because execve() Use temporary secret “injection” – Temp bind mount, load into mem-only, unmount Vault | Keywiz
  • 111. Immutable Containers also Help Extending the basic idea of non-executable memory pages or OpenBSD’s W^X - data-only containers, app-only containers Frustrating vulnerability exploitation and limiting system post-exploitation
  • 112. Networking and AuthN/AuthZ TLS. TLS. TLS. It’s 2016 and all network traffic should be encrypted (and authenticated) Just do it. Authentication/Access at the lowest possible layer. Network access controls go against “dumb pipes” but they’re important!
  • 113. Networking and AuthN/AuthZ But I want dumb pipes!? Then use SDN / Overlay networks on top… Beware of cross-container networking / multi-tenant risks with a single bridge interface
  • 114. Other Security Recommendations Have a specification / Dockumentation Generate application-specific and overall threat models Don’t forget about application security itself (containers and MS can’t help if your app itself is still vulnerable)
  • 115. Other Security Recommendations Orchestration / Service Discovery things… Use security Generate application-specific and overall threat models Don’t forget about application security itself (containers and MS can’t help if your app itself is still vulnerable)
  • 116. Other Security Recommendations Microservice logging and accountability is important, collect and keep logs centrally (and actually look at them once in while) Security is much easier to do if you make it part of your lifecycle in the beginning “build it in don’t patch it on” Checkout my whitepaper for more general container security info and more info on many of the topics covered here.
  • 117. Thank you! Aaron.Grattafiori /at/ nccgroup dot trust @dyn___

Editor's Notes

  1. THANKS FOR SKIPPING LUNCH
  2. Make bad things happen to good software -Has been called the “War and Peace” of Linux container security
  3. Distributed Responsibility/Redundancy
  4. iOS Seatbelt splits up applications Android User Sandbox and permissions limit each specific application
  5. Adobe Reader and Google Chrome, among others, use specific IPC Calls and mini-sandboxed workers to isolate and reduce attack surfaces Drawing a line in the sand because of complexity, code quality, etc…
  6. Even your programs split features into different classes or functions For reasons of simplicity, organization, easy re-use and error handling
  7. Looks kinda like this… maybe you’ve shoved in into a container, maybe you want to but haven’t yet…
  8. This is sales, sorry if any of you are in the audience, but it’s true. They love the monolith…
  9. Maybe this is more accurate … A careful balance.
  10. A huge pile of crap… and they need to take care of it somehow….
  11. Hackers see a large attack surface… Many possible holes
  12. They love the dinosaur!
  13. Also known as “With great power comes great responsibility”
  14. Also known as “With great power comes great responsibility” This recommendation applies to more than just user accounts…
  15. Monoliths make this difficult Microservices again make this easy
  16. Architecture is a well understood solution Compliance is easier with a traditional architecture….
  17. Do one thing and do it well… Chain together for benifits
  18. THE WORST CASE SCENARIOS
  19. LOTS OF CROSS COMMUNICATION YOU DON’T ALWAYS UNDERSTAND IT
  20. EVEN A SECOND LARGE SERVER
  21. THE BREAKUP
  22. COMMUNICATION BECOMES MORE CLEAR SECURITY CAN BE BETTER ENFORCED
  23. COMMUNICATION BECOMES MORE CLEAR SECURITY CAN BE BETTER ENFORCED
  24. Legacy code gets compromised Even given a Container Escape … Sandbox All The Things!
  25. SECURITY RARELY INCLUDED
  26. SECURITY RARELY INCLUDED AT LOWER LAYERS Application level authentication exposes a much larger attack surface!
  27. Mutual TLS lets us take this even further Speed is rarely if ever a real concern. AES-NI helped this.
  28. SECURITY RARELY INCLUDED
  29. “all the way down” Caution: no magic bullets…
  30. Configuration often involves tracing down a missing curley brace in your JSON config
  31. This is basically a “minbase” debbootstrap This is all BEFORE A GREEDY APT-GET
  32. This is all BEFORE A GREEDY APT-GET
  33. Think back to least access
  34. Obviously we’re assuming a dynamic executable here Some dynamic libs will need other libs!
  35. The go compiler will build static if we’re using pure Golang !
  36. Removing empty directories we have 4 files in our container If we build this with pure go, we’d have a statically linked binary and could even have just a single file in our container
  37. LETS GO BACK TO 1998….
  38. Microsoft of course did what Microsoft does best … Renamed a standard and wrote something themselves. They dropped the MIC so to speak.
  39. but focused on container escape not inner-container limits…
  40. SHE NAMED IT BANE ON PURPOSE
  41. Maybe on the order of 25-50…
  42. Seccomp return values are not friendly
  43. TRACE doesn’t explicitly indicate it allows the system call
  44. Here is the basic idea…
  45. If using blacklist, make sure to disallow X86 system calls!! https://gist.github.com/thejh/c5b670a816bbb9791a6d
  46. If using blacklist, make sure to disallow X86 system calls!! https://gist.github.com/thejh/c5b670a816bbb9791a6d
  47. Logs are append only Local data cannot be executed
  48. Client Certificates are quite nice!! Nothing is stopping you from doing TLS and Layer 7 Authentication
  49. Client Certificates are quite nice!! Nothing is stopping you from doing TLS and Layer 7 Authentication SDN- compromise can be global in scope….