2018 NSFOCUS Technical Report on Container Security NSFOCUS Star Cloud Laboratory


2018 NSFOCUS Technical Report on Container Security
NSFOCUS Star Cloud Laboratory, October 2018
© 2018 NSFOCUS

About NSFOCUS
NSFOCUS is an iconic internet and application security company with over 18 years of proven industry experience. Today, we are operating globally with 2000+ employees at two headquarters in Beijing, China and 40+ offices worldwide including the IBD HQ in Santa Clara, CA, USA. NSFOCUS protects four of the ten largest global telecommunications companies and four of the five largest global financial institutions. With its multi-tenant and distributed cloud security platform, NSFOCUS effectively moves security into the internet backbone by: operating in data centers around the world, enabling organizations to fully leverage the promise of cloud computing, providing unparalleled and uncompromising protection and performance, and empowering our partners to provide better security as a service in a smart and simple way. NSFOCUS delivers holistic, carrier-grade, hybrid DDoS and web security powered by industry leading threat intelligence.

About NeuVector
NeuVector is the first company to develop Docker/Kubernetes security products. It is the leader in container network security and delivers the first and only multivector container security platform. NeuVector has committed to guaranteeing the security of enterprise-level container platforms, with its products applicable to cloud, multi-cloud, and on-premises container production environments. NeuVector provides in-depth runtime visibility into the container network, monitors "east-west" container traffic, performs proactive isolation and protection, and ensures the security of hosts and within containers. Through seamless integration with container management platforms, it achieves automation of application-level container security. NeuVector customers include global leaders in financial services, healthcare, publishing, and emerging Internet enterprises, and NeuVector partners with AWS, Docker, Google, IBM, Rancher, Red Hat, Aliyun and others. Founded by industry veterans from Fortinet, VMware, Trend Micro, Symantec, and Juniper, NeuVector has developed patent-pending behavioral learning, network security, data security, and container security.

Catalogue
Preface  1
1. Overview  2
1.1 Container and Virtualization  3
1.2 Evolutionary History of Containerization  4
1.3 Container Security  5
2. Container Basics  8
2.1 Container Image  9
2.1.1 What Is a Container Image?  9
2.1.2 Characteristics of a Container Image  9
2.1.3 Image Building  10
2.1.4 Image Repository  11
2.1.5 Use of Images  13
2.2 Container Storage  14
2.2.1 Image Metadata  14
2.2.2 Storage Driver  14
2.2.3 Data Volume  15
2.3 Container Networking  16
2.3.1 Underlying Technologies of Container Networking  16
2.3.2 Host Networking  18
2.3.3 Cluster Networking  19
2.4 Container Management and Application  23
2.4.1 Container Management  23
2.4.2 Container Usage Scenarios  30
3. Vulnerability and Security Risk Analysis  35
3.1 Vulnerability and Security Risk Analysis  36
3.1.1 Software Risks  36
3.1.2 API Security  39
3.1.3 Insecure Images  43
3.1.4 Container Isolation Losing Effect  44
3.2 Security Threat Analysis  45
3.2.1 Container Escape Attack  45
3.2.2 Container Network Attack  45
3.2.3 Denial-of-Service (DoS) Attack  46
3.3 Container Application Security Threat  47
3.3.1 Microservice Security  47
3.3.2 DevOps Security  47
4. Container Security Protection  49
4.1 Linux Kernel Security Mechanism  50
4.1.1 Kernel Namespace  50
4.1.2 Control Groups  50
4.1.3 Linux Kernel Capabilities  51
4.1.4 Other Kernel Security Features  51
4.2 Container Service Security  53
4.3 Host Security  54
4.3.1 Hardening of Basic Host Security  54
4.3.2 Hardening of Container-related
Recommended publications
  • Security Analysis of Docker Containers in a Production Environment
    Security analysis of Docker containers in a production environment. Jon-Anders Kabbe. Master of Science in Communication Technology. Submission date: June 2017. Supervisor: Colin Alexander Boyd, IIK. Co-supervisor: Audun Bjørkøy, TIND Technologies. Norwegian University of Science and Technology, Department of Information Security and Communication Technology. Title: Security Analysis of Docker Containers in a Production Environment. Student: Jon-Anders Kabbe. Problem description: Deployment of Docker containers has achieved its popularity by providing an automatable and stable environment serving a particular application. Docker creates a separate image of a file system with everything the application requires during runtime. Containers run atop the regular file system as separate units containing only the libraries and tools that the particular application requires. Docker containers reduce the attack surface, improve process interaction and simplify sandboxing. But containers also raise security concerns: reduced segregation between the operating system and the application, out-of-date or varying libraries and tools, and a technology that is still unsettled. Docker containers provide a stable and static environment for applications; this is achieved by creating a static image of only the libraries and tools the specific application needs during runtime. Out-of-date tools and libraries are a major security risk when exposing applications over the Internet, but availability is essential in a competitive market. Does Docker raise some security concerns compared to standard application deployment such as hypervisor-based virtual machines? Are the Docker "best practices" sufficient to secure the container, and how does this compare to traditional virtual machine application deployment?
    Responsible professor: Colin Alexander Boyd, ITEM. Supervisor: Audun Bjørkøy, TIND Technologies. Abstract: Container technology for hosting applications on the web is gaining traction as the preferred mode of deployment.
  • Cloud Security Reference Using CSA Guidance Version 4.0 (OSS Mapping 2019)
    Cloud Security Reference Using CSA Guidance version 4.0 (OSS Mapping 2019). Cloud Security Alliance Japan Chapter (CSA Japan), a general incorporated association, Cloud Security Working Group. Copyright © 2019 Cloud Security Alliance Japan Chapter. Table of Contents: 1. Introduction 4; 2. Study Guidelines 5; 3. DOMAIN 6 Management Plane and Business Continuity 6; 4. DOMAIN 7 Infrastructure Security 10; 5. DOMAIN 8 Virtualization and Container Technology 18; 6. DOMAIN 10 Application Security 22; 7. DOMAIN 11 Data Security and Encryption 30; 8. DOMAIN 12 Identity Management, Entitlement Management, and Access Management (IAM) 35; 9. Reference URLs 39. Authoring and editing members (name, affiliation): 井上 淳, NTT TechnoCross Corporation; 釜山 公徳, NEC Corporation; 福田 貢士 (individual member); 森田 翔 (individual member); listed in Japanese syllabary order. Change history (date, version, description): February 26, 2019, 1.0, first edition published. Note on copyright: The copyright of this document belongs to CSA
  • Firecracker: Lightweight Virtualization for Serverless Applications
    Firecracker: Lightweight Virtualization for Serverless Applications. Alexandru Agache, Marc Brooker, Andreea Florescu, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa, Amazon Web Services. https://www.usenix.org/conference/nsdi20/presentation/agache This paper is included in the Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI '20), February 25–27, 2020, Santa Clara, CA, USA. ISBN 978-1-939133-13-7. Open access to the Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI '20) is sponsored by
    Abstract: Serverless containers and functions are widely used for deploying and managing software in the cloud. Their popularity is due to reduced cost of operations, improved utilization of hardware, and faster scaling than traditional deployment methods. The economics and scale of serverless applications demand that workloads from multiple customers run on the same hardware with minimal overhead, while preserving strong se-
    vantage over traditional server provisioning processes: multitenancy allows servers to be shared across a large number of workloads, and the ability to provision new functions and containers in milliseconds allows capacity to be switched between workloads quickly as demand changes. Serverless is also attracting the attention of the research community [21,26,27,44,47], including work on scaling out video encoding [13], linear algebra [20, 53] and parallel compilation [12].
  • Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu, Anil Kumar, Ned Smith, David M
    Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment. Sunil Cheruvu, Anil Kumar, Ned Smith, David M. Wheeler. Authors: Sunil Cheruvu, Chandler, AZ, USA; Anil Kumar, Chandler, AZ, USA; Ned Smith, Beaverton, OR, USA; David M. Wheeler, Gilbert, AZ, USA. ISBN-13 (pbk): 978-1-4842-2895-1. ISBN-13 (electronic): 978-1-4842-2896-8. https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s). This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access: This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material.
  • The Business of Free Software: Enterprise Incentives, Investment, and Motivation in the Open Source Community
    07-028. The Business of Free Software: Enterprise Incentives, Investment, and Motivation in the Open Source Community. Marco Iansiti, David Sarnoff Professor of Business Administration, Harvard Business School; Gregory L. Richards, Managing Director, Keystone Strategy, Inc. Copyright © 2006 by Dr. Marco Iansiti, Ph.D. and Gregory L. Richards. Working papers are in draft form. This working paper is distributed for purposes of comment and discussion only. It may not be reproduced without permission of the copyright holder. Copies of working papers are available from the author. Harvard Business School Working Paper Series, No. 07-028, 2006. Boston, MA 02163, USA. October 9, 2006. PRELIMINARY DRAFT – COMMENTS WELCOME. ACKNOWLEDGEMENTS: We are grateful to Geoff Allan, Lester Chen, Mark McCormick, Boris Perlin, Alan MacCormack, and Karim Lakhani, who provided many valuable inputs and suggestions. ABSTRACT: In this paper, we examine the motivations of large information technology ("IT") vendors to invest in open source software ("OSS"). What drives companies with large, proprietary software portfolios to invest hundreds of millions of dollars in OSS? We approach this question by grouping a sample of OSS projects into clusters and examining vendors' motivations for each cluster. We find one cluster has received almost no investment. Contributions to projects in this cluster are confined to the voluntary effort of the vendors' employees, and vendors are likely altruistically motivated.
  • Essnet SCFE DELIVERABLE D5-4 Guidelines and Recommendations for Development of Training Materials and for Open Source Solutions and Projects
    ESSnet SCFE DELIVERABLE D5-4: Guidelines and recommendations for development of training materials and for open source solutions and projects. Project acronym: SCFE. Project title: "Sharing common functionalities in the ESS". Name(s), title(s) and organization of the author(s): Joaquim Machado, Dr. ([email protected]); José Carlos Martins, Eng. ([email protected]); Instituto Nacional de Estatística. Tel: +351 218 426 100. Fax: +351 218 454 083. E-mail: [email protected]. This document is licensed under a Creative Commons License: Attribution-ShareAlike 4.0 International. Date: 29 Dec. 2017. Table of Contents: Introduction 1; Guidelines and recommendations 2; Open source solutions and projects 2; What is Open Source? 2; Why Open Source is good for business 6; How to make an Open Source Project 10; Development of training materials 18; Sharing and re-using training materials 18; Creating training materials 18
  • Using Open Source as a Basis for Software Development (Uporaba odprte kode kot osnova za razvoj programske opreme)
    University of Ljubljana, Faculty of Computer and Information Science (Univerza v Ljubljani, Fakulteta za računalništvo in informatiko). University study programme, diploma thesis: Using Open Source as a Basis for Software Development. Peter Primožič. Mentor: prof. dr. Franc Solina, univ. dipl. ing. Ljubljana, February 2005. Contents: Abstract VI; 1 Introduction 1; 2 The Open Source Phenomenon 3; 2.1 History of Open Source 3; 2.1.1 The GNU Project 3; 2.1.2 Linux 5; 2.1.3 The Present Day 6; 2.2 Definition of Free Software and Open Source 7; 2.2.1 Free Software 7; 2.2.2 Open Source 9; 2.3 Licensing Models of Free Software
  • Referência Debian (Debian Reference)
    Debian Reference (Referência Debian). Osamu Aoki. Copyright © 2013-2021 Osamu Aoki. This Debian Reference (version 2.85) (2021-09-17 09:11:56 UTC) is intended to provide a broad overview of the Debian system as a post-installation user's guide. It covers many aspects of system administration through shell-command examples for non-programmers. COLLABORATORS: TITLE: Debian Reference; ACTION: WRITTEN BY; NAME: Osamu Aoki; DATE: 17 September 2021. REVISION HISTORY (NUMBER, DATE, DESCRIPTION, NAME). Contents: 1 GNU/Linux tutorials 1; 1.1 Console basics 1; 1.1.1 The shell prompt 1; 1.1.2 The shell prompt under GUI 2; 1.1.3 The root account 2; 1.1.4 The root shell prompt 3; 1.1.5 System administration GUI tools 3; 1.1.6 Virtual consoles 3; 1.1.7 How to leave the command prompt 3; 1.1.8 How to shut down the system 4; 1.1.9 Recovering a sane console 4; 1.1.10 Additional package suggestions for the newbie 4; 1.1.11 An extra user account 5; 1.1.12 Configuration
  • A Reliable Booting System for Zynq Ultrascale+ Mpsoc Devices
    A reliable booting system for Zynq Ultrascale+ MPSoC devices. An embedded solution that provides fallbacks in different parts of the Zynq MPSoC booting process, to assure successful booting into a Linux operating system. A thesis presented for the Bachelor of Science in Electrical Engineering at the University of Applied Sciences Utrecht. Name: Nekija Džemaili. Student ID: 1702168. University supervisor: Corné Duiser. CERN supervisors: Marc Dobson & Petr Zejdl. Field of study: Electrical Engineering (embedded systems). CERN-THESIS-2021-031, 17/03/2021. February 15th, 2021, Geneva, Switzerland. Disclaimer: The board of the foundation HU University of Applied Sciences in Utrecht does not accept any form of liability for damage resulting from usage of data, resources, methods, or procedures as described in this report. Duplication without consent of the author or the college is not permitted. If the graduation assignment is executed within a company, explicit consent of the company is necessary for duplication or copying of text from this report. Preface: This thesis was written for the BSc Electrical Engineering degree of the HU University of Applied Sciences Utrecht, the Netherlands.
  • Snapshots of Open Source Project Management Software
    International Journal of Economics, Commerce and Management, United Kingdom. ISSN 2348 0386. Vol. VIII, Issue 10, Oct 2020. http://ijecm.co.uk/ SNAPSHOTS OF OPEN SOURCE PROJECT MANAGEMENT SOFTWARE. Balaji Janamanchi, Associate Professor of Management, Division of International Business and Technology Studies, A.R. Sanchez Jr. School of Business, Texas A & M International University, Laredo, Texas, United States of America, [email protected]. Abstract: This study attempts to present snapshots of the features and usefulness of Open Source Software (OSS) for Project Management (PM). The objectives include understanding the PM-specific features such as budgeting, project planning, project tracking, time tracking, collaboration, task management, resource management or portfolio management, file sharing and reporting, as well as OSS features, viz., license type, programming language, OS version available, review and rating, in impacting the number of downloads and other such usage metrics. This study seeks to understand the availability and accessibility of Open Source Project Management software on the well-known large repository of open source software resources, viz., SourceForge. Limiting the search to "Project Management" as the key words, data for the top fifty OS applications ranked by downloads is obtained and analyzed. A useful classification is developed to assist all stakeholders in understanding the state of open source project management (OSPM) software on the SourceForge forum. Some updates in the ranking and popularity of software since
  • Tomoyo Linux
    Tomoyo Linux. June 2017, OLUG, by Aaron Grothe. What is Tomoyo? From Wikipedia: Tomoyo is a feminine Japanese given name and a variant transcription of the name Tomoko. The name means "wise era" or "worldly wisdom". What is Tomoyo Linux? ● Tomoyo Linux is a Linux security package that provides MAC for Linux. It can also do some very cool things in terms of training, generating policies, monitoring systems, etc. What is MAC? To describe MAC we'll start with DAC (Discretionary Access Control). You already live with DAC. The basic idea here is that the owner of a resource, e.g. Chad, can control who has access to it. In general Linux terms this is owner, group, and world privs. MAC Cont'd: MAC is Mandatory Access Control. It is similar to DAC except that there is the concept of a security administrator. E.g. I have an Excel file. The security administrator could create a policy, which I cannot override, that says whether or not I can hand access to this file to other people. MAC can, depending on the implementation, even prevent root from doing things. Thought experiment: can God microwave a burrito so hot God couldn't eat it?
    History of Tomoyo Linux ● Tomoyo Linux was launched in 2003 and was sponsored by NTT until 2012 ● There are three distinct versions of Tomoyo to consider ○ Tomoyo 1.x - this version is a set of patches to the kernel and tools, not part of the Linux kernel source code ○ Tomoyo 2.x - not as full-featured; implemented as an LSM alongside AppArmor, Smack, and SELinux, and integrated with the Linux kernel source code ○ Akari - working towards bringing all the Tomoyo 1.x features to Tomoyo 2.x. Why Tomoyo Linux? Tomoyo Linux runs in four interesting modes ● Learning - you can dynamically create a policy - figure out what your webserver is and isn't allowed to do ● Disabled - won't do anything to your system; allows normal operation ● Permissive - will allow all operations, but not add the requests to your policy ● Enforcing - applying a policy to the system; operations not explicitly allowed are denied.
  • Flexible and Fine-Grained Mandatory Access Control on Android For
    Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies. Sven Bugiel, Saarland University; Stephan Heuser, Fraunhofer SIT; Ahmad-Reza Sadeghi, Technische Universität Darmstadt and Center for Advanced Security Research Darmstadt. This paper is included in the Proceedings of the 22nd USENIX Security Symposium, August 14–16, 2013, Washington, D.C., USA. ISBN 978-1-931971-03-4. Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX. Sven Bugiel ([email protected]), Saarland University, Germany; Stephan Heuser ([email protected]), Fraunhofer SIT, Germany; Ahmad-Reza Sadeghi ([email protected]), Technische Universität Darmstadt / CASED, Germany.
    Abstract: In this paper we tackle the challenge of providing a generic security architecture for the Android OS that can serve as a flexible and effective ecosystem to instantiate different security solutions. In contrast to prior work our security architecture, termed FlaskDroid, provides mandatory access control simultaneously on both Android's middleware and kernel layers. The alignment of policy enforcement on these two layers is non-trivial due to their completely different semantics.
    Android's vulnerabilities. Android has been shown to be vulnerable to a number of different attacks such as malicious apps and libraries that misuse their privileges [57, 40, 25] or even utilize root-exploits [55, 40] to extract security and privacy sensitive information; taking advantage of unprotected interfaces [14, 12, 53, 32] and files [49]; confused deputy attacks [16]; and collusion attacks [46, 34]. Solutions. On the other hand, Android's open-source nature has made it very appealing to academic