Linux Containers: Future or Fantasy? - TIB AV-Portal

Linux Containers: Future or Fantasy?

00:00

5

Grattafiori, Aaron

Formal Metadata

Title

Linux Containers: Future or Fantasy?

Alternative Title

101 Track

Title of Series

Number of Parts

109

Author

Grattafiori, Aaron

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/36326 (DOI)

Publisher

Release Date

Language

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Linux Containers: Future or Fantasy? Aaron Grattafiori Principal Security Consultant, iSEC Partners/NCC Group Containers, a pinnacle of fast and secure deployment or a panacea of false security? In recent years Linux containers have developed from an insecure and loose collection of Linux kernel namespaces to a production-ready OS virtualization stack. In this talk, the audience will first learn the basics of how containers function, understanding namespaces, capabilities and cgroups in order to see how Linux containers and the supporting kernel features can offer an effective application and system sandboxing solution yet to be widely deployed or adopted. Understanding LXC or Docker use, weaknesses and security for PaaS and application sandboxing is only the beginning. Leveraging container technologies is rapidly becoming popular within the modern PaaS and devops world but little has been publicly discussed in terms of actual security risks or guarantees. Understanding prior container vulnerabilities or escapes, and current risks or pitfalls in major public platforms will be explored in this talk. I'll cover methods to harden containers against future attacks and common mistakes to avoid when using systems such as LXC and Docker. This will also include an analysis and discussion of techniques such as Linux kernel hardening, reduced capabilities, Mandatory Access Controls (MAC), the User kernel namespace and seccomp-bpf (syscall filtering); all of which help actually contain containers. The talk will end on some methods for creating minimal, highly-secure containers and end on where containers are going and why they might show up where you least expect them. Aaron Grattafiori (@dyn___) is a Principal Security Consultant and Research Lead with iSEC Partners/NCC Group. A jack-of-all-security, Aaron leads projects dealing with complex system analysis, mobile and web application security to network, protocol, and design reviews to red teams and other hybrid testing. With over nine years of security experience, Aaron utilizes a wide array of technology skills, historical research and security knowledge to consistently discover critical vulnerabilities. Aaron has spoke on a wide range of topics at security conferences such as Blackhat, DEF CON Kids, Toorcon:Seattle+SanDiego, ToorCamp, Source Seattle, EELive! and SecureWorld in addition to being a guest speaker at Stanford University. Prior to working at iSEC Partners, Aaron worked as a Security Consultant for Security Innovation and is a retired long time member of the Neg9 CTF team. This will be Aaron's 12th DEF CON, w00t! Twitter: @dyn___

Speech

Text

Image

00:00

Directory serviceLocal GroupInformation securityPlastikkarteSource codeInformation securityGroup actionComputer animation

00:35

Server (computing)DatabaseWordPlug-in (computing)Local GroupInformation securitySlide rule12 (number)Web applicationInternetworkingInformation securityCodeComputer animation

01:26

System programmingComplex (psychology)Maximum length sequenceMach's principleKolmogorov complexityTorvalds, LinusKernel (computing)Right angleRootInformation securityVulnerability (computing)Speech synthesisType theoryDifferent (Kate Ryan album)Goodness of fitTurbo-CodeSet (mathematics)CuboidModule (mathematics)Kernel (computing)Complex (psychology)Optical disc driveSystem programmingSerial portComputer animation

02:54

Kernel (computing)Read-only memoryVirtual realityProcess (computing)EmulationInformation securitySemiconductor memoryWordConfiguration managementComputer animation

03:33

Client (computing)Vector potentialSource codeGoogolMalwareInheritance (object-oriented programming)TrailCodeInformation securityComputer-assisted translationCryptographyWindowSource codeVector potentialMalwareRow (database)Library (computing)CalculationTrailSoftware bugRight angleMultiplication signWeb browserMeeting/InterviewComputer animation

04:12

CodeoutputInternet der DingeService (economics)ArmRouter (computing)Information securityRootComputing platformSlide ruleConnected spaceVirtualizationMultiplication signArmLinear programmingComputer animation

05:03

SurfaceException handlingInformation securityServer (computing)Service (economics)SurfaceGreatest elementIntegrated development environmentNormal (geometry)Insertion lossGraphical user interfaceException handlingRight angleComputer animation

05:46

Office suiteOpen sourceSet (mathematics)Meeting/Interview

06:21

Kernel (computing)Open setVirtualizationComputer hardwareKernel (computing)MehrplatzsystemMultiplication signCore dumpSystem programmingInformation securityVirtualizationComputer animation

07:11

Computer hardwareSoftwareEmulatorVirtualizationControl flowKernel (computing)Partition (number theory)Fundamental theorem of algebraInformation securityNamespacePower (physics)Single-precision floating-point formatNamespaceAreaKernel (computing)Computer animation

07:46

NamespaceKernel (computing)CloningNamespacePlanningKernel (computing)SoftwareRadio-frequency identificationHeegaard splittingCloningContext awarenessEndomorphismenmonoidProcess (computing)Computer animation

08:21

NamespaceKernel (computing)Personal area networkProcess (computing)Computer fileMiniDiscAdditionPrincipal ideal domainView (database)Process (computing)InterprozesskommunikationFlagMultiplication signFile systemCloningNamespaceComputer animation

09:02

Information securitySuite (music)NamespaceComputer networkFlow separationTable (information)Firewall (computing)AdditionAreaKernel (computing)Active contour modelContext awarenessAreaKernel (computing)System programmingTable (information)SoftwareNamespaceVulnerability (computing)Right angleSpacetimeOcean currentComputer animation

09:53

Gastropod shellSpherical capShift operatorRootAreaRight angleSet (mathematics)Tracing (software)SoftwareKeyboard shortcutComputer animation

10:32

Kernel (computing)Data modelSample (statistics)BitRoutingAsynchronous Transfer ModeGodRight angleEndliche ModelltheorieProcess (computing)RootMathematicsRaw image formatKeyboard shortcutGame controllerComputer animation

11:17

Network socketMilitary operationNamespaceMultiplication signInternet forumOptical disc driveSurfaceRootSocket-SchnittstelleRaw image formatBitSet (mathematics)Operator (mathematics)Vulnerability (computing)Binary codeLetterpress printingGastropod shellRight angleComputer animation

12:27

WeightSpherical capRight angleRaw image formatGame controllerModule (mathematics)Kernel (computing)Control systemData managementComputer animation

13:03

Boundary value problemCodeControl flowGroup actionGUI widgetBefehlsprozessorComputer networkSpherical capLink (knot theory)System administratorRoutingRootGame controllerGroup actionProcess (computing)PhysicalismBit rateSoftwareSemiconductor memorySystem programmingBefehlsprozessorSet (mathematics)Computer animation

14:00

BefehlsprozessorSubgroupNamespaceVirtual realityFile systemNamespaceGroup actionBitFile systemDirectory serviceSound effectComputer fileTesselationSocial classComputer animation

14:52

Computing platformNamespaceComputer hardwareLimit (category theory)Kernel (computing)Element (mathematics)VirtualizationOverlay-NetzComputer configurationNamespaceComputing platformData managementElement (mathematics)Kernel (computing)Online helpGroup actionOverlay-NetzFile systemRootDirectory serviceMereologyComputer configurationComputer animation

15:42

System programmingGoogolClient (computing)NamespaceGraphical user interfaceWeb browserGoogle App EngineGraphical user interfaceDistribution (mathematics)Android (robot)Electronic mailing listSystem programmingService (economics)Computing platformServer (computing)Client (computing)NP-hardComputer animation

16:25

TwitterCompilation albumInformation securityTemplate (C++)Computer configurationMobile appComputer animation

17:02

Kernel (computing)SurfaceRootNamespaceRight angleSurfaceKernel (computing)System callPoint (geometry)Mobile appComputer animation

17:49

System programmingMechanism designKernel (computing)SurfaceSystem callDigital filterSet (mathematics)Compilation albumMobile appSurfaceBoundary value problemOpen setSystem callParameter (computer programming)Computer fileFlagNumberProcess (computing)Filter <Stochastik>CuboidRight angleComputer animation

19:17

Process (computing)Operations researchDigital filterNumberProcess (computing)System callAsynchronous Transfer ModeFlagGame controllerFirewall (computing)Compilation albumComputer programmingFaculty (division)Direction (geometry)Formal languageComputer animation

20:02

Web browserGoogle ChromeGoogolCore dumpCompilation albumDefault (computer science)Goodness of fitGraphical user interfaceInformation securityMaxima and minimaSystem programmingInheritance (object-oriented programming)Service (economics)Core dumpComputer animation

21:04

Dependent and independent variablesProcess (computing)Asynchronous Transfer ModeService (economics)Library (computing)Software developerInformation securityComputer fileFocus (optics)Computer animation

22:08

DemonRootDemonRepresentational state transferRootDefault (computer science)Library (computing)Network socketComputer animation

22:52

Computer-generated imageryTelecommunicationData managementFlow separationTelecommunicationMedical imagingWordData managementException handlingDistanceMobile appCore dumpComputer animation

23:41

Default (computer science)Mobile appOrder (biology)Game controllerFunctional (mathematics)Right angleSystem programmingComputer animation

24:27

NP-hardBit rateComputer networkCore dumpNP-hardDisk read-and-write headAsynchronous Transfer ModeSoftwareProcess (computing)Different (Kate Ryan album)Computer animation

25:13

Latent heatFile systemDevice driverCodeComputer networkCommunications protocolKernel (computing)Drop (liquid)Game theoryKernel (computing)DampingBus (computing)Device driverServer (computing)File systemVulnerability (computing)VirtualizationCodeCASE <Informatik>System administratorDifferent (Kate Ryan album)Game controllerForcing (mathematics)Module (mathematics)Computer animation

26:11

Drop (liquid)ForceMultiplication sign1 (number)Acoustic shadowEndliche ModelltheorieForcing (mathematics)Computer fileSpeech synthesisSystem callSpherical capCASE <Informatik>Computer animation

27:08

System programmingNamespaceLine (geometry)Kernel (computing)Data bufferMobile appRule of inferenceRootNamespaceLine (geometry)Control systemData managementBridging (networking)Kernel (computing)Default (computer science)System programmingFirewall (computing)SurfaceNumberRight angleType theorySoftwareMessage passingComputer animation

28:47

Read-only memoryMiniDiscEntropie <Informationstheorie>Functional (mathematics)StapeldateiBookmark (World Wide Web)Cartesian coordinate systemSystem programmingLibrary (computing)Vulnerability (computing)Multiplication signComputer animation

29:34

Integrated development environmentGUI widgetKernel (computing)Default (computer science)Computer networkSystem programmingGame controllerDifferent (Kate Ryan album)Kernel (computing)Software bugForm (programming)Mobile appSpeech synthesisProcess (computing)DemonEndliche ModelltheorieDefault (computer science)SoftwareComputer animation

30:29

Default (computer science)AuthenticationDemonBootingSpherical capWeightDrop (liquid)Interface (computing)Computer-generated imageryInformation securityNamespace1 (number)Computer fileCodeMobile appDefault (computer science)Multiplication signWechselseitige InformationMedical imagingRandomizationBridging (networking)Spherical capRoutingNetwork socketNumberWeightNamespaceProcess (computing)Information securityException handlingLine (geometry)Firewall (computing)Data centerDrop (liquid)Interface (computing)Group actionRepresentational state transferAuthenticationPoint (geometry)Compilation albumSystem programmingKeyboard shortcutFiber bundleServer (computing)RootComputer animation

33:34

NamespaceSoftware maintenanceSoftware maintenanceRootSpeech synthesisPOKENamespaceBitHacker (term)Limit (category theory)Computer animation

34:15

NamespaceDrop (liquid)Medical imagingCuboidPoint (geometry)RootLevel (video gaming)Drop (liquid)DemonNamespaceComputer animation

34:49

Limit (category theory)BootingImplementationLimit (category theory)RootMultiplication signSoftware bugProcess (computing)Mobile appSystem programmingImplementationComputer animation

35:28

Open setImplementationProjective planeOpen setLibrary (computing)Computer fileLatent heatSystem programmingComputer animation

36:18

Slide ruleAreaLevel (video gaming)Message passingComputer animation

36:56

NP-hardKernel (computing)Modul <Datentyp>Drop (liquid)Rollenbasierte ZugriffskontrolleDefault (computer science)Kernel (computing)Server (computing)Information securityDevice driverLaptopComputer hardwareDrop (liquid)SubsetProfil (magazine)Mobile appLimit (category theory)Default (computer science)Set (mathematics)System programmingArmComputer animation

38:13

Latent heatDrop (liquid)NamespaceComputer-generated imageryRootMultiplication signProjective planeMedical imagingKeyboard shortcutWeightInformation securitySpherical capTable (information)RoutingService (economics)Computer animation

39:04

GUI widgetLimit (category theory)Normal (geometry)System programmingSurfaceExtension (kinesiology)Attribute grammarInformation securityFirewall (computing)Kolmogorov complexityComputer networkInterface (computing)SurfaceMobile appSystem callCompilation albumKernel (computing)Service (economics)Electronic mailing listNormal (geometry)System programmingInterface (computing)DataflowProcess (computing)Core dumpDifferent (Kate Ryan album)SoftwareComputer animation

39:50

Computer fileSystem programmingCartesian coordinate systemDatabaseNamespaceFlow separationInformation securityUser interfaceComputer hardwareDebuggerRight angleVirtual machineMaxima and minimaCompilation album

40:45

System programmingNamespaceIntelParameter (computer programming)Mechanism designHeegaard splittingDifferent (Kate Ryan album)CuboidWhiteboardAuthorizationService (economics)Rule of inferenceCASE <Informatik>VirtualizationEndliche ModelltheorieDatabaseInformation securityGraphical user interfaceSystem programmingMaxima and minimaComputer hardwareNamespaceServer (computing)BitOffice suiteComputer animation

42:57

Information securityArchitectureSystem programmingData modelHeegaard splittingMessage passingQueue (abstract data type)Endliche ModelltheorieSystem programmingInformation securityPerfect groupNumberMultiplication signSoftware testingComputer architectureProgram flowchartComputer animation

43:56

Covering spaceEmailTwitterAreaTwitterPoint (geometry)Computer fileComputer animation

Transcript: English(auto-generated)