
Linux Containers: Future or Fantasy?


Formal Metadata

Title: Linux Containers: Future or Fantasy?
Alternative Title: 101 Track
Number of Parts: 109
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
Linux Containers: Future or Fantasy?
Aaron Grattafiori, Principal Security Consultant, iSEC Partners/NCC Group

Containers, a pinnacle of fast and secure deployment or a panacea of false security? In recent years Linux containers have developed from an insecure and loose collection of Linux kernel namespaces to a production-ready OS virtualization stack. In this talk, the audience will first learn the basics of how containers function, understanding namespaces, capabilities and cgroups in order to see how Linux containers and the supporting kernel features can offer an effective application and system sandboxing solution yet to be widely deployed or adopted. Understanding LXC or Docker use, weaknesses and security for PaaS and application sandboxing is only the beginning.

Leveraging container technologies is rapidly becoming popular within the modern PaaS and devops world, but little has been publicly discussed in terms of actual security risks or guarantees. Prior container vulnerabilities or escapes, and current risks or pitfalls in major public platforms, will be explored in this talk. I'll cover methods to harden containers against future attacks and common mistakes to avoid when using systems such as LXC and Docker. This will also include an analysis and discussion of techniques such as Linux kernel hardening, reduced capabilities, Mandatory Access Controls (MAC), the user kernel namespace and seccomp-bpf (syscall filtering), all of which help actually contain containers. The talk will end with some methods for creating minimal, highly secure containers and with where containers are going and why they might show up where you least expect them.

Aaron Grattafiori (@dyn___) is a Principal Security Consultant and Research Lead with iSEC Partners/NCC Group. A jack-of-all-security, Aaron leads projects ranging from complex system analysis and mobile and web application security to network, protocol and design reviews, red teams and other hybrid testing. With over nine years of security experience, Aaron utilizes a wide array of technology skills, historical research and security knowledge to consistently discover critical vulnerabilities. Aaron has spoken on a wide range of topics at security conferences such as Blackhat, DEF CON Kids, Toorcon:Seattle+SanDiego, ToorCamp, Source Seattle, EELive! and SecureWorld, in addition to being a guest speaker at Stanford University. Prior to working at iSEC Partners, Aaron worked as a Security Consultant for Security Innovation and is a retired long-time member of the Neg9 CTF team. This will be Aaron's 12th DEF CON, w00t! Twitter: @dyn___
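The hardening measures the abstract lists (seccomp-bpf syscall filtering and reduced capabilities) in working form, as an added example that is not code from the talk or the speaker: it builds an allow-list seccomp filter, runs it through a small userspace interpreter of the three classic-BPF opcodes the filter uses so the policy's decisions can be checked before it is installed, and in main() installs it after emptying the capability bounding set and setting no_new_privs. Assumptions: an x86_64 or aarch64 Linux host with kernel headers (the AUDIT_ARCH constant is picked at compile time), and an allow-list of write/exit/exit_group chosen purely for illustration; MAX_INSNS, build_allowlist, run_filter and decide are names introduced here, not kernel or library API.

```c
/* Added example (not from the talk): seccomp-bpf allow-list, a userspace
 * interpreter to unit-test it, and the bounding-set drop + no_new_privs
 * that belong with it. Assumes an x86_64 or aarch64 Linux host. */
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64     /* assumption: x86_64 or aarch64 host */
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS      /* name added in Linux 4.14 headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define MAX_INSNS 64
struct filter_prog { struct sock_filter insns[MAX_INSNS]; unsigned short len; };
static int emit(struct filter_prog *p, struct sock_filter insn)
{
    if (p->len >= MAX_INSNS) return -1;
    p->insns[p->len++] = insn;
    return 0;
}
#define EMIT(p, insn) emit((p), (struct sock_filter)insn)
/* Allow exactly the listed syscall numbers for this ABI; kill on anything else.
 * The arch check comes first: numbers differ between ABIs, and a 32-bit syscall
 * on a 64-bit kernel would otherwise slip past the list. */
int build_allowlist(struct filter_prog *p, const int *allowed, size_t n)
{
    memset(p, 0, sizeof *p);
    if (EMIT(p, BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch))) ||
        EMIT(p, BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0)) ||
        EMIT(p, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)) ||
        EMIT(p, BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))))
        return -1;
    for (size_t i = 0; i < n; i++)  /* jt=0 falls into ALLOW, jf=1 skips to next compare */
        if (EMIT(p, BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i], 0, 1)) ||
            EMIT(p, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)))
            return -1;
    return EMIT(p, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
}
/* Interpreter for the three classic-BPF opcodes used above (LD.W abs, JEQ imm,
 * RET imm), with the kernel's semantics, so a policy can be checked offline. */
uint32_t run_filter(const struct filter_prog *p, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < (unsigned)p->len; pc++) {
        const struct sock_filter *i = &p->insns[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k + sizeof acc > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)d + i->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == i->k) ? i->jt : i->jf;  /* offsets count from the next insn */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;      /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;              /* ran off the end: fail closed */
}
/* What the policy decides for syscall `nr` made under ABI `arch`. */
uint32_t decide(const struct filter_prog *p, uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(p, &d);
}
int main(void)
{
    const int allowed[] = { __NR_write, __NR_exit, __NR_exit_group };  /* illustrative list */
    struct filter_prog p;
    if (build_allowlist(&p, allowed, sizeof allowed / sizeof allowed[0]) != 0) return 1;
    struct sock_fprog prog = { .len = p.len, .filter = p.insns };
    /* Reduced capabilities: empty the bounding set so nothing exec'd later can
     * regain one (needs CAP_SETPCAP; as an ordinary user each call is EPERM). */
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) (void)prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
    /* no_new_privs lets an unprivileged process install a filter and stops a
     * setuid exec from regaining privilege underneath it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { perror("no_new_privs"); return 1; }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) { perror("seccomp"); return 1; }
    static const char msg[] = "write() passes the filter; getpid() will raise SIGSYS\n";
    syscall(__NR_write, 1, msg, sizeof msg - 1);
    syscall(__NR_getpid);   /* not on the list: the kernel kills the process here */
    return 0;               /* never reached */
}
```

Run as an ordinary user: the message is printed and the process is then killed with SIGSYS on the getpid() call. Docker's default seccomp profile and LXC's lxc.seccomp apply the same kernel mechanism from a profile file instead of hand-built BPF; the arch check and the fail-closed default are the two parts most often missing from home-grown filters.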