Clair, A Container Image Security Analyzer
Download as PPTX, PDF5 likes4,099 views
- Clair is an open source project for analyzing container images for known software vulnerabilities. It uses static analysis to detect vulnerabilities by examining the content of container images without running the containers. - Clair's analysis can be done once and reused to inform about current and future vulnerabilities. It also suggests fixes and notifies users about new vulnerabilities. - Clair is designed as an extensible framework, including detectors for vulnerabilities from different sources, datastores, updaters, notifiers and support for multiple container formats and operating systems. The presenter discusses current and potential future capabilities.
![Built as a framework
- Detectors
type FeaturesDetector interface {
GetRequiredFiles() []string
Detect(map[string][]byte) ([]database.FeatureVersion, error)
}
v1.1.0
type NamespaceDetector interface {
GetRequiredFiles() []string
Detect(map[string][]byte) *database.Namespace
}
type DataDetector interface {
Supported(path string, format string) bool
Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error)
}
22](https://image.slidesharecdn.com/clair-april19th2016-160421151610/85/Clair-A-Container-Image-Security-Analyzer-22-320.jpg)
![type Datastore interface {
ListNamespaces() ([]Namespace, error)
InsertLayer(Layer) error
FindLayer(name string, withFeatures, withVulnerabilities bool) (Layer, error)
DeleteLayer(name string) error
ListVulnerabilities(namespaceName string, limit int, page int) ([]Vulnerability, int, error)
InsertVulnerabilities(vulnerabilities []Vulnerability, createNotification bool) error
FindVulnerability(namespaceName, name string) (Vulnerability, error)
DeleteVulnerability(namespaceName, name string) error
InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []FeatureVersion) error
DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error
GetAvailableNotification(renotifyInterval time.Duration) (VulnerabilityNotification, error)
GetNotification(name string, limit int, page PageNumber) (VulnerabilityNotification, PageNumber, error)
SetNotificationNotified(name string) error
DeleteNotification(name string) error
InsertKeyValue(key, value string) error
GetKeyValue(key string) (string, error)
Lock(name string, owner string, duration time.Duration, renew bool) (bool, time.Time)
Unlock(name, owner string)
FindLock(name string) (string, time.Time, error)
Ping() bool
Close()
}
Built as a framework
- Datastores
v1.1.024](https://image.slidesharecdn.com/clair-april19th2016-160421151610/85/Clair-A-Container-Image-Security-Analyzer-24-320.jpg)
Clair, A Container Image Security Analyzer
- 1. Quentin Machu @Quentin__M | quentin.machu@coreos.com Clair A Container Image Security Analyzer
- 2. We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/ careers 90+ Projects on GitHub, 1,000+ Contributors OPEN SOURCE CoreOS.com - @coreoslinux - github/coreos Secure solutions, support plans, training + more ENTERPRISE sales@coreos.com - tectonic.com - quay.io CoreOS is Running the World’s Containers Secure the Internet MISSION 2
- 6. But … wait 6
- 8. A container in practice ... 8
- 9. Is that all ? 9
- 11. CVE-2015-0235 aka GHOST “GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.” 11
- 12. CVE-2014-0160 aka Heartbleed “The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.” 12
- 14. How do we make this better for developers?
- 15. Open source project for the static analysis of vulnerabilities in appc and docker containers. github.com/coreos/clair 15
- 16. Showtime()
- 17. - Static analysis - Do the job only once - Suggest & Notify - Built as a framework Clair in a few points 17
- 18. Static analysis CONTEXT Millions of container images - Running these containers is expensive - Running any untrusted container is unsafe - “We need to go deeper” - Secure solutions can become pretty complex - Several dynamic analysis tools exist - Requires human input and guidance 18
- 19. - Extract and store enough to inform about both known and future vulnerabilities - Reuse analysis data as much as possible Do the job only once CONTEXT Millions of container images Over 15 new vulnerabilities / day What happens when new vulnerabilities are published ? 19
- 20. “I read your security report about my container, but … what can I actually do?” Here, look, here’s what you can easily fix. “I feel confident about my container now. I’m lazy though and don’t want to check the report again. Tell me as soon as there’s something new that I should be concerned about” Sure. Where can I contact you? Suggest & Notify 20
- 21. Built as a framework Open Source and Extensibility are the heart and soul of Clair v1.1.021
- 22. Built as a framework - Detectors type FeaturesDetector interface { GetRequiredFiles() []string Detect(map[string][]byte) ([]database.FeatureVersion, error) } v1.1.0 type NamespaceDetector interface { GetRequiredFiles() []string Detect(map[string][]byte) *database.Namespace } type DataDetector interface { Supported(path string, format string) bool Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error) } 22
- 23. Built as a frameworktype Fetcher interface { FetchUpdate(database.Datastore) (FetcherResponse, error) Clean() } Built as a framework - Vulnerability Updaters / Notifiers type Notifier interface { Configure(config.NotifierConfig) (bool, error) Send(database.VulnerabilityNotification) error } v1.1.023
- 24. type Datastore interface { ListNamespaces() ([]Namespace, error) InsertLayer(Layer) error FindLayer(name string, withFeatures, withVulnerabilities bool) (Layer, error) DeleteLayer(name string) error ListVulnerabilities(namespaceName string, limit int, page int) ([]Vulnerability, int, error) InsertVulnerabilities(vulnerabilities []Vulnerability, createNotification bool) error FindVulnerability(namespaceName, name string) (Vulnerability, error) DeleteVulnerability(namespaceName, name string) error InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []FeatureVersion) error DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error GetAvailableNotification(renotifyInterval time.Duration) (VulnerabilityNotification, error) GetNotification(name string, limit int, page PageNumber) (VulnerabilityNotification, PageNumber, error) SetNotificationNotified(name string) error DeleteNotification(name string) error InsertKeyValue(key, value string) error GetKeyValue(key string) (string, error) Lock(name string, owner string, duration time.Duration, renew bool) (bool, time.Time) Unlock(name, owner string) FindLock(name string) (string, time.Time, error) Ping() bool Close() } Built as a framework - Datastores v1.1.024
- 25. - Image format: appc, Docker - Operating systems: Debian, Ubuntu, CentOS - Detection: package managers (dpkg, rpm) - Vulnerability sources: Distribution-specific - Database: PostgresSQL 9.4+ - Notification: Webhook What does it currently support ? v1.1.025
- 26. - Revisit database implementation - MySQL Support (Huawei) - Improve release distribution - Embed migrations - Address client UX - Integrate a solid command-line tool (Wemanity) - Expand detection capabilities - Add Alpine Linux support (goo.gl/TSkCxM) - Implement npm (Huawei), python, OWASP - Anything you’d like to see! What’s next? v1.1.026
- 27. coreos.com/fest - @coreosfest May 9 & 10, 2016 - Berlin, Germany
- 28. Thank you! We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/ careers Quentin Machu @Quentin__M | quentin.machu@coreos.com
Editor's Notes
- #14: And that’s not all, NVD Some of these vulns became so important that … In one hand, we have fast-paced developers deploying all sort of containers, and in the other hand, we have thousands of vulnerabilities awaiting to be exploited and lead to critical data leak / loss.
- #15: With containerized applications and the rise of cluster managers, the way security assessment is realized changed. Dependency management shifted away from the op teams to the developers - and that bring them a new set of responsabilities. To help developers identifying the vulnerabilities that may threaten their containers, we recently built Clair.
- #17: Before explaining how it works, I would like to show you what insights Clair can provide through the demo of its integration with Quay, our secure container image registry.
- #18: I’ll describe Clair with 4 points
- #20: Basically it stores everything it can detect using the static analysis. And because of the immutable nature of container images, that knowledge can be crossmatched with vulnerability databases, now and in the future in order to determine the vulnerabilities that may affect these images. Additionally, Clair does this for every layer that compose an image, which means that it could re-use analysis data across multiple images that may share the same layers.
- #21: … Clair also recognizes that people are lazy.