Is Docker Secure?
1 like1,081 views
This document summarizes a presentation on the security of Docker containers. It begins with introductions and then outlines the container pipeline and risk areas. It discusses security issues related to images, the container runtime, and approaches for enterprises. It presents a holistic view of the container security pipeline and risks at different stages. It concludes by taking questions and providing references for further information.
Is Docker Secure?
- 1. Is Docker Secure? Grehack’16 @France Manideep K Carnegie Mellon University
- 2. 2 Shameless Bragging • Masters Student + Security Researcher at Carnegie Mellon, Cylab • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • Trained 15,000+ people in Infosec including corporates, students & cyber cops • 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc. • Ex Team Lead – Core Security & Data Analytics at TCS • Interest areas : Container Security, Application Security etc. More details about me on www.manideepk.com
- 3. 3 What am I upto with Containers? • Co-Authored CIS Docker 1.12 Benchmark • Cloud Security Research Intern @Adobe • Extensive research at Carnegie Mellon
- 4. 4 Before we start • How many of you know what containers are? • How many of you used containers? Personal / Enterprise development or production • How many of you did not adopt containers because of security issues?
- 5. 5 6-7 months research in 30 minutes Tough task but we will do it
- 6. 6 What are we doing for next 30 mins? Intro • Containers in 60 seconds • Container Pipeline and Risk Areas Sec…Security • Images • Container runtime • Hello enterprises Holistic pipeline view Wrap up
- 7. 7 What are we doing for next 30 mins? Intro • Containers in 60 seconds • Container Pipeline and Risk Areas Sec…Security • Images • Container runtime • Hello enterprises Holistic pipeline view Wrap up
- 8. 8 Quick “60 second” Intro Containers? Lightweight Application centric No more - “it works on my machine” Micro-services Namespaces : Isolation (PID, User, Network, IPC, Mount, UTS) Cgroups : Isolates, limits and accounts resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com Containers in 60 seconds
- 9. 9 Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Container Pipeline & Risk Areas Ref: Modified version of image on www.docker.com
- 10. 10 What are we doing for next 30 mins? Intro • Containers in 60 seconds • Container Pipeline and Risk Areas Sec…Security • Images • Container runtime • Hello enterprises Holistic pipeline view Wrap up
- 11. 11 Containers do not contain 53% of decision makers are worried about security of containers* Containers are not production-ready Container Security (Docker) developed “a lot” in the past two years, is still developing and has lot of scope Docker containers are now “production-ready**” . Google spins up more than 2 billion containers per week Containers are the “FUTURE” * Forrester/Red Hat Report , January 2015 ** You have to make them secure
- 12. 12 “Images” Security Lifecycle of An Image • Where can I get Images? - Docker hub public - Docker Private Store (Beta) • Can I use them (directly)? - No! Not Docker hub (at least general images) for enterprises (personal?) - How about Docker Private store? • Official images are scanned with Nautilus (general images are not) - Reports can be seen by opening tags on Hub
- 13. 13 My Analysis with Images • Downloaded 50 images from hub & the first image analyzed has XSS, CSRF vulns www.vulnerability-lab.com/get_content.php?id=1802 www.vulnerability-lab.com/get_content.php?id=1803 • Some others (which includes official images) are using vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc. • Manual and also analyzed with Twistlock tool
- 14. 14 Quick Facts from Banyanops 2015 Analysis report* 30% official images are vulnerable 70% general images are vulnerable How well the stats of the report stay good today? * Ref: https://banyanops.com/blog/analyzing-docker-hub/
- 15. 15 Manideep, What to do now? Enterprises - Build your own in-house registry by referring CIS Docker 1.12 doc • Write Dockerfiles securely (version pinning mechanisms, creating user etc.) • Maintain, Consume them securely (Docker content trust, frequent scanning etc.) Personal users - HMM….HMm...Hmm..mmm (Private store?)
- 16. 16 Container Runtime - Messy Slide, Sorry! • Breakout of container and attack host / other containers • Major problem is “shared kernel” • Beware & Fix bizarre Docker defaults (few below) else you will be in big trouble a) Containers can consume entire memory causing DOS b) Containers can communicate with each other leading to sniffing etc. c) Containers are on the same bridge leading to ARP spoofing, MITM etc. d) Containers have no fork limit causing fork bomb e) Containers run as root – do you still want to know the impact? f) Docker daemon access users have effective root privileges • Isolation / Security Namespaces - Beware of non-namespaced kernel keyring, SYS_TIME etc. and do not share namespaces unless and until needed Seccomp - How a single vulnerability in a system call ripped off / torn apart containers (Linux vulnerability but impacted Docker – Cansecwest’16) LSM’s - SELinux and Apparmor Capabilities - Do not use privileged containers and try to set flag for not acquiring any additional privileges
- 17. 17 Hello enterprises (applies for personal users too) • Use tools (Ex: Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task) a) Use only signed/ XYZ images b) Scan images “efficiently” and frequently c) Automatic container profiling etc. • Tune CIS benchmark as per your org requirements and adhere to it - Seccomp profiles, Apparmor/Selinux modules, SIEM/monitoring etc. • Group containers on VM (basing on trust, operational categories etc.) • Employ separate patch management, vulnerability assessment etc. procedures for containers
- 18. 18 What’s next? Intro • Containers in 60 seconds • Container Pipeline and Risk Areas Sec…Security • Images • Container runtime • Hello enterprises Holistic pipeline view Wrap up
- 19. 19 Container pipeline (Holistic View) Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Img Ref: Modified version of image on www.docker.com * *
- 20. 20 What’s next? Intro • Containers in 60 seconds • Container Pipeline and Risk Areas Sec…Security • Images • Container runtime • Hello enterprises Holistic pipeline view Wrap up
- 21. 21 So, what did you learn today? Docker Containers are not secure, you have to make them secure…!
- 22. 22 It’s not good to keep questions in your mind Throw them out and I am here to catch
- 23. 23 References 1. CIS Docker Benchmark 1.12 2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 3. www.oreilly.com/webops-perf/free/files/docker-security.pdf 4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 5. http://www.slideshare.net/Docker/docker-security-workshop-slides 6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 7. https://docs.docker.com/engine/security/ 8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
- 24. 24TCS Confidential Hope you enjoyed…! Reach me on www.manideepk.com for any questions