Linux Container Security

23 Oct 2014 08:44 am
[personal profile] mjg59
First, read these slides. Done? Good.

Hypervisors present a smaller attack surface than containers. This is somewhat mitigated in containers by using seccomp, selinux and restricting capabilities in order to reduce the number of kernel entry points that untrusted code can touch, but even so there is simply a greater quantity of privileged code available to untrusted apps in a container environment when compared to a hypervisor environment[1].

Does this mean containers provide reduced security? That's an arguable point. In the event of a new kernel vulnerability, container-based deployments merely need to upgrade the kernel on the host and restart all the containers. Full VMs need to upgrade the kernel in each individual image, which takes longer and may be delayed due to the additional disruption. In the event of a flaw in some remotely accessible code running in your image, an attacker's ability to cause further damage may be restricted by the existing seccomp and capabilities configuration in a container. They may be able to escalate to a more privileged user in a full VM.

I'm not really compelled by either of these arguments. Both argue that the security of your container is improved, but in almost all cases exploiting these vulnerabilities would require that an attacker already be able to run arbitrary code in your container. Many container deployments are task-specific rather than running a full system, and in that case your attacker is already able to compromise pretty much everything within the container. The argument's stronger in the Virtual Private Server case, but there you're trading that off against losing some other security features - sure, you're deploying seccomp, but you can't use selinux inside your container, because the policy isn't per-namespace[2].

So that seems like kind of a wash - there's maybe marginal increases in practical security for certain kinds of deployment, and perhaps marginal decreases for others. We end up coming back to the attack surface, and it seems inevitable that that's always going to be larger in container environments. The question is, does it matter? If the larger attack surface still only results in one more vulnerability per thousand years, you probably don't care. The aim isn't to get containers to the same level of security as hypervisors, it's to get them close enough that the difference doesn't matter.

I don't think we're there yet. Searching the kernel for bugs triggered by Trinity shows plenty of cases where the kernel screws up from unprivileged input[3]. A sufficiently strong seccomp policy plus tight restrictions on the ability of a container to touch /proc, /sys and /dev helps a lot here, but it's not full coverage. The presentation I linked to at the top of this post suggests using the grsec patches - these will tend to mitigate several (but not all) kernel vulnerabilities, but there's tradeoffs in (a) ease of management (having to build your own kernels) and (b) performance (several of the grsec options reduce performance).

But this isn't intended as a complaint. Or, rather, it is, just not about security. I suspect containers can be made sufficiently secure that the attack surface size doesn't matter. But who's going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there's been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:

  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises

These aren't easy jobs, but they're important, and I'm hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it's going to be far too easy to write containers off as a "convenient, cheap, secure: choose two" tradeoff. That's not a winning strategy.

[1] Companies using hypervisors! Audit your qemu setup to ensure that you're not providing more emulated hardware than necessary to your guests. If you're using KVM, ensure that you're using sVirt (either selinux or apparmor backed) in order to restrict qemu's privileges.
[2] There's apparently some support for loading per-namespace Apparmor policies, but that means that the process is no longer confined by the sVirt policy
[3] To be fair, last time I ran Trinity under Docker under a VM, it ended up killing my host. Glass houses, etc.

(no subject)

23 Oct 2014 09:32 am
oursin: Brush the Wandering Hedgehog by the fire (Default)
[personal profile] oursin
Happy birthday, [personal profile] chalcedony_cat, [personal profile] diony, and [personal profile] em_h!
[syndicated profile] amusingplanet_feed

Posted by Kaushik

Moss Balls or marimo (Japanese for "ball seaweed"), also known by various names such as Cladophora ball and Lake ball, is a species of filamentous green algae named Aegagropila linnaei that grow into large green balls with a velvety appearance. These balls grow to sizes of 12 to 30 cm across, depending on where you find them. Marimos are rare and is known to occur only in Iceland, Scotland and Japan, primarily Lake Akan in Japan and Lake Mývatn in Iceland. Recently, moss balls appeared in a large numbers on Dee Why Beach, in Sydney, the first such spotting of this algae in the southern hemisphere.

Marimo doesn’t grow around a core, such as a pebble. Instead, the algal filaments grow in all directions from the centre of the ball, continuously branching and thereby laying the foundation for the spherical form. Surprisingly, the ball is green all through, although light only reaches very short distance into the ball. The chlorophyll inside the ball remains dormant in the dark, but becomes active when exposed to light if the ball breaks apart. Moss balls are found submerged in the lake’s bed where the gentle wave action frequently turns them over maintaining its spherical shape, at the same time ensuring that they can photosynthesize no matter which side is turned upwards.


Marimo in a tank in Hokkaido, Japan. Photo credit

Read more »
goodbyebird: Captain America: Bucky in uniform, mountains int he background. (Avengers strike down on me)
[personal profile] goodbyebird
Well. The Age of Ultron trailer is online. Have now closed twitter, because I'm damn sure something spoilery will happen there. Now my days will be dull indeed. I've really been enjoying geeking out with people on twitter :/

Please please pleeeease don't post anything about it outside of a cut?

*goes back to daydreaming about the possibility of a CA3 thing happening in the end credits scene*
[syndicated profile] b92_feed

Na Brankovom mostu oko 9 sati dogodio se lančani sudar u kojem su učestvovala četiri vozila.

Sudar se desio u pravcu ka Novom Beogradu. Prema prvim informacijama nema povređenih, a pričinjena je manja materijalna šteta.

[syndicated profile] b92_feed

Kina je rasporedila više od 1.200 vojnika, avione i helikoptere zbog neovlašćenog leta blizu aerodroma u Pekingu, koji je, kako se posle ispostavilo, bio dron.

Dron je služio za istraživanje i mapiranje, javili su danas kineski državni mediji. Protiv trojice muškaraca podignuta je optužnica zbog incidenta, prenela je agencija AFP. Kina je, pošto se na radaru pojavila letelica, odmah uputila na akciju 1.226 vojnika, 123 vojna vozila, 26 radarskih tehničara, dva borbena aviona i dva helikoptera.

[syndicated profile] b92_feed

Bivši politički zatvorenik u Rusiji Igor Sutjagin smatra da je sukob proruskih i ukrajinskih snaga oko Donjecka stvorio situaciju kašmirske krize u Evropi.

“Usred Evrope imamo jedan Kašmir. Sukoba će biti s vremena na vreme, verujem da se zaraćene strane neće tako lako povući“, istakao je Sutjagin.

[syndicated profile] b92_feed

U jakoj eksploziji gasa koja je jutros demolirala stambenu zgradu u Katovicama u Poljskoj, petoro stanara se vode kao nestali, a petoro ljudi je povređeno.

U zgradi u centru Katovica eksplodirao je najverovatnije gas, izjavio je za poljske medije gradonačelnik Katovica Pjotr Ušoka. Eksplozija je srušila fasadu i tri sprata u delu te manje stambene zgrade, požar nakon eksplozije zahvatio je i susednu zgradu, a oštećeni su i neki automobili na ulici.

[syndicated profile] b92_feed

U jakoj eksploziji gasa koja je jutros demolirala stambenu zgradu u Katovicama u Poljskoj, petoro stanara se vode kao nestali, a petoro ljudi je povređeno.

U zgradi u centru Katovica eksplodirao je najverovatnije gas, izjavio je za poljske medije gradonačelnik Katovica Pjotr Ušoka. Eksplozija je srušila fasadu i tri sprata u delu te manje stambene zgrade, požar nakon eksplozije zahvatio je i susednu zgradu, a oštećeni su i neki automobili na ulici.

Bandiću godinu dana pritvora?

23 Oct 2014 06:43 am
[syndicated profile] b92_feed

Gradonačelnik Zagreba Milan Bandić mogao bi da provede u istražnom pritvoru godinu dana, zbog velikog broja svedoka koji treba da budu ispitani.

Navodi se da je u slučaju bivše županice Marine Lovrić Merzel ispitano 110 svedoka i da je ceo postupak trajao pet meseci, što dovodi do zaključka da bi zagrebački gradonačelnik mogao da bude u pritvoru bar 10 meseci.

[syndicated profile] b92_feed

Rusko državno tužilaštvo je naložilo privođenje još četiri radnika moskovskog aerodroma "Vnukovo", posle nesreće u kojoj je poginuo direktor francuskog "Totala"

Odmah nakon nesreće ruski istražitelji su odredili pritvor vozaču mašine za čišćenje snega Vladimiru Matvinenku, koji je navodno izazvao avionsku nesreću sudarivši se sa privatnim avionom "Falkon-50" u kojem su bili Kristof de Maržeri i još troje ljudi, preneo je Rojters.

[syndicated profile] b92_feed

Evropski komesar za susedstvo i pregovore o proširenju Johanes Han ističe da mu je cilj da kandidati za članstvo u EU budu i ekonomski spremni za pristupanje.

"Moj cilj je, pored čisto formalnih pregovora, da doprinesem razvoju ekonomskih kapaciteta zemalja kandidata. Kandidati treba i ekonomski u vreme pristupanja biti spremne da budu punopravne članice. To povećava prihvatanje širenja u aktuelnim državama članice", uveren je Han.

ceares: kitty in a lap (Default)
[personal profile] ceares posting in [community profile] fanart_recs
Fandom:due South
Characters/Pairing/Other Subject: Ray Kowalski and Benton Fraser
Content Notes/Warnings: none
Medium: traditional, pen and ink
Artist on DW/LJ:n/a
Artist Website/Gallery: tootsiemuppet on DA
Why this piece is awesome: gorgeous, vibrant style
Link: Ray and Benton

Daily Happiness

22 Oct 2014 11:28 pm
torachan: arale from dr slump dressed in a penguin suit and smiling (arale penguin)
[personal profile] torachan
1. There is an amazing new live version of Actual Cannibal Shia LaBeouf.

2. We went down to the Promenade this afternoon to look at the new retina iMacs. The difference wasn't as immediately noticeable to me with a large screen as it is with a phone or tablet, but it definitely looks pretty spiffy.

3. We had Trader Joe's pumpkin ravioli tonight for dinner and it was so great! (Sadly, Irene didn't like it, but on the other hand, that means more for me!)

4. I went out to lunch with my mom today and went back to her house afterwards to help with her husband's computer, which turned out to be a much larger/more annoying job than I was expecting. BUT, since it ended up taking so long, she gave me $100 off next month's rent for helping out. (And I did get everything fixed, so yay.)
[syndicated profile] b92_feed

U Srbiji je jutros najhladnije na Kopaoniku, gde su u sedam časova izmerena minus četiri stepena, a u pojedinim mestima trenutno padaju sneg, susnežica i kiša.

U Sjenici je izmeren sneg visine 16 centimetara, na Kopaoniku je snežni pokrivač visok 13, a na Zlatiboru 12 centimetara, objavljeno je na sajtu Republičkog hidrometeorološkog zavoda.

[syndicated profile] b92_feed

Kanadski zvaničnici potvrdili su da je u napad na parlament izvršio džihadista koji je i ranije bio osuđivan, a nedavno je prihvatio islamsku veru.

Od početka nedelje to je drugi napad radikalnih islamista, pošto je prethodno u ponedeljak u Kvebeku pucnjima iz automobila ubijen jedan, a ranjen drugi pripadnik kanadske vojske.

Children's Books on Death

23 Oct 2014 01:15 am
ysabetwordsmith: Cartoon of me in Wordsmith persona (Default)
[personal profile] ysabetwordsmith
Here are some children's books about death. This season is a good time to open a topic that everyone needs to know about, in ways that are not too scary.

One of my favorites is The Hobbit. It's not primarily about death, but it has a lot of very thoughtful ideas about mortality and the utter foolishness of war. Among my best-loved bits is the parting between Thorin and Bilbo:

"Farewell, good thief," he said. "I go now to the halls of waiting to sit beside my fathers, until the world is renewed. Since I leave now all gold and silver, and go where it is of little worth, I wish to part in friendship from you, and I would take back my words and deeds at the Gate."

"There is more in you of good than you know, child of the kindly West. Some courage and some wisdom, blended in measure. If more of us valued food and cheer and song above hoarded gold, it would be a merrier world. But sad or merry, I must leave it now. Farewell!"

-- Thorin Oakenshield in The Hobbit by J.R.R. Tolkien

superboyprime: (Default)
[personal profile] superboyprime posting in [community profile] scans_daily

"I'd like to do a New Mutants book, but that's not what Marvel is interested in, and to be frank, not where the money is for me." - Jonathan Hickman

Sunspot: Leader )


kaigou: this is what I do, darling (Default)
锴 angry fishtrap 狗

to remember

"When you make the finding yourself— even if you're the last person on Earth to see the light— you'll never forget it." —Carl Sagan

September 2014

1415 1617181920
212223242526 27


No cut tags