
Christo Goosen - Google gvisor container runtime sandbox

gVisor was released 5 months ago and promoted alongside Google Cloud Platform’s push for Python 3.7 support. Google identified the need for a user-space kernel to act as a sandbox in container/Docker environments. gVisor is written in Go (Golang), provides a swap-in runtime for Docker and adds an additional layer of kernel protection between the host and your executed code. Google says gVisor protects the host kernel because it “employs rule-based execution to provide defense-in-depth”. The talk covers a quick intro and how easy it is to get going with gVisor.

DevOpsDays Cape Town

September 21, 2018

Transcript

  1. Whoami | grep work
     • ME: Chief Technology Officer at CTRL Technologies
     • Ctrl Tech: insurance tech company. Website: takectrl.co.za
     • Stack: Python 3.7 asyncio; Ionic, Angular 5 + TypeScript
  2. Whoami | grep other
     • ME: tech, tech for good, politics, hiking. Studying: MSc Information Security
     • OWASP Cape Town (Open Web Application Security Project): non-profit for advancing security in web applications and other software. Regular meetups, all welcome!
       • https://www.owasp.org/index.php/Cape_Town
       • http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/
     • BSides Cape Town: community-driven security (hacker) conference. http://www.bsidescapetown.co.za/
       • Volunteer!
       • Tickets!
       • Badges
  5. gVisor architecture
     • Implements around 200 of the ~400+ Linux syscalls
     • The Gofer acts as a file system proxy by opening host files on behalf of the application and passing them to the Sentry process, which has no host file access itself
     • The Sentry runs in an empty user namespace, and the system calls made by gVisor to the host are restricted using seccomp filters
     • The Sentry implements its own network stack (also written in Go) called netstack
     • Allows network passthrough
  6. Docker daemon config (/etc/docker/daemon.json; the two closing braces were missing on the slide)

     {
       "debug": true,
       "experimental": true,
       "runtimes": {
         "runsc": {
           "path": "/usr/local/bin/runsc",
           "runtimeArgs": [
             "--debug-log-dir=/tmp/runsc",
             "--debug",
             "--strace"
           ]
         }
       }
     }
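As an added example (not code from the talk or the gVisor project): a small Python helper that merges the runsc runtime entry from the slide into an existing daemon.json without clobbering other keys or runtimes, plus a check that a container's dmesg output comes from gVisor's Sentry rather than the host kernel. The function names, the default-runtime option and the sample dmesg text are this example's own assumptions; the daemon.json location and the runtimes/runtimeArgs keys are Docker's documented ones.

```python
import copy
import json
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")  # dockerd's default config file on Linux


def add_runsc_runtime(config: dict, runsc_path: str = "/usr/local/bin/runsc",
                      debug: bool = False, make_default: bool = False) -> dict:
    """Return a copy of the daemon config with gVisor's runsc registered as a runtime.

    Existing keys and other runtimes are preserved, so this can be applied to a
    daemon.json already in use. The debug flags are the ones from the slide;
    keep them off in production, since --strace records every syscall the
    sandboxed application makes into --debug-log-dir.
    """
    merged = copy.deepcopy(config)               # never mutate the caller's dict
    entry = {"path": runsc_path}
    if debug:
        entry["runtimeArgs"] = ["--debug-log-dir=/tmp/runsc", "--debug", "--strace"]
    merged.setdefault("runtimes", {})["runsc"] = entry
    if make_default:
        merged["default-runtime"] = "runsc"      # sandbox every container unless overridden
    return merged


def load_daemon_config(path: Path = DAEMON_JSON) -> dict:
    """Existing daemon.json contents, or an empty config if the file does not exist."""
    return json.loads(path.read_text()) if path.exists() else {}


def sandboxed_by_gvisor(dmesg_output: str) -> bool:
    """True if a container's `dmesg` output comes from gVisor's Sentry, not the host kernel.

    Under runsc the Sentry prints its own synthetic boot log and the host ring
    buffer is never exposed, so the gVisor banner is a quick check that
    --runtime=runsc actually took effect for the container.
    """
    return any("gVisor" in line for line in dmesg_output.splitlines())


# Constructed sample in the shape of gVisor's synthetic dmesg (not a captured log).
SAMPLE_GVISOR_DMESG = """[    0.000000] Starting gVisor...
[    0.238931] Checking naughty and nice process list...
[    0.512456] Ready!
"""

if __name__ == "__main__":
    print(json.dumps(add_runsc_runtime(load_daemon_config(), debug=True), indent=2))
    # After writing that to daemon.json and restarting dockerd, feed the output of
    #   docker run --rm --runtime=runsc alpine dmesg   to sandboxed_by_gvisor().
    print("sandboxed:", sandboxed_by_gvisor(SAMPLE_GVISOR_DMESG))
```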
  7. Kubernetes
     • gVisor can run sandboxed containers in a Kubernetes cluster with cri-o (runtime)
     • Any Pod without the io.kubernetes.cri-o.TrustedSandbox annotation (or with the annotation set to false) will be run with runsc
     • Current support is for 1 container to a pod. Working on support for multiple containers in a pod.
  8. Supported applications
     • elasticsearch • golang • httpd • java8 • jenkins • mariadb • memcached • mongo • mysql • nginx • node • php • prometheus • python • redis • registry • tomcat • wordpress
  9. runsc checkpoint/restore
     gVisor supports checkpointing and restoring containers. A container’s state can be checkpointed and later restored into one or more containers. This can be used to save work and time in cases of failure and allow for container migration. A single container can perform slower setup tasks and then be checkpointed so that many containers with the same task can be “restored” and started more quickly.
  10. Thanks! Any questions? You can find me at:
     ◇ @owasp_cpt
     ◇ christo<at>christogoosen.co.za
     ◇ christo.goosen<at>takectrl.co.za
     ◇ christo.goosen<at>owasp.org
     ◇ github.com/c-goosen
  11. Sources: projects, libraries and examples
     • https://github.com/google/gvisor
     • https://www.zdnet.com/article/google-open-sources-gvisor-a-sandboxed-container-runtime/
     • https://www.infoq.com/news/2018/05/gvisor-container-sandbox
     • https://twitter.com/remco_verhoef/status/1004020497745575936
     • https://docs.docker.com/engine/security/security/
     • https://thenewstack.io/interview-google-gvisor-and-the-challenge-of-securing-multitenant-containers/
     • http://blog.nigelpoulton.com/gvisor-containers/
     • https://medium.com/@remco_verhoef/sandboxing-with-gvisor-b9979bd424b9