TU Wien
• Teaching “Digital Forensics” and “Privacy Enhancing Technologies”
• Certified expert witness
Private:
• Member of C3Wien
• Meme artist
• @fr333k (private)
2
applications
• Often used for webapps, but can be anything
• Run it, kill it, no persistence by design
Fast-paced software development:
• Part of CI/CD: continuous integration & delivery
• Commit, build, ship
• Canary testing
• Software used: Jenkins, git(lab), and more
9
docker-ce
Cloud providers:
• Azure Container Service (ACS)
• Amazon Elastic Container Service (ECS)
• Google Cloud Platform
• OpenShift & CoreOS by Red Hat
• …
12
• runc by the Open Containers Initiative (OCI)
• Container Linux by CoreOS, with the A/B partition update scheme borrowed from ChromeOS
• CoreOS Tectonic
• containerd by Docker, the runtime daemon underneath the Docker CLI; Moby, …
• Clear Containers by Intel, since merged into Kata Containers
13
Downloads base image
• Copies stuff into container
• Executes stuff in the container
• Exposes stuff over the network
• Done!
Or:
$ docker run --name some-nginx -v /some/content:/usr/share/nginx/html:ro -d nginx
15
quicker than VMs
• Lightweight: roughly 10 MB for a basic container
• Space-efficient: using overlayfs
• Non-persistent: containers die, and all is gone (by default)
• Easily scalable: run with a load balancer
• Secure: of course, why not!?
16
• good stuff!
• namespaces control what a process can see.
• cgroups control what a process can use.
• Both are enforced by the (shared) kernel
Additionally:
• Limited capabilities! A default container keeps only a subset of root's capabilities
• “Sandbox-ish”
17
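As an added example (not from the slides), here is a small POSIX shell script that decodes the CapEff capability mask the kernel reports in /proc/<pid>/status into capability names, using the bit numbering from the kernel's capability.h. The sample CapEff line is constructed and equals Docker's default set of 14 capabilities; the 0000003fffffffff mask in the comments is what a --privileged container (or host root) shows on a kernel with 38 capabilities. Run it inside a container to see what "limited capabilities" amounts to in practice.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask (CapEff/CapBnd from
# /proc/<pid>/status) into capability names. Not part of the slides.
# Names are in kernel numbering order (bit 0 = cap_chown ... bit 37 = cap_audit_read).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read"

# cap_names HEXMASK: print one capability name per line for every set bit
cap_names() {
    mask=$((0x$1))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        i=$((i + 1))
    done
}

# cap_has HEXMASK NAME: succeed if NAME (e.g. sys_admin) is in the mask
cap_has() {
    cap_names "$1" | grep -qx "cap_$2"
}

# capeff_of_status STATUS_TEXT: pull the CapEff mask out of /proc/<pid>/status content
capeff_of_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }'
}

# Constructed sample: the CapEff line seen from a default (non-privileged)
# `docker run` process. It is Docker's default bounding set of 14 capabilities.
SAMPLE_STATUS="Name: sh
CapEff: 00000000a80425fb"

main() {
    mask=$(capeff_of_status "$SAMPLE_STATUS")
    echo "Default container CapEff $mask:"
    cap_names "$mask"
    echo "cap_sys_admin present: $(cap_has "$mask" sys_admin && echo yes || echo no)"
    # On Linux, compare with the process this script runs in (root on the host
    # shows 0000003fffffffff on a kernel with 38 capabilities).
    if [ -r /proc/self/status ]; then
        own=$(capeff_of_status "$(cat /proc/self/status)")
        echo "This process: CapEff $own, $(cap_names "$own" | wc -l | tr -d ' ') capabilities"
    fi
    return 0
}

main
```

The default mask is what "limited capabilities" means: no cap_sys_admin, no cap_sys_ptrace, no cap_sys_module. Any --cap-add, and --privileged above all, widens it back towards the full mask.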
• Docker permission is like root: anyone who can talk to the daemon (docker group) can mount the host filesystem into a container
• Separation not enforced by hardware (as in VMs)
• One kernel exploit to rule them all: the kernel is shared by every container and the host
• No help against Meltdown & Spectre, which leak memory across exactly the kernel and process boundaries containers rely on
19
grsec/PaX
• Oz sandboxes
• Application firewall
• All on top of Tor Browser
But:
• Micah Lee is not happy
• Nautilus is not sandboxed; .desktop files nuke it from orbit
• Qubes for example uses Xen, not Docker
21
solution available!
• Encrypted file system (OPAL, BitLocker, LUKS): protects only against offline, physical access; a running container reads it in the clear
• Encrypted database on shards: might do it?
• Encryption in the DB: no transparent data encryption in PostgreSQL itself, only in other databases & $$$
• Encryption in the application: tricky, but can work. Penalizes DB performance (indexing and range queries on encrypted columns no longer work server-side)!
31
encryption!
• Used by Android
• One folder per datastore
• e4crypt + Docker secrets
• Then (maybe?) using pg_tablespaces
Alternatives:
1. LUKS + dm-crypt
2. Application layer
33
--privileged containers
• Detect and prevent the host network driver (--net=host)
• Detect and prevent -v of the Docker control socket (/var/run/docker.sock)
• Remote login disabled
However:
• Will not work on its own!
• Always ways to drop a shell on the host: other flags, mounts and capabilities give the same result
40
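The two points above (Docker access is host root; detect and prevent --privileged, host networking and the control socket) can be turned into a wrapper check. The following is an added example, not tooling from the slides: a POSIX shell function that audits a `docker run` command line against a denylist of options that hand out host root, fed with constructed sample command lines. The option names are the Docker CLI flags of the 17.x/18.x releases; the list is deliberately longer than the slide's three items, and it is still a denylist, which is the slide's own caveat.

```shell
#!/bin/sh
# Added example (not from the slides): denylist audit of a `docker run` command
# line, as a CI hook or sudo wrapper might apply it before the daemon sees it.
# Input is a constructed command line as one whitespace-separated string.

findings=""
flag() { findings="$findings $1"; }

# audit_docker_run "docker run ...": prints one finding per line,
# returns 0 if clean, 1 if anything on the denylist was found.
audit_docker_run() {
    findings=""
    set -- $1                       # split the command line on whitespace (no quoting support)
    while [ $# -gt 0 ]; do
        arg=$1; val=""
        case "$arg" in
            --*=*) val=${arg#*=}; arg=${arg%%=*} ;;        # --opt=value
            -v|--volume|--mount|--net|--network|--pid|--userns|--cap-add|--device|--security-opt)
                val=$2; shift ;;                            # --opt value
        esac
        case "$arg" in
            --privileged)    flag privileged ;;             # all caps, all devices, no seccomp/AppArmor
            --net|--network) [ "$val" != host ] || flag host-network ;;
            --pid)           [ "$val" != host ] || flag host-pid ;;
            --userns)        [ "$val" != host ] || flag host-userns ;;
            -v|--volume)
                case "${val%%:*}" in                        # host side of src:dst[:opts]
                    /var/run/docker.sock|/run/docker.sock) flag docker-socket ;;
                    /|/etc|/root|/proc|/sys|/dev)          flag "host-path:${val%%:*}" ;;
                esac ;;
            --mount)
                case "$val" in
                    *source=/var/run/docker.sock*|*source=/run/docker.sock*) flag docker-socket ;;
                    *source=/,*|*source=/)                                   flag host-path:/ ;;
                esac ;;
            --cap-add)
                case "$val" in                              # capabilities that alone reach the host
                    ALL|SYS_ADMIN|SYS_MODULE|SYS_PTRACE|SYS_RAWIO|DAC_READ_SEARCH) flag "cap-add:$val" ;;
                esac ;;
            --device)
                case "${val%%:*}" in                        # raw disk or memory access
                    /dev/mem|/dev/kmem|/dev/sd*|/dev/nvme*|/dev/vd*) flag "device:${val%%:*}" ;;
                esac ;;
            --security-opt)
                case "$val" in
                    apparmor=unconfined|seccomp=unconfined|seccomp:unconfined) flag "$val" ;;
                esac ;;
        esac
        shift
    done
    for f in $findings; do echo "$f"; done
    [ -z "$findings" ]
}

# Constructed sample command lines, one per line: the nginx example from the
# slides, the three cases the slide names, and two that the slide's list misses.
SAMPLES='docker run --name some-nginx -v /some/content:/usr/share/nginx/html:ro -d nginx
docker run --privileged -it ubuntu bash
docker run --net=host -v /var/run/docker.sock:/var/run/docker.sock -d traefik
docker run --cap-add=SYS_ADMIN --security-opt apparmor=unconfined -it ubuntu bash
docker run -v /:/host -it alpine chroot /host'

main() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
        if out=$(audit_docker_run "$line"); then
            echo "OK    $line"
        else
            echo "DENY  $line"
            echo "$out" | sed 's/^/      /'
        fi
    done
    return 0
}

main
```

The last two samples pass the slide's three checks and still end in a root shell on the host (a bind mount of / plus chroot; cap_sys_admin without AppArmor), so the list had to grow, and it would have to keep growing. That is the "always ways to drop a shell" point: a denylist on the client side buys time, it does not replace keeping untrusted users off the daemon entirely.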
known vulnerabilities (CVEs, mostly)
• Only against packages in images
• Does not check what gets installed at container runtime, e.g. an entrypoint that runs apt-get install
• Does not check if a package is used in any way
41
in ($$)
• Docker Bench for Security: https://github.com/docker/docker-bench-security
Plenty of other tools are out there:
• Peekr
• Twistlock
• Atomic Scan
• …
42