Security in Docker?!

A short journey on securing a dockerized environment. Presented at Linuxwochen 2018 in Vienna, #lww18

Martin Schmiedecker

May 03, 2018

Transcript

1. $whoami
   • Martin Schmiedecker
   • PhD in computer science from TU Wien
   • Teaching “Digital Forensics” and “Privacy Enhancing Technologies”
   • Certified expert witness
   Private:
   • Member of C3Wien
   • Meme artist
   • @fr333k (private)

2. Outline
   • What is Docker?
   • How to secure Docker?
     1. Host system
     2. Platform
     3. (3rd-party) containers

3. My first contact
   • 3 years ago
   • Great student of mine, used Docker to ship things
   • “Funky” setup of 3 services
   • Didn’t listen, didn’t get it

4. My second contact
   • Blog post about how Docker breaks everything in production use
   • Backwards compatibility is really a thing!
   • Spoiler: posted an update half a year later
   • Read them here

5. What is Docker?
   • A way to publish & run applications
   • Often used for web apps, but can be anything
   • Run it, kill it, no persistence by design
   Fast-paced software development:
   • Part of CI/CD: continuous integration & delivery
   • Commit, build, ship
   • Canary testing
   • Software used: Jenkins, git(lab), and more

6. What is Docker?
   “Alternatives” == predecessors:
   • chroot (1982)
   • vserver (2001)
   • OpenVZ (2005)
   • KVM (2007)
   • LXC (2008)
   • Borg, then lmctfy by Google (2013)
   • Docker (2013)

7. What is Docker?
   Mostly:
   • Collection of tools for containers
   • Freemium business model
   • Docker Hub as registry for images
   Docker, Inc.:
   • Unicorn company
   • Next big thing since blockchains

8. Where is Docker?
   Local:
   • Easy as sudo apt-get install docker-ce
   Cloud providers:
   • Azure Container Service (ACS)
   • Amazon Elastic Container Service (ECS)
   • Google Cloud Platform
   • OpenShift & CoreOS by Red Hat
   • …

9. What is Docker?
   “Alternatives” == successors?
   • rkt by CoreOS
   • runc by the Open Container Initiative (OCI)
   • Container Linux, based on ChromeOS
   • CoreOS Tectonic
   • containerd by Docker (the runtime daemon that sits between dockerd and runc; ctr is its CLI), Moby, …
   • Clear Containers aka Kata Containers, by Intel

10. What is Docker?
    Things get worse in the probable future:
    • snaps by Canonical
    • Windows Server Containers && Hyper-V isolation
    • SGX enclave execution
    • …

11. Docker Who?
    • It all starts with docker build
    • Downloads the base image
    • Copies stuff into the container
    • Executes stuff in the container
    • Exposes stuff over the network
    • Done! Or:
      $ docker run --name some-nginx -v /some/content:/usr/share/nginx/html:ro -d nginx

12. What is Docker?
    Design goals:
    • Quick: can spawn much quicker than VMs
    • Lightweight: roughly 10 MB for a basic container
    • Space-efficient: using overlayfs
    • Non-persistent: containers die, and all is gone (by default)
    • Easily scalable: run with a load balancer
    • Secure: of course, why not!?

13. What is Docker?
    Security:
    • Docker uses namespaces and cgroups: good stuff!
    • Namespaces control what a process can see.
    • cgroups control what a process can use.
    • Isolation enforced by the kernel
    Additionally:
    • Limited capabilities!
    • “Sandbox-ish”

14. What is Docker?
    Capabilities:
    • Old concept of the Linux kernel (since 2.2)
    • Ease the pain of binary root/non-root permissions: root’s powers split into pieces that can be granted or dropped individually
    • Docker is secure “for the 99%”

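What “limited capabilities” means in practice can be read straight out of /proc: the CapEff line of a process status file is a bitmask over the kernel’s capability numbers. The following is an added example, not code from the talk. It decodes such a mask into names and reports what a process holds beyond the 14 capabilities an unprivileged docker run keeps by default. The name table follows the kernel’s numbering in include/uapi/linux/capability.h, the default set is Docker’s documented default, and the masks used in the test are constructed (a80425fb is the mask a default container shows).

```python
"""Decode a Linux capability mask (CapEff from /proc/<pid>/status) and
compare it with Docker's default capability set.  Added example, not
from the talk."""
import sys

# Capability names indexed by capability number, as numbered in the
# kernel's include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities a plain `docker run` keeps by default; everything
# else is dropped unless explicitly --cap-add'ed (or --privileged).
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE",
    "CAP_SETFCAP",
})


def decode_caps(mask_hex):
    """Turn a mask such as '00000000a80425fb' into a frozenset of names.
    Bits newer than the local table (future kernels) become CAP_<n>."""
    mask = int(mask_hex, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return frozenset(names)


def caps_beyond_docker_default(mask_hex):
    """Sorted names present in the mask that an unprivileged Docker
    container would not have: these are the ones worth asking about."""
    return sorted(decode_caps(mask_hex) - DOCKER_DEFAULT_CAPS)


def effective_caps_of(pid="self"):
    """Read the CapEff mask of a process from /proc (Linux only)."""
    with open("/proc/%s/status" % pid) as status:
        for line in status:
            if line.startswith("CapEff:"):
                return line.split()[1]
    raise RuntimeError("no CapEff line in /proc status: not Linux?")


if __name__ == "__main__":
    mask = sys.argv[1] if len(sys.argv) > 1 else effective_caps_of()
    caps = decode_caps(mask)
    print("CapEff %s -> %d capabilities" % (mask, len(caps)))
    for name in sorted(caps):
        extra = "" if name in DOCKER_DEFAULT_CAPS else "   <- beyond Docker default"
        print("  %s%s" % (name, extra))
```

Run inside a container (for example `docker run --rm -v "$PWD":/w python:3 python /w/caps.py`, caps.py being whatever you saved the block as) it lists the 14 defaults; with --privileged it lists every capability the kernel knows, with --cap-drop ALL the list is empty. That difference is what the “sandbox-ish” line above amounts to, and the “beyond Docker default” marker is the first thing to look at when reviewing someone else’s run command.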
15. What is Docker?
    Security downsides:
    • Daemon runs as root!
    • Docker permission is like root: access to the daemon socket (the docker group) is equivalent to root on the host
    • Separation not enforced by hardware (as in VMs)
    • One kernel exploit to rule them all
    • Not helping against Meltdown & Spectre

16. What is Docker?
    Escaping containers is rather hard
    • Just 19 CVE numbers, 2014-2019: https://www.cvedetails.com/vendor/13534/Docker.html
    “Security non-events”:
    • By default many mitigated vulns: https://docs.docker.com/engine/security/non-events/

17. What is NOT Docker?
    Example: SubgraphOS
    • Hardened kernel with grsec/PaX
    • oz sandboxes
    • Application firewall
    • All on top of Tor Browser
    But:
    • Micah Lee is not happy
    • Nautilus is not sandboxed, .desktop files nuke it from orbit
    • Qubes for example uses Xen, not Docker

18. Secure the base system
    Docker does not harden the base system for you!!!
    Usual stuff applies:
    • ssh with pubkey auth, possibly TOTP or U2F/GPG
    • Secure passwords, user management, sudo, …
    • Firewall
    • Patch early, patch often

19. Secure the base system
    Really: patch early, patch often!
    • Especially the kernel (= reboots)
    • Apply microcode updates (Spectre/Meltdown)?
    Advanced base system security:
    • Runtime hardening: AppArmor, SELinux, …
    • Kernel hardening: PaX, grsecurity!
    • CoreOS == minimal ChromeOS!
    • Allows TPM & dm-verity for verified boot (the root filesystem is integrity-checked at boot)

20. Small, fictional example
    • Make a platform for running apps, in containers
    • Devs upload Docker images
    • Much like any commercial Docker hosting platform

21. Only use official containers
    • 3,800 official, 350k community images
    • Take-away: better not to use community images
    • Or: run your own registry, keep images up to date (€€)

22. Data Encryption
    Imagine a world where everything is encrypted:
    • Encrypt data at rest
    • Database(s)
    • User management
    • API & authentication
    • Communication
    • …

23. Communication Encryption
    • TLS-only, 1.2+, for everything
    • API is key
    • Kubernetes and Docker Swarm can do this
    • Devil is in the details

24. Encrypting Data at Rest
    Encrypting data at rest:
    • Spoiler: no optimal solution available!
    • Encrypted file system (OPAL, BitLocker, LUKS): protects only against offline, physical access
    • Encrypted database on shards: might do it?
    • Encryption in the DB: not in PostgreSQL, only others & $$$
    • Encryption in the application: tricky, but can work. Costs DB features (no indexing or searching on encrypted columns) and performance!

25. Data Encryption
    Commercial solutions:
    • MongoDB Enterprise: Encrypted Storage Engine
    • SQL Server: Transparent Data Encryption (TDE)
    • Oracle 12c: TDE
    • MySQL Enterprise: TDE
    • SQLite: Encryption Extension
    • …

26. Data Encryption
    Choices for encrypting the PostgreSQL data store:
    1. Ext4 encryption!
       • Used by Android
       • One folder per datastore
       • e4crypt + Docker secrets
       • Then (maybe?) using pg_tablespaces
    Alternatives:
    1. LUKS + dm-crypt
    2. Application layer

27. Data Encryption
    Out-of-band encryption:
    • Use GlusterFS
    • Encrypt shards
    • Maybe the way to go?
    • Fewest drawbacks
    Source: https://gluster.org

28. (Funky) Data Encryption
    TLS 1.2+:
    • Go funky with the SSL library: Google’s BoringSSL? Amazon’s s2n? OpenSSL 1.1.1 for TLS 1.3?
    • Perfect forward secrecy?
    • Certificate pinning? CAA entry?
    • HSTS? HSTS preloading?
    • Server (&& client certificate) checking
    • Docker EE does client certificates & automatic rotation

29. Other Security Features
    Rate limiting:
    • All (API) interfaces should employ rate limiting
    • Prevention of e.g. brute-force attacks
    • Logging of “normal” usage (the baseline to compare against)

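Rate limiting as the slide describes it, as an added example that is not the author’s code: a sliding-window limiter keyed per source IP and per account, so that neither one attacker hammering one account nor a distributed attacker spraying one account from many addresses gets unlimited guesses. The clock is passed in by the caller, which keeps the behaviour deterministic and testable. The login-attempt stream it replays (SAMPLE_ATTEMPTS) is constructed; the limits in LoginGuard are illustrative defaults, not values from the talk.

```python
"""Sliding-window rate limiting for login attempts, keyed per IP and
per account.  Added example, not from the talk."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.
    Timestamps come from the caller, so no sleeping in tests."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)      # key -> timestamps in window

    def allow(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key, now):
        """Seconds until the oldest event in the window expires; 0 if not limited."""
        q = self._events[key]
        if len(q) < self.limit:
            return 0
        return max(0, q[0] + self.window - now)


class LoginGuard:
    """Combine a per-IP and a per-account limiter.  Limits are illustrative:
    20 attempts/minute per IP, 5 attempts per 5 minutes per account."""

    def __init__(self, per_ip=(20, 60), per_account=(5, 300)):
        self.ip = SlidingWindowLimiter(*per_ip)
        self.account = SlidingWindowLimiter(*per_account)

    def check(self, ip, account, now):
        # Evaluate both limiters so the attempt is counted in each bucket
        # even when the other one already rejects it.
        ip_ok = self.ip.allow(ip, now)
        account_ok = self.account.allow(account, now)
        return ip_ok and account_ok


def replay(attempts, guard=None):
    """Run (t, ip, account) tuples through a guard and return, per IP,
    a tuple (allowed, blocked)."""
    guard = guard or LoginGuard()
    stats = defaultdict(lambda: [0, 0])
    for t, ip, account in attempts:
        stats[ip][0 if guard.check(ip, account, t) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed sample: one attacker guessing "admin" once a second for a
# minute, one legitimate user logging in three times over five minutes.
SAMPLE_ATTEMPTS = sorted(
    [(t, "198.51.100.9", "admin") for t in range(60)]
    + [(t, "203.0.113.7", "alice") for t in (2, 120, 290)]
)

if __name__ == "__main__":
    for ip, (allowed, blocked) in sorted(replay(SAMPLE_ATTEMPTS).items()):
        print("%-14s allowed=%2d blocked=%2d" % (ip, allowed, blocked))
```

The attacker gets five guesses and is then refused for the rest of the minute, while the legitimate user is never touched; retry_after gives the value to put in a Retry-After header. In a dockerized platform this belongs in the API gateway or reverse proxy in front of the containers, and the rejected attempts are exactly the events the central logging of the next slide should receive.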
30. Other Security Features
    Central logging:
    • Some form of outlier detection?
    • Prometheus.io?
    • Syscall monitoring?
    • Further restriction of capabilities?
    • PaX/grsecurity
    Incident response:
    • Playbooks & detailed post-mortems

31. Increase Application Security
    No way to ensure security in external code!
    • SQLi, XSS, command injection, …
    Ideas:
    • Secure templates / tutorials
    • Bug bounties

32. Epic List of No-Can-Go!
    • Detect and prevent execution of --privileged containers
    • Detect and prevent the host driver for network connectivity (--net=host)
    • Detect and prevent -v of the Docker control socket (/var/run/docker.sock) into containers
    • Remote login disabled
    However:
    • Will not work!
    • Always ways to drop a shell

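A script that checks running containers against this no-go list, as an added example that is not part of the talk: it reads `docker inspect` JSON and flags --privileged, host networking, a host PID namespace, added capabilities, and bind mounts of the Docker control socket or other sensitive host paths, so it covers a little more than the slide’s three items. The two containers in SAMPLE_INSPECT are constructed, but the field names (HostConfig.Privileged, NetworkMode, PidMode, CapAdd, Binds, Mounts) are the ones docker inspect emits.

```python
"""Audit `docker inspect` output for the no-go list.  Added example,
not from the talk."""
import json
import sys

# Constructed sample: a sane nginx container and a CI runner that does
# everything the slide says not to do.  Trimmed to the fields we check.
SAMPLE_INSPECT = json.loads(r'''[
 {"Id": "4f2a9c0e1b77", "Name": "/web",
  "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                 "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                 "CapAdd": null, "CapDrop": ["ALL"]},
  "Mounts": [{"Type": "bind", "Source": "/srv/www",
              "Destination": "/usr/share/nginx/html", "RW": false}]},
 {"Id": "9d83b1e5c2a0", "Name": "/ci-runner",
  "HostConfig": {"Privileged": true, "NetworkMode": "host", "PidMode": "host",
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                 "CapAdd": ["SYS_ADMIN"], "CapDrop": null},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]}
]''')

# Host paths that must never be bind-mounted into an untrusted container:
# the control socket is root on the host, the rest expose the host's
# kernel interfaces or root filesystem.  Matched exactly or as a prefix.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock",
                        "/", "/proc", "/sys", "/dev", "/etc", "/root", "/boot")


def _under(path, root):
    if root == "/":                       # only a mount of / itself counts
        return path == "/"
    return path == root or path.startswith(root + "/")


def bind_sources(container):
    """Host-side sources of all bind mounts, from Mounts and, for older
    daemons, HostConfig.Binds (named volumes have no leading slash)."""
    sources = set()
    for m in container.get("Mounts") or []:
        if m.get("Type", "bind") == "bind" and m.get("Source"):
            sources.add(m["Source"])
    for b in (container.get("HostConfig") or {}).get("Binds") or []:
        src = b.split(":")[0]
        if src.startswith("/"):
            sources.add(src)
    return sorted(sources)


def audit_container(container):
    """Return the list of findings; an empty list means nothing on the list."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("NetworkMode") == "host":
        findings.append("host network")
    if hc.get("PidMode") == "host":
        findings.append("host pid namespace")
    for cap in hc.get("CapAdd") or []:
        findings.append("cap-add %s" % cap)
    for src in bind_sources(container):
        if any(_under(src, root) for root in SENSITIVE_HOST_PATHS):
            findings.append("bind mount of %s" % src)
    return findings


def audit(inspect_output):
    """Map container name (without the leading slash) to its findings."""
    return {c.get("Name", c.get("Id", "?")).lstrip("/"): audit_container(c)
            for c in inspect_output}


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    bad = 0
    for name, findings in sorted(audit(data).items()):
        bad += bool(findings)
        print("%s %-12s %s" % ("BAD" if findings else "OK ", name, ", ".join(findings)))
    sys.exit(1 if bad else 0)
```

Feed it the real thing with `docker inspect $(docker ps -q) | python3 nogo_audit.py` (any file name will do); the exit status is 1 when anything was found, so it can fail a cron job or CI step. As the slide says, this is detection after the fact: whoever can pass these flags to the daemon is already root on the host, so prevention means not handing out the socket in the first place, or putting an authorization plugin in front of it.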
33. Static Image Analysis
    Clair: https://github.com/coreos/clair
    • Static analysis for known vulnerabilities (CVEs, mostly)
    • Only against packages in images (what the OS package database lists)
    • Does not check things installed at container runtime, e.g. apt-get install after start, or outside the package manager
    • Does not check if a package is used in any way

34. Static Image Analysis
    • Docker Datacenter edition has Clair built in ($$)
    • Docker Bench for Security: https://github.com/docker/docker-bench-security
    Plenty of other tools are out there:
    • Peekr
    • Twistlock
    • Atomic Scan
    • …

35. Dynamic Image Analysis
    • Watch the network
      • Between containers
      • With the internet
    • Watch the syscalls
    • Better watch everything?

36. Summary
    • Docker is reasonably secure by default
    • There are {easy|medium|hard} steps for increasing security
    • Depends on your actual use case
    • Nothing is as easy as docker build