Clair: A container image security analyzer

Transcript

1. Clair: A Container Image Security Analyzer Josh Wood DocOps at

   CoreOS @joshixisjosh9
2. None

3. We’re hiring in all departments! Email: [email protected] Positions: coreos.com/ careers

   90+ Projects on GitHub, 1,000+ Contributors OPEN SOURCE CoreOS.com - @coreoslinux - github/coreos Secure solutions, support plans, training + more ENTERPRISE [email protected] - tectonic.com - quay.io CoreOS Runs the World’s Containers

4. The smartest way to run your container infrastructure. tectonic.com @tectonic

5. Build, Store and Distribute your Containers quay.io

6. None

7. Clair - A container image security analyzer - Not heuristic

   AV - Based on distro, package, container layer - REST HTTP API - Open source - Apache License - Base of Quay container image analysis features

8. Insecurities • Security vulnerabilities today affect an increasing number of

   systems Source: https://www.cvedetails.com/browse-by-date.php

9. Security before containers Operating System Package Manager Package A Package

   B Package C Application Code

10. Security before containers Operating System Package Manager Package A Package

    B Package C Application Code Developers Ops

11. Containers and Security • Applications today are being moved into

    containers • Applications run multiple microservices, each with its own container • Each container has its full compliment of packages and dependencies

12. Containers and Security Operating System Container Runtime Container Container Container

    Container Container Developers Ops

13. Containers and Security Operating System Package Manager Package A Package

    B Package C Microservice code Container Runtime Package Manager Package A Package D Package C Microservice code

14. Vulnerabilities inside container images How common is it really?

15. ORIGINAL PHOTO (CC) BY IAN KLUFT CVE-2015-0235 aka GHOST “GHOST

    is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.”

16. ORIGINAL PHOTO (CC) BY IAN KLUFT CVE-2015-0235 aka GHOST “GHOST

    is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.” 66.6 % of analyzed images on Quay.io Coincidence? I think not !

17. CVE-2014-0160 aka Heartbleed “The TLS and DTLS implementations in OpenSSL

    do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.” ORIGINAL PHOTO (CC) BY IAN KLUFT

18. CVE-2014-0160 aka Heartbleed “The TLS and DTLS implementations in OpenSSL

    do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.” ORIGINAL PHOTO (CC) BY IAN KLUFT 80 % of analyzed images on Quay.io

19. Why are these vulnerabilities so common?

20. Most containers built on same base layers

21. Most containers built on same base layers

22. How do we make this better for developers?

23. Automated detection of vulnerabilities • Check every new image pushed

    to Quay.io for vulnerabilities • Check every existing image against new or updated vulnerabilities • Notify developers when an image is vulnerable

24. Goal: • Analyze millions of containers in a minimum amount

    of time and cost How do we analyze the containers ?

25. Goal: • Analyze millions of containers in a minimum amount

    of time and cost Solution: • Do not run any of these containers • Extract required knowledge from their static content • Analyze only once, for known and future vulnerabilities How do we analyze the containers ?

26. 1. MAINTAINER Quentin Machu <[email protected]> 2. FROM ubuntu:trusty 3. RUN

    apt−get update && apt−get upgrade −y 4. EXPOSE 22 5. CMD ["/usr/sbin/sshd", "-D"] What is a container image ? Container Layer • Metadata (id, parent id, command, environment, …) • Filesystem diff (which files have been added/modified/removed)

27. What is extracted exactly ? For each container layer, find

    the: • Operating system ◦ /etc/.*-release, /etc/apt/sources.list, ... • Package list ◦ /var/lib/dpkg/status, /var/lib/rpm/Packages

28. What is extracted exactly ? For each container layer, find

    the: • Operating system ◦ /etc/.*-release, /etc/apt/sources.list, ... • Package list ◦ /var/lib/dpkg/status, /var/lib/rpm/Packages And store an improved diff ! • Metadata (id, parent id, command, environment, …) • Filesystem diff (which files have been added/modified/removed) + Operating system + Package list diff (which packages have been installed/upgraded/removed)
29. None

30. 1. MAINTAINER Quentin Machu <[email protected]>

31. 1. MAINTAINER Quentin Machu <[email protected]>

32. 2. FROM ubuntu:trusty

33. 2. FROM ubuntu:trusty

34. 2. FROM ubuntu:trusty

35. 2. FROM ubuntu:trusty

36. 3. RUN apt-get update && apt-get upgrade -y

37. 3. RUN apt-get update && apt-get upgrade -y

38. 3. RUN apt-get update && apt-get upgrade -y

39. 4. EXPOSE 22

40. 5. CMD [“/usr/sbin/sshd”, “-D”]

41. None
42. None

43. What about the vulnerabilities ? • Periodically update from distro-specific

    vulnerability trackers ◦ Ubuntu CVE Tracker launchpad.net/ubuntu-cve-tracker/ ◦ Debian Security Bug Tracker security-tracker.debian.org/tracker/ ◦ Red Hat Errata rhn.redhat.com/errata/ • Each source has its own format, and its own parser • Accurate because each distro knows exactly when they fix a vulnerability

44. 16 500 vulnerabilities - fixed by 92 000 package versions

    4100 High / Critical vulnerabilities const ( [...] // High vulnerability is a real problem, exploitable for many people // in a default installation. Includes serious remote denial of // services, local root privilege escalations, or data loss. High Priority = "High" // Critical vulnerability is a world-burning problem, exploitable for // nearly all people in a default installation of Linux. Includes // remote root privilege escalations, or massive data loss. Critical Priority = "Critical" ) What about the vulnerabilities ?
45. None
46. None
47. None
48. None
49. None
50. None
51. None
52. None
53. None
54. None
55. None
56. None
57. None
58. None
59. None
60. None
61. None
62. None
63. None

64. coreos.com/fest - @coreosfest May 9 & 10, 2016 - Berlin,

    Germany and San Francisco satellite!

65. See also: • quay.io • github.com/coreos/clair • github.com/coreos/clair#kubernetes

66. Thank you! Josh Wood @joshixisjosh9 | [email protected] | github.com/joshix We’re

    hiring in all departments! Email: [email protected] Positions: coreos.com/ careers