containers
• Applications run multiple microservices, each with its own container
• Each container has its full complement of packages and dependencies
is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.”
66.6% of analyzed images on Quay.io
Coincidence? I think not!
do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.”
80% of analyzed images on Quay.io
(Original photo CC by Ian Kluft)
of time and cost
Solution:
• Do not run any of these containers
• Extract required knowledge from their static content
• Analyze only once, for known and future vulnerabilities
How do we analyze the containers?
the:
• Operating system
  ◦ /etc/.*-release, /etc/apt/sources.list, ...
• Package list
  ◦ /var/lib/dpkg/status, /var/lib/rpm/Packages
And store an improved diff!
• Metadata (id, parent id, command, environment, …)
• Filesystem diff (which files have been added/modified/removed)
  + Operating system
  + Package list diff (which packages have been installed/upgraded/removed)
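The per-layer analysis described above, as an added example written for this page (it is not Clair's own code): it assumes the two files have already been read out of the layer tarball and are handed in as strings, covers only the /etc/os-release member of the /etc/*-release family, and reads the dpkg status format (the rpm Packages database is a Berkeley DB file and needs a different reader). The layer contents are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is one installed package as recorded in /var/lib/dpkg/status.
type Package struct{ Name, Version string }

// DetectOS reads ID and VERSION_ID from /etc/os-release style content
// (KEY=value lines, values optionally double-quoted).
func DetectOS(osRelease string) (id, version string) {
	for _, line := range strings.Split(osRelease, "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			v := strings.Trim(kv[1], `"`)
			if kv[0] == "ID" {
				id = v
			} else if kv[0] == "VERSION_ID" {
				version = v
			}
		}
	}
	return id, version
}

// ParseDpkgStatus walks the blank-line separated stanzas of a dpkg status
// database. Only "install ok installed" entries count: a removed package whose
// config files were kept still has a stanza ("deinstall ok config-files").
func ParseDpkgStatus(status string) map[string]Package {
	pkgs := map[string]Package{}
	fields := map[string]string{}
	flush := func() {
		if fields["Package"] != "" && fields["Status"] == "install ok installed" {
			pkgs[fields["Package"]] = Package{fields["Package"], fields["Version"]}
		}
		fields = map[string]string{}
	}
	for _, line := range strings.Split(status, "\n") {
		if line == "" {
			flush() // blank line ends the stanza
		} else if kv := strings.SplitN(line, ":", 2); len(kv) == 2 && line[0] != ' ' {
			fields[kv[0]] = strings.TrimSpace(kv[1]) // indented lines only continue a field
		}
	}
	flush()
	return pkgs
}

// PackageDiff is what one layer changed relative to its parent; Upgraded
// carries the child's (new) version.
type PackageDiff struct{ Installed, Upgraded, Removed []Package }

// DiffPackages computes the per-layer diff that gets stored instead of a full package list.
func DiffPackages(parent, child map[string]Package) PackageDiff {
	var d PackageDiff
	for name, c := range child {
		if p, ok := parent[name]; !ok {
			d.Installed = append(d.Installed, c)
		} else if p.Version != c.Version {
			d.Upgraded = append(d.Upgraded, c)
		}
	}
	for name, p := range parent {
		if _, ok := child[name]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	return d
}

// Constructed sample input (not from any real image): a parent layer and a
// child layer that upgraded libc6, installed curl and removed vim-tiny.
const sampleOSRelease = "ID=debian\nVERSION_ID=\"8\"\n"

const parentStatus = `Package: libc6
Status: install ok installed
Version: 2.19-18

Package: vim-tiny
Status: install ok installed
Version: 2:7.4.488-7
`

const childStatus = `Package: libc6
Status: install ok installed
Version: 2.19-18+deb8u1

Package: curl
Status: install ok installed
Version: 7.38.0-4

Package: vim-tiny
Status: deinstall ok config-files
Version: 2:7.4.488-7
`

func main() {
	id, ver := DetectOS(sampleOSRelease)
	d := DiffPackages(ParseDpkgStatus(parentStatus), ParseDpkgStatus(childStatus))
	fmt.Printf("%s %s: +%v ^%v -%v\n", id, ver, d.Installed, d.Upgraded, d.Removed)
}
```

The Status filter is the part that matters for accuracy: a layer that runs `apt-get remove` without `--purge` leaves the package's stanza in place, so counting every stanza would report packages whose binaries are no longer in the image.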
vulnerability trackers
  ◦ Ubuntu CVE Tracker launchpad.net/ubuntu-cve-tracker/
  ◦ Debian Security Bug Tracker security-tracker.debian.org/tracker/
  ◦ Red Hat Errata rhn.redhat.com/errata/
• Each source has its own format, and its own parser
• Accurate because each distro knows exactly when they fix a vulnerability
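Whatever the tracker format, each parser boils down to one fact per package and release: the version in which the fix shipped. The check that turns that fact into an accurate result is a real dpkg version comparison rather than string equality, so epochs, the `~` that sorts before everything, and numeric digit runs all behave as dpkg itself would. The block below is an added example, not code from the page or from Clair: a Go re-implementation of dpkg's comparison algorithm plus the resulting affected/not-affected decision. The package versions in the sample are constructed, not copied from any advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// orderAt ranks byte i of s as dpkg does: '~' sorts before the end of the
// string, letters before other symbols; past the end and digits rank 0.
func orderAt(s string, i int) int {
	if i >= len(s) || isDigit(s[i]) {
		return 0
	}
	switch c := s[i]; {
	case c == '~':
		return -1
	case c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z':
		return int(c)
	default:
		return int(c) + 256
	}
}

// digitRun returns the digit run at s[i] without leading zeros and the index after it.
func digitRun(s string, i int) (string, int) {
	start := i
	for i < len(s) && isDigit(s[i]) {
		i++
	}
	return strings.TrimLeft(s[start:i], "0"), i
}

// verrevcmp compares an upstream or revision string as alternating runs of
// non-digits (ranked by orderAt) and digits (compared numerically).
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := orderAt(a, i) - orderAt(b, j); d != 0 {
				return d
			}
			i, j = i+1, j+1
		}
		var da, db string
		da, i = digitRun(a, i)
		db, j = digitRun(b, j)
		if len(da) != len(db) { // more significant digits means a larger number
			return len(da) - len(db)
		}
		if d := strings.Compare(da, db); d != 0 {
			return d
		}
	}
	return 0
}

// splitVersion breaks "[epoch:]upstream[-revision]" into its parts.
func splitVersion(v string) (epoch int, upstream, revision string) {
	if i := strings.Index(v, ":"); i >= 0 {
		epoch, _ = strconv.Atoi(v[:i])
		v = v[i+1:]
	}
	if i := strings.LastIndex(v, "-"); i >= 0 {
		v, revision = v[:i], v[i+1:]
	}
	return epoch, v, revision
}

// CompareVersions orders two dpkg versions: negative if a < b, zero if equal,
// positive if a > b. Epoch wins, then upstream, then the Debian revision.
func CompareVersions(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	if ea != eb {
		return ea - eb
	}
	if d := verrevcmp(ua, ub); d != 0 {
		return d
	}
	return verrevcmp(ra, rb)
}

// Vulnerable reports whether installed is hit by an advisory whose fix first
// shipped in fixed; an empty fixed means the tracker lists no fix yet.
func Vulnerable(installed, fixed string) bool {
	return fixed == "" || CompareVersions(installed, fixed) < 0
}

// Constructed sample (not copied from any tracker): made-up fixed and installed
// versions for the two bugs quoted on the page, keyed by source package.
var fixedIn = map[string]string{"eglibc": "2.13-38+deb7u7", "openssl": "1.0.1e-2+deb7u5"}
var installed = map[string]string{"eglibc": "2.13-38+deb7u6", "openssl": "1.0.1e-2+deb7u5"}

func main() {
	for pkg, v := range installed {
		fmt.Printf("%-8s %-16s vulnerable: %v\n", pkg, v, Vulnerable(v, fixedIn[pkg]))
	}
}
```

This comparator is only right for Debian and Ubuntu data; rpm-based distributions order versions with rpm's own algorithm, so the Red Hat parser needs a matching rpm comparator rather than this one.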
4100 High / Critical vulnerabilities

    // Priority is a string type; this declaration is added here for completeness,
    // as implied by the constants below.
    type Priority string

    const (
        [...]
        // High vulnerability is a real problem, exploitable for many people
        // in a default installation. Includes serious remote denial of
        // services, local root privilege escalations, or data loss.
        High Priority = "High"
        // Critical vulnerability is a world-burning problem, exploitable for
        // nearly all people in a default installation of Linux. Includes
        // remote root privilege escalations, or massive data loss.
        Critical Priority = "Critical"
    )

What about the vulnerabilities?