Clair: A container image security analyzer

Wercker meetup, Rackspace Geekdom SF: http://www.meetup.com/wercker/events/229673565/

Josh Wood

April 07, 2016
Transcript

  1. We're hiring in all departments! Email: [email protected] Positions: coreos.com/careers
     OPEN SOURCE: 90+ Projects on GitHub, 1,000+ Contributors. CoreOS.com - @coreoslinux - github/coreos
     ENTERPRISE: Secure solutions, support plans, training + more. [email protected] - tectonic.com - quay.io
     CoreOS Runs the World's Containers
  2. Clair - A container image security analyzer
     - Not heuristic AV
     - Based on distro, package, container layer
     - REST HTTP API
     - Open source - Apache License
     - Base of Quay container image analysis features
  3. Insecurities
     • Security vulnerabilities today affect an increasing number of systems
     (chart of CVEs by year; source: https://www.cvedetails.com/browse-by-date.php)
  4. Containers and Security
     • Applications today are being moved into containers
     • Applications run multiple microservices, each with its own container
     • Each container has its full complement of packages and dependencies
  5. Containers and Security
     (diagram: Operating System -> Package Manager -> Package A, Package B, Package C -> Microservice code;
     Container Runtime -> Package Manager -> Package A, Package D, Package C -> Microservice code)
  6. CVE-2015-0235 aka GHOST
     "GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code."
     (Original photo (CC) by Ian Kluft)
  7. CVE-2015-0235 aka GHOST (same slide, build step)
     66.6% of analyzed images on Quay.io
     Coincidence? I think not!
  8. CVE-2014-0160 aka Heartbleed
     "The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read."
     (Original photo (CC) by Ian Kluft)
  9. CVE-2014-0160 aka Heartbleed (same slide, build step)
     80% of analyzed images on Quay.io
  10. Automated detection of vulnerabilities
      • Check every new image pushed to Quay.io for vulnerabilities
      • Check every existing image against new or updated vulnerabilities
      • Notify developers when an image is vulnerable
  11. Goal:
      • Analyze millions of containers in a minimum amount of time and cost
      How do we analyze the containers?
  12. Goal: (same slide, build step)
      Solution:
      • Do not run any of these containers
      • Extract required knowledge from their static content
      • Analyze only once, for known and future vulnerabilities
  13. What is a container image?

          MAINTAINER Quentin Machu <[email protected]>
          FROM ubuntu:trusty
          RUN apt-get update && apt-get upgrade -y
          EXPOSE 22
          CMD ["/usr/sbin/sshd", "-D"]

      Container Layer
      • Metadata (id, parent id, command, environment, ...)
      • Filesystem diff (which files have been added/modified/removed)
  14. What is extracted exactly?
      For each container layer, find the:
      • Operating system
        ◦ /etc/.*-release, /etc/apt/sources.list, ...
      • Package list
        ◦ /var/lib/dpkg/status, /var/lib/rpm/Packages
  15. What is extracted exactly? (same slide, build step)
      And store an improved diff!
      • Metadata (id, parent id, command, environment, ...)
      • Filesystem diff (which files have been added/modified/removed)
      + Operating system
      + Package list diff (which packages have been installed/upgraded/removed)
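As an added illustration of the extraction step on slides 14 and 15 (example code written for this page, not Clair's own implementation): a small Go program that parses constructed /var/lib/dpkg/status text for a parent layer and its child layer, then derives the installed/upgraded/removed package diff the slide describes. The package names, versions and file contents are assumptions; note that dpkg keeps a "deinstall ok config-files" entry for a removed package, which the parser must treat as absent.

```go
package main
import "fmt"
import "strings"

// ParseDpkgStatus maps package name -> version from /var/lib/dpkg/status text.
// Entries whose Status is not "... installed" (e.g. "deinstall ok config-files") are skipped.
func ParseDpkgStatus(status string) map[string]string {
	pkgs := map[string]string{}
	name, version, installed := "", "", false
	for _, line := range strings.Split(status+"\n", "\n") {
		switch {
		case strings.HasPrefix(line, "Package: "):
			name = strings.TrimPrefix(line, "Package: ")
		case strings.HasPrefix(line, "Version: "):
			version = strings.TrimPrefix(line, "Version: ")
		case strings.HasPrefix(line, "Status: "):
			installed = strings.HasSuffix(line, " installed")
		case line == "": // blank line closes a paragraph: commit the entry
			if installed && name != "" && version != "" {
				pkgs[name] = version
			}
			name, version, installed = "", "", false
		}
	}
	return pkgs
}
// DiffPackages: a name only in child is installed, same name with a different version is upgraded, a name only in parent is removed.
func DiffPackages(parent, child map[string]string) (installed, upgraded, removed map[string]string) {
	installed, upgraded, removed = map[string]string{}, map[string]string{}, map[string]string{}
	for name, v := range child {
		if pv, ok := parent[name]; !ok {
			installed[name] = v
		} else if pv != v {
			upgraded[name] = v
		}
	}
	for name, v := range parent {
		if _, ok := child[name]; !ok {
			removed[name] = v
		}
	}
	return
}
// Constructed sample status files (assumed versions): the base layer, then the layer after
// "apt-get upgrade" bumped libc6, sshd was installed and nano was removed (config-files entry lingers).
const parentStatus = "Package: libc6\nStatus: install ok installed\nVersion: 2.19-0ubuntu6.5\n\nPackage: bash\nStatus: install ok installed\nVersion: 4.3-7ubuntu1.5\n\nPackage: nano\nStatus: install ok installed\nVersion: 2.2.6-1ubuntu1\n"
const childStatus = "Package: libc6\nStatus: install ok installed\nVersion: 2.19-0ubuntu6.6\n\nPackage: bash\nStatus: install ok installed\nVersion: 4.3-7ubuntu1.5\n\nPackage: nano\nStatus: deinstall ok config-files\nVersion: 2.2.6-1ubuntu1\n\nPackage: openssh-server\nStatus: install ok installed\nVersion: 1:6.6p1-2ubuntu2.6\n"
func main() {
	inst, up, rm := DiffPackages(ParseDpkgStatus(parentStatus), ParseDpkgStatus(childStatus))
	fmt.Println("installed:", inst, "upgraded:", up, "removed:", rm)
}
```

The same diff, keyed by distro and package version, is what a scanner then matches against the distro trackers' fixed-version data without ever running the container.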
  16. What about the vulnerabilities?
      • Periodically update from distro-specific vulnerability trackers
        ◦ Ubuntu CVE Tracker: launchpad.net/ubuntu-cve-tracker/
        ◦ Debian Security Bug Tracker: security-tracker.debian.org/tracker/
        ◦ Red Hat Errata: rhn.redhat.com/errata/
      • Each source has its own format, and its own parser
      • Accurate because each distro knows exactly when they fix a vulnerability
  17. What about the vulnerabilities?
      16 500 vulnerabilities - fixed by 92 000 package versions
      4100 High / Critical vulnerabilities

          const (
              [...]
              // High vulnerability is a real problem, exploitable for many people
              // in a default installation. Includes serious remote denial of
              // services, local root privilege escalations, or data loss.
              High Priority = "High"
              // Critical vulnerability is a world-burning problem, exploitable for
              // nearly all people in a default installation of Linux. Includes
              // remote root privilege escalations, or massive data loss.
              Critical Priority = "Critical"
          )
  18. CoreOS Fest: coreos.com/fest - @coreosfest
      May 9 & 10, 2016 - Berlin, Germany and San Francisco satellite!
  19. Thank you!
      Josh Wood @joshixisjosh9 | [email protected] | github.com/joshix
      We're hiring in all departments! Email: [email protected] Positions: coreos.com/careers