Breaking and Fixing your ‘Docker’ized environments

Presented at AppSec USA 2016, Oct. 14, 2016, 3:30 p.m. (60 minutes).

This presentation extracts a few points from the CIS Docker 1.12 Benchmark, which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract:

The concept of containerization has been in Linux for ages in the form of jails, zones, LXC etc., but it is only in the last 2 years that it has gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Red Hat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Google alone spins up more than 2 billion containers per week, more than 3,300 containers per second. Inspired by Docker, Microsoft also started its container technology by extending its research project "Drawbridge". The effect of containers has already impacted the virtual machine market, and this impact is going to increase significantly in the near future.

Security is always an important issue for any upcoming technology, and Docker is no exception. This presentation starts with a brief introduction to containers vs. virtualization technology and the Docker ecosystem, and then goes deep into "Docker Security". It touches each and every component listed below in the Docker container pipeline and gives details about the ways in which they can be broken, and then the defensive measures to secure them.

Container Pipeline Components:
a) Images
b) Container Runtime
c) Host security
d) Daemon security
e) Communication security (daemon <=> client, daemon to registry etc.)
f) Registry security

Below is a brief overview of the Images and Containers components only.

1. Images
a. Image security analysis, in which I have extracted more than 50 Docker Hub images (which also include official images) and found critical vulnerabilities like Heartbleed, Shellshock, CSRF, XSS etc. in them. The presentation also provides a comprehensive security analysis of Docker Hub images, how vulnerable they are, and gives details about the alternative options available for getting secure images.
b. Protecting images
- Efficient scanning: binary level scanning, hash based comparison instead of version string matching mechanisms
- Docker Content Trust: ensures authenticity, integrity and freshness guarantees (Is this really secure to use?)
- 20 golden rules to be followed for "writing Dockerfiles and maintaining images" securely

2. Containers
a. Detailed explanation of how container isolation can be torn apart
b. Docker claims that their containers are "Secure by Default", and a popular report on Linux containers released by NCC Group states that "Docker has strong defaults". In this presentation, I will be proving that Docker defaults are vulnerable to DoS, side channel, remote exploitation etc. vulnerabilities. Besides, I will also be explaining a few other ways of exploiting Docker containers if CIS Docker Benchmark rules are not adhered to.
c. 20 golden rules to be followed for ensuring a secure container runtime

Apart from the topics mentioned above, this presentation also throws light on the tools available in the market for securing the container ecosystem, along with the pros and cons of each tool: Twistlock, Aquasec, Nautilus etc.
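The "hash based comparison instead of version string matching" point under Protecting images, shown as an added example (this is not code from the talk or from the CIS benchmark). The version-string scanner trusts whatever version banner a library embeds; the hash scanner classifies the file by the digest of its bytes against a list of known builds. The sample files below are constructed byte strings standing in for libraries in an extracted image layer, and the hash allow/deny lists are built from those constructed bytes; the only real-world fact used is that Heartbleed (CVE-2014-0160) affected upstream OpenSSL 1.0.1 through 1.0.1f, and that distributions backport the fix without changing the upstream version string.

```python
"""Version-string matching vs. hash-based binary matching for image scanning.

Added example. The "binaries" are constructed byte strings, not real OpenSSL
builds, and the hash knowledge base below is built from them.
"""
import hashlib
import re
from typing import Dict

# Heartbleed (CVE-2014-0160) affected upstream OpenSSL 1.0.1 through 1.0.1f.
HEARTBLEED_VULNERABLE = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c",
                         "1.0.1d", "1.0.1e", "1.0.1f"}

VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")

# Constructed sample files, as they might sit under an extracted image layer.
# A distro security update keeps the upstream banner ("1.0.1e") but changes the
# code, so two builds with the same version string differ in whether the fix is in.
SAMPLE_ROOTFS: Dict[str, bytes] = {
    "usr/lib/libssl.so.1.0.0":
        b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...heartbeat:unbounded-memcpy",
    "usr/lib/libssl.so.1.0.0.patched":
        b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...heartbeat:bounds-checked",
    "usr/lib/libcrypto.so.1.0.0":
        b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014...",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash knowledge base. A real scanner would load this from the distribution's
# package feed (digest of every shipped build, tagged fixed or vulnerable);
# here it is constructed from the sample bytes above.
KNOWN_VULNERABLE_HASHES = {
    sha256(SAMPLE_ROOTFS["usr/lib/libssl.so.1.0.0"]): "CVE-2014-0160",
}
KNOWN_FIXED_HASHES = {
    sha256(SAMPLE_ROOTFS["usr/lib/libssl.so.1.0.0.patched"]),
}


def scan_by_version_string(rootfs: Dict[str, bytes]) -> Dict[str, str]:
    """Flag a file if the version banner it embeds falls in the vulnerable range.

    Cannot tell a backported fix from the original: both 1.0.1e builds are flagged.
    """
    findings = {}
    for path, data in rootfs.items():
        m = VERSION_RE.search(data)
        if m and m.group(1).decode() in HEARTBLEED_VULNERABLE:
            findings[path] = "version-string match: OpenSSL " + m.group(1).decode()
    return findings


def scan_by_hash(rootfs: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each file by the digest of its bytes: vulnerable, fixed, or unknown.

    Precise for every build the knowledge base knows about; anything else comes
    back as "unknown" rather than silently passing, which is the price of
    hash matching: the database must cover every build that can appear.
    """
    findings = {}
    for path, data in rootfs.items():
        digest = sha256(data)
        if digest in KNOWN_VULNERABLE_HASHES:
            findings[path] = "vulnerable build: " + KNOWN_VULNERABLE_HASHES[digest]
        elif digest in KNOWN_FIXED_HASHES:
            findings[path] = "fixed build (backported patch)"
        else:
            findings[path] = "unknown build: no hash on record, needs manual review"
    return findings


if __name__ == "__main__":
    print("version-string scan:")
    for path, msg in scan_by_version_string(SAMPLE_ROOTFS).items():
        print(f"  {path}: {msg}")
    print("hash-based scan:")
    for path, msg in scan_by_hash(SAMPLE_ROOTFS).items():
        print(f"  {path}: {msg}")
```

Run against the constructed layer, the version-string scanner flags both libssl builds (a false positive on the patched one), while the hash scanner separates them and reports the 1.0.1g libcrypto as unknown because no digest for it was recorded; that last result is the caveat a hash-based scanner carries, its coverage is only as good as its build database.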
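The Containers point above (defaults vulnerable to DoS; exploitation when CIS Docker Benchmark rules are not adhered to), shown as an added example that is not code from the talk or from the benchmark. It audits a container's `docker inspect` document against the kinds of runtime controls the benchmark's "Container Runtime" section asks for (resource limits, dropped capabilities, read-only root, no-new-privileges, no host namespaces, no docker socket or sensitive host directories mounted, non-root user, no privileged host ports). The rule names are paraphrased and the benchmark numbering is omitted; the two inspect documents are constructed and trimmed to the fields the checks read, one for a plain `docker run -p 80:80 -v /var/run/docker.sock:/var/run/docker.sock` and one for the hardened flags given in the comment.

```python
"""Audit `docker inspect` output against CIS Docker Benchmark style runtime controls.

Added example, not from the talk or the benchmark text. Field names are the real
`docker inspect` keys; the two documents below are constructed and trimmed.
"""
import json
from typing import Dict, List

SENSITIVE_HOST_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(inspect: Dict) -> List[str]:
    """Return the list of failed runtime controls for one inspect document."""
    hc = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}
    failures: List[str] = []

    if hc.get("Privileged"):
        failures.append("privileged container")
    # PidsLimit/Memory/CpuShares of 0 mean "unlimited": a fork bomb or memory hog
    # inside the container competes with the host and every other container (DoS).
    if not hc.get("PidsLimit"):
        failures.append("no PIDs limit")
    if not hc.get("Memory"):
        failures.append("no memory limit")
    if not hc.get("CpuShares"):
        failures.append("no CPU shares set")
    if not hc.get("ReadonlyRootfs"):
        failures.append("root filesystem writable")
    if not any(o.startswith("no-new-privileges") for o in (hc.get("SecurityOpt") or [])):
        failures.append("no-new-privileges not set")
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        failures.append("capabilities not dropped (CapDrop lacks ALL)")
    if hc.get("NetworkMode") == "host":
        failures.append("shares host network namespace")
    if hc.get("PidMode") == "host":
        failures.append("shares host PID namespace")
    if hc.get("IpcMode") == "host":
        failures.append("shares host IPC namespace")
    if not cfg.get("User"):
        failures.append("runs as root (no User)")
    for bindings in (hc.get("PortBindings") or {}).values():
        for b in bindings or []:
            hp = b.get("HostPort", "")
            if hp.isdigit() and int(hp) < 1024:
                failures.append(f"maps privileged host port {hp}")
    for m in inspect.get("Mounts") or []:
        src = m.get("Source", "")
        norm = src.rstrip("/") or "/"
        if norm == DOCKER_SOCKET:
            failures.append("docker socket mounted")
        elif norm in SENSITIVE_HOST_DIRS:
            mode = "rw" if m.get("RW") else "ro"
            failures.append(f"sensitive host directory {norm} mounted ({mode})")
    return failures


# Constructed: what a plain `docker run -p 80:80 \
#   -v /var/run/docker.sock:/var/run/docker.sock image` looks like in 1.12.
DEFAULT_RUN_INSPECT = json.loads("""[{
  "Name": "/web-default",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false, "CapAdd": null, "CapDrop": null,
    "PidsLimit": 0, "Memory": 0, "CpuShares": 0, "ReadonlyRootfs": false,
    "SecurityOpt": null, "NetworkMode": "default", "PidMode": "", "IpcMode": "",
    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}
  },
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]
}]""")[0]

# Constructed: the same service started with
#   docker run --pids-limit 100 --memory 256m --cpu-shares 512 --read-only \
#     --security-opt no-new-privileges --cap-drop ALL --cap-add NET_BIND_SERVICE \
#     --user 10001:10001 -p 127.0.0.1:8080:8080 -v /srv/app/data:/data image
HARDENED_INSPECT = json.loads("""[{
  "Name": "/web-hardened",
  "Config": {"User": "10001:10001"},
  "HostConfig": {
    "Privileged": false, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
    "PidsLimit": 100, "Memory": 268435456, "CpuShares": 512, "ReadonlyRootfs": true,
    "SecurityOpt": ["no-new-privileges"], "NetworkMode": "bridge",
    "PidMode": "", "IpcMode": "",
    "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}
  },
  "Mounts": [{"Type": "bind", "Source": "/srv/app/data",
              "Destination": "/data", "RW": true}]
}]""")[0]


if __name__ == "__main__":
    for doc in (DEFAULT_RUN_INSPECT, HARDENED_INSPECT):
        fails = audit_container(doc)
        print(f"{doc['Name']}: {'PASS' if not fails else 'FAIL'}")
        for f in fails:
            print("  -", f)
```

To run it against a live host, feed the output of `docker inspect <container>` (a JSON array) through `json.load` and pass each element to `audit_container`. The default document fails every resource-limit check, which is the DoS exposure the talk refers to, and additionally exposes the daemon socket, which lets anyone inside the container start a privileged container on the host; the hardened document passes cleanly.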

Presenters:

  • Manideep Konakandla - Carnegie Mellon University
    Manideep is an author, security researcher, speaker and a J.N. Tata Scholar. He is currently a Security Researcher and Masters student in Information Security at Carnegie Mellon University, USA, and is researching "Security of containers with focus on Docker". He authored a book at the age of 21, which made him one of the youngest authors in India to write a book on hacking. He was also featured in India's largest-circulated English and Telugu newspapers, including Deccan Chronicle, The Hindu, Hans India, Vaartha, AndhraJyoti, Saakshi, Andhrabhoomi, Visaalandra etc., and was also interviewed by the HMTV news channel for his achievements in security. He holds more than a dozen certifications: ISO 27001:2013 ISMS Lead Auditor, CCNA, CEH, ECSA, JNCIP-SEC, CHFI, JNCIS-SEC, ITIL v3, etc. Manideep has also reported critical vulnerabilities in more than 100 websites and applications, including Yahoo Messenger, Jease CMS, and universities providing Masters in Information and Cyber Security (CMU, Purdue, USC, NEU, SUNY Brook, Stanford etc.), and also has 2 dozen CVE-IDs under his name. He also cracked the Sodexo MNC meal pass barcode algorithm and presented it at the NULL security conference. He was appreciated by the Deccan Chronicle newspaper for this milestone. His team recently won third prize at Microsoft's "Build the Shield" competition. Manideep has also been a speaker at more than 50 seminars and workshops on 'Ethical Hacking & Cyber Forensics' and 'Cyber Crime Eradication', including at IIT Guwahati, ISTE (Indian Society for Technical Education), CSI (Computer Society of India) and Tata Consultancy Services. He has trained more than 15,000 people in the Information Security domain, including corporate security teams, cyber cops and students. He worked as a Team Lead for the Core Security & Data Analytics module at Tata Consultancy Services for 3 years before joining Carnegie Mellon.
    He received appreciation from the Global Head of IT Security for his extraordinary performance in enhancing the organization's security posture. He also worked along with the CIO and CSO on a few investigations and cyber security exercises. Apart from his profession, he also works as a freelancer and is associated as a professional member with prestigious organizations such as OWASP, APSA, CSI, ACM etc.
