If You Give a Container a Capability: A Tale of Container Exploitation

Presented at ToorCon San Diego 20 (2018), Sept. 16, 2018, 1 p.m. (50 minutes)

This talk walks through the mechanisms used by container solutions to create an "isolated" computation environment and the weaknesses of each mechanism. It also covers a basic testing methodology that can be used when assessing a new container environment and the release of a new tool to assist in such an assessment. Containerization is often used as a replacement for virtual machines to isolate customer data and customer code due to its ease of deployment and marginal performance impact. As security consultants, we have conducted numerous security reviews of a variety of container configurations, where real companies have been using Docker to securely run untrusted customer code. While Docker is easy to get up and running, it is not always clear that certain high-level settings have low-level security implications. When configured poorly, a container running malicious code can view network traffic from the host or other co-located containers, access firewalled servers, affect the performance of other containers, or even run code on the host. In this presentation, we’ll give insight into how Docker utilizes Linux kernel security features, such as capabilities and namespaces, in order to attempt to provide container isolation. We’ll illustrate common security pitfalls in container configurations and how to exploit them. We’ll conclude with a demo of a new container auditing tool that finds common container configuration issues and presents exploits for these issues, if applicable. This tool may be leveraged by penetration testers assessing a container environment or by security engineers and developers aiming to ensure they’ve properly hardened their use of containers.
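The abstract mentions Linux capabilities as one of the kernel features Docker relies on for isolation, and a "basic testing methodology" for assessing a container environment. One of the first checks in such a methodology is simply reading which capabilities the container's processes actually hold. The script below is an added illustration of that check; it is not the auditing tool announced in the talk and is not NCC Group code. It parses the `Cap*` lines that the Linux kernel exposes in `/proc/<pid>/status` (hex masks in which bit N corresponds to capability number N from `include/uapi/linux/capability.h`), decodes them to names, and flags a review list of capabilities that commonly widen a container's reach into the host. The two status excerpts are constructed samples (the second mirrors what an all-capabilities container reports on an older kernel with 38 capabilities; the exact mask varies with kernel version), and the review list reflects my own opinion, not the talk's tool.

```python
"""Decode Linux capability sets from a /proc/<pid>/status dump and flag
capabilities that merit review in a container hardening assessment.
Added example; not the talk's tool."""
import re

# Capability numbers from include/uapi/linux/capability.h: list index == bit.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumption: the author's own review list of capabilities that are usually
# absent from a hardened container profile. Not the talk's list.
REVIEW = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SYS_BOOT",
    "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_BPF",
}

# /proc/<pid>/status carries one line per set, e.g. "CapEff:\t00000000a80425fb".
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_sets(status_text):
    """Return {'CapEff': int, ...} for every capability line in the dump."""
    return {name: int(mask, 16) for name, mask in CAP_LINE.findall(status_text)}


def decode_caps(mask):
    """Expand a capability bitmask into names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the known table (newer kernels) are kept as CAP_<n>.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def audit(status_text):
    """Decode the effective and bounding sets and flag review-list entries.

    The bounding set matters as much as the effective set: a process that has
    dropped a capability can regain it (e.g. via setuid/file caps) only if the
    capability is still in CapBnd."""
    sets = parse_cap_sets(status_text)
    effective = decode_caps(sets.get("CapEff", 0))
    bounding = decode_caps(sets.get("CapBnd", 0))
    flagged = sorted(c for c in set(effective) | set(bounding) if c in REVIEW)
    return {"effective": effective, "bounding": bounding, "flagged": flagged}


# Constructed sample: the default capability set Docker grants a container.
DEFAULT_CONTAINER = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
# Constructed sample: every capability a 38-capability kernel knows about.
PRIVILEGED_CONTAINER = (
    "Name:\tsh\nCapInh:\t0000003fffffffff\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED_CONTAINER)):
        result = audit(text)
        print(f"[{label}] effective: {len(result['effective'])} capabilities")
        print(f"[{label}] review:    {', '.join(result['flagged']) or 'none'}")
```

Feeding the real contents of `/proc/self/status` from inside a container into `audit()` gives the same report for that container; an empty review list on the default Docker set and a long one on an all-capabilities container is the expected contrast, and the comparison between `CapEff` and `CapBnd` shows whether a capability that is merely not in use could still be reacquired.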


  • Vikas Kumar
    Vikas Kumar is a Senior Security Consultant at NCC Group, an information security firm specializing in application, network, and mobile security. He joined the team in February 2016. His interests include low-level application security, containers, embedded security, and cryptography. Vikas graduated from the University of Michigan with a bachelor's in Computer Science. Prior to NCC Group, Vikas interned as a Security/DevOps Engineer at RelateIQ in 2015, and as a Security Engineer at Duo Labs in 2014. While at the University of Michigan, he co-led Michigan Hackers’ Security Team, which co-hosted 2 Capture The Flag events with Facebook. He did cryptography research with Professor Alex Halderman, focusing on applying (and optimizing) known attacks against RSA to internet-wide scans of TLS and SSH configurations. He also did a basic analysis of Bluetooth Low Energy protocol security.
  • Rob Glew
    Rob Glew is a Senior Security Consultant at NCC Group in Chicago. He has been exploring security in a wide variety of areas for the last 5 years and has most recently begun digging into the internals of Docker and other container platforms. He has developed tools to assist in performing security audits for numerous types of applications and for fun enjoys working on reverse engineering challenges for security competitions.

