Is Docker Secure?

Date post: 14-Feb-2017
Upload: manideep-konakandla

Transcript

Page 1: Is Docker Secure?

Is Docker Secure?

Grehack’16 @France

Manideep K

Carnegie Mellon University

Page 2

Shameless Bragging

• Masters Student + Security Researcher at Carnegie Mellon, CyLab

• Authored a book on Info Sec & Ethical Hacking at the age of 20

• Featured in INDIA’s largest newspapers and news channels

• Trained 15,000+ people in Infosec including corporates, students & cyber cops

• 10 certifications: ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc.

• Ex Team Lead – Core Security & Data Analytics at TCS

• Interest areas: Container Security, Application Security etc.

More details about me on www.manideepk.com

Page 3

What am I up to with Containers?

• Co-Authored CIS Docker 1.12 Benchmark

• Cloud Security Research Intern @Adobe

• Extensive research at Carnegie Mellon

Page 4

Before we start

• How many of you know what containers are?

• How many of you used containers?

- Personal / Enterprise development or production

• How many of you did not adopt containers because of security issues?

Page 5

6-7 months of research in 30 minutes

Tough task, but we will do it

Page 6

What are we doing for the next 30 mins?

Intro

• Containers in 60 seconds

• Container Pipeline and Risk Areas

Sec…Security

• Images

• Container runtime

• Hello enterprises

Holistic pipeline view

Wrap up


Page 8

Containers in 60 seconds

Quick “60 second” Intro

Containers?

• Lightweight

• Application centric

• No more “it works on my machine”

• Micro-services

• Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)

• Cgroups: Isolates, limits and accounts resource usage (CPU, memory etc.)

BUZZ……….! Are containers brand new?

Img Ref: www.docker.com

Page 9

Container Pipeline & Risk Areas

(Diagram) Risk areas along the pipeline: Client <=> daemon communication; Communication with public/private registry; Registry’s security; Host security; Daemon security; Containers; Images

Ref: Modified version of image on www.docker.com


Page 11

Containers do not contain

53% of decision makers are worried about the security of containers*

Containers are not production-ready

Container Security (Docker) developed “a lot” in the past two years, is still developing and has a lot of scope

Docker containers are now “production-ready**”. Google spins up more than 2 billion containers per week

Containers are the “FUTURE”

* Forrester/Red Hat Report, January 2015

** You have to make them secure

Page 12

“Images” Security

Lifecycle of An Image

• Where can I get Images?

- Docker Hub (public)

- Docker Private Store (Beta)

• Can I use them (directly)?

- No! Not Docker hub (at least general images) for enterprises (personal?)

- How about Docker Private store?

• Official images are scanned with Nautilus (general images are not)

- Reports can be seen by opening tags on Hub

Page 13

My Analysis with Images

• Downloaded 50 images from the Hub; the first image analyzed has XSS and CSRF vulns:

www.vulnerability-lab.com/get_content.php?id=1802

www.vulnerability-lab.com/get_content.php?id=1803

• Some others (including official images) use vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc.

• Analyzed manually and also with the Twistlock tool

Page 14

Quick Facts from Banyanops 2015 Analysis report*

30% of official images are vulnerable

70% of general images are vulnerable

How well do the report’s stats hold up today?

* Ref: https://banyanops.com/blog/analyzing-docker-hub/

Page 15

Manideep, What to do now?

Enterprises - Build your own in-house registry, referring to the CIS Docker 1.12 benchmark

• Write Dockerfiles securely (version pinning mechanisms, creating a user etc.)

• Maintain and consume them securely (Docker Content Trust, frequent scanning etc.)

Personal users - HMM….HMm...Hmm..mmm (Private store?)

Page 16

Container Runtime - Messy Slide, Sorry!

• Break out of a container and attack the host / other containers

• The major problem is the “shared kernel”

• Beware of & fix bizarre Docker defaults (a few below), else you will be in big trouble

a) Containers can consume the entire memory, causing DoS

b) Containers can communicate with each other, leading to sniffing etc.

c) Containers are on the same bridge, leading to ARP spoofing, MITM etc.

d) Containers have no fork limit, allowing a fork bomb

e) Containers run as root – do you still want to know the impact?

f) Users with Docker daemon access have effective root privileges

• Isolation / Security

Namespaces - Beware of the non-namespaced kernel keyring, SYS_TIME etc., and do not share namespaces unless and until needed

Seccomp - How a single vulnerability in a system call ripped apart containers (a Linux vulnerability, but it impacted Docker – CanSecWest’16)

LSMs - SELinux and AppArmor

Capabilities - Do not use privileged containers, and try to set the flag for not acquiring any additional privileges
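As an added example (not from the talk), this small Python audit turns the two checklists above into checks: Dockerfile version pinning and user creation from slide 15, and the runtime defaults a) to e) plus the no-new-privileges setting from slide 16. It reads the JSON that `docker inspect` emits; the sample Dockerfile and inspect output are constructed, and the option names in the findings are the standard `docker run` flags.

```python
import json

def audit_dockerfile(text):
    """Findings for the Dockerfile practices on slide 15: pinned versions, non-root user."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:
        words = line.split()
        if words[0].upper() == "FROM":
            image = words[1]
            # Pinned means a digest, or at least a tag other than "latest".
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(f"base image not pinned: {image}")
        if words[0].upper() == "RUN" and "apt-get install" in line and "=" not in line:
            findings.append("apt-get install without version pinning")  # heuristic: no pkg=version
    if not any(l.split()[0].upper() == "USER" for l in lines):
        findings.append("no USER instruction: processes run as root")
    return findings

def audit_container(inspect_json):
    """Findings for the slide 16 defaults; item f (daemon access) is host-level, not in container config."""
    container = json.loads(inspect_json)[0]
    host, cfg = container["HostConfig"], container["Config"]
    findings = []
    if not host.get("Memory"):
        findings.append("a) no memory limit (--memory)")
    if host.get("NetworkMode") in ("default", "bridge"):
        findings.append("b/c) default bridge: inter-container traffic and ARP spoofing possible")
    if not host.get("PidsLimit"):
        findings.append("d) no fork limit (--pids-limit)")
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("e) runs as root (--user)")
    if host.get("Privileged"):
        findings.append("privileged container (--privileged)")
    if "no-new-privileges" not in " ".join(host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (--security-opt)")
    return findings

# Constructed samples: an unhardened Dockerfile and the `docker inspect`
# output of a container started with a plain `docker run` (defaults only).
SAMPLE_DOCKERFILE = """FROM ubuntu:latest
RUN apt-get update && apt-get install -y openssl
CMD ["openssl", "version"]
"""
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"Memory": 0, "PidsLimit": None, "NetworkMode": "default",
                   "Privileged": False, "SecurityOpt": None},
}])
```

Running both functions over the samples yields one finding per unhardened default; a container started with a memory limit, a pids limit, a user-defined network, a non-root user and no-new-privileges yields none.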

Page 17

Hello enterprises (applies to personal users too)

• Use tools (e.g. Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task):

a) Use only signed / XYZ images

b) Scan images “efficiently” and frequently

c) Automatic container profiling etc.

• Tune the CIS benchmark as per your org requirements and adhere to it

- Seccomp profiles, AppArmor/SELinux modules, SIEM/monitoring etc.

• Group containers on VMs (based on trust, operational categories etc.)

• Employ separate patch management, vulnerability assessment etc. procedures for containers


Page 19

Container pipeline (Holistic View)

(Diagram) Risk areas along the pipeline: Client <=> daemon communication; Communication with public/private registry; Registry’s security; Host security; Daemon security; Containers; Images

Img Ref: Modified version of image on www.docker.com


Page 21

So, what did you learn today?

Docker Containers are not secure, you have to make them secure…!

Page 22

It’s not good to keep questions in your mind

Throw them out and I am here to catch

Page 23

References

1. CIS Docker Benchmark 1.12

2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf

3. www.oreilly.com/webops-perf/free/files/docker-security.pdf

4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf

5. http://www.slideshare.net/Docker/docker-security-workshop-slides

6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231

7. https://docs.docker.com/engine/security/

8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence

Page 24

Hope you enjoyed…!

Reach me on www.manideepk.com for any questions
