© 2015 IBM Corporation
IBM Security Systems – Cyber Center of Excellence
1
How to make my containers secure?
“Securing the Infrastructure and the Workloads of Linux Containers”,
Workshop on Security and Privacy in the Cloud, Sept. 2015.
Mattetti, M., Shulman-Peleg, A., Allouche, Y., Corradi, A., Dolev, S., Foschini, L.
Agenda
1. Introduction to Linux containers
2. Docker technology
3. Container threats
4. LiCShield framework:
• How it works
• Performance evaluation
• Prevention of attacks
5. Conclusion and Future Work
Containers - emerging building blocks of clouds
Lightweight OS-level virtualization via grouping resources like
processes, files, and devices into isolated spaces.
Benefits:
• Portability and easy deployment
• Application isolation
• Near native performance
[Figure: containers vs. VMs. Container stack: Server, Host OS, Bins/Libs, App A to App D sharing the host kernel. VM stack: Server, Hypervisor, Host OS, then one Guest OS with its own Bins/Libs for each of App A, App B and App C.]
Container boundaries
- Capabilities
+ Namespaces
+ Cgroups
+ LSMs
+ new Root FS
Docker technology
• Open-source platform that automates the deployment of applications within Linux containers
• Applications and their dependencies are shipped as one package that can run on any Linux distribution
https://www.docker.com/
Docker Images
A set of read-only layers of a Union File System
• Reduces the disk footprint
• Speeds up container boot time
• Copy-on-write (data volumes for application data)
• Automated building via Dockerfile
Automating code distribution and deployment with Containers
• Container cloud (IaaS)
• Deployment packages (PaaS)
• 70% of organizations are evaluating Docker
• 49% are concerned with Docker security
Survey by Vmblog.com (745 participants)
http://stackengine.com/infographic-state-containers-2015-docker-adoption/
Container threats
[Figure: containers co-located on servers in a private/public cloud]
Threats:
• Kernel exploits
• Container engine
• Shared resources
• Shared Bins/Libs
• Mis-configurations
Attack flow:
• “Escape to host”
• Propagating to additional servers
Open source Linux tools to the rescue!
Linux Security Modules (LSMs, e.g. AppArmor, SELinux) are lightweight, loadable kernel modules enforcing access control.
Advantages of LSMs:
• Part of Linux distributions
• Provide mandatory access control (MAC)
Disadvantages of LSMs:
• Complicated configuration and tuning
[Figure: a profile to restrict the Docker daemon (none exists) and profiles to restrict the containers (only the limited docker-default profile)]
Existing Docker-default profile
Allows any operation on files except under the /proc and /sys file systems
Generic profile to suit the needs of any container workload
If we know the workload we can do something better!
Linux Container Shield
• Python framework to protect the infrastructure against attacks on the Docker daemon and on container workloads
• A Cloud Provider perspective:
  • hosting service allowing the Linux containers of different untrusted customers to be co-located
  • container deployment via pre-configured images or via building them on the servers
• Operates in a synthetic testing environment
• Two-step process:
  1. Tracing phase
  2. Profile generation
Tracing phase
https://github.com/LinuxContainerSecurity/LiCShield.git
• Dockerfile as input
• Invokes the Docker API (build/run commands)
• Uses a SystemTap script to monitor the kernel operations
• Stores the collected data in a text file
Tracing Files
Structure of a line (the file runs to millions of lines):
• probe point name — name of the kernel function probed
• control group path — path of the control group to which the trigger process belongs
• executable path — path of the executable file of the trigger process
• resource path — paths of the resources given as input to the probed kernel function
• mount namespace root — path of the root directory of the trigger process in the main mount namespace
Rules Engine
• Generates AppArmor rules to confine the executions of the Docker daemon and its containers
• Optimizes the learning phase of Host-based Intrusion Detection Systems by providing a description of the expected activities
Profiles Technical Insights
• Two types:
  • Host profile – to confine the Docker daemon (hundreds of rules)
  • Container profile – to have fine-grained control over the container workloads (thousands of rules)
• Tuning measures:
  • Host profile – Read, Write, Lock and Link permissions granted on the /var/lib/docker subtree
  • Container profile – Read-only and Read-Write permissions granted under “harmless” subtrees
Profiles Technical Insights (2)
• Strict control on:
  • which library can be loaded
  • which executable file can be run
• pivot_root system call as the switch point between the Host and the Container profile
• Glob patterns to make profiles suitable for any container instance spawned from the examined images
  – e.g. * replaces the container instance uuid
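As an added example (not LiCShield's own code), a toy rules engine covering the tracing-file structure and the profile generation described on this and the previous slides: it parses constructed trace lines, assigns each to the host or the container profile by its mount-namespace root, replaces the container instance id with a glob and renders AppArmor rules. The tab-separated line format, the probe-name-to-permission mapping, the profile names and the sample trace are all assumptions of this example.

```python
# Toy rules engine: tracing-file lines -> AppArmor host/container profiles.
# Assumed: five tab-separated fields per line, in the order the slide lists.
import re
from collections import defaultdict

FIELDS = ("probe", "cgroup", "exe", "resource", "ns_root")

# Assumed mapping from probed kernel function to an AppArmor permission.
PROBE_PERMS = {
    "vfs_read": "r",
    "vfs_write": "w",
    "vfs_link": "l",
    "vfs_lock_file": "k",
    "security_mmap_file": "m",   # library loading
    "open_exec": "ix",           # executable run, inherit profile
}
PERM_ORDER = ("r", "w", "l", "k", "m", "ix")

# Docker container ids are 64 hex characters; replacing them with a glob
# makes one profile valid for every instance spawned from the same image.
CONTAINER_ID = re.compile(r"[0-9a-f]{64}")


def parse_line(line):
    """Split one trace line into its five named fields."""
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def generalize(path):
    """Replace any container instance id in a path with '*'."""
    return CONTAINER_ID.sub("*", path)


def build_rules(trace_text):
    """Return (host_rules, container_rules): path -> set of permissions."""
    host, container = defaultdict(set), defaultdict(set)
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        perm = PROBE_PERMS.get(ev["probe"])
        if perm is None:          # probe not mapped to a permission: ignore
            continue
        if ev["ns_root"] == "/":  # trigger process runs in the host namespace
            host[generalize(ev["resource"])].add(perm)
            continue
        # Container process: after pivot_root its paths are relative to the
        # container root, so strip the root seen in the main mount namespace.
        root = ev["ns_root"].rstrip("/")
        path = ev["resource"]
        if path == root or path.startswith(root + "/"):
            path = path[len(root):] or "/"
        container[generalize(path)].add(perm)
    return host, container


def render(profile_name, rules):
    """Render a path -> permissions map as an AppArmor profile body."""
    out = [f"profile {profile_name} {{"]
    for path in sorted(rules):
        perms = "".join(p for p in PERM_ORDER if p in rules[path])
        out.append(f"  {path} {perms},")
    out.append("}")
    return "\n".join(out)


# Constructed sample trace (not real LiCShield output).
CID = "3f" * 32
ROOT = f"/var/lib/docker/aufs/mnt/{CID}"
DAEMON = ("/system.slice/docker.service", "/usr/bin/docker")
APP = (f"/docker/{CID}", "/usr/bin/node")
SAMPLE_TRACE = "\n".join("\t".join(ev) for ev in [
    ("vfs_write", *DAEMON, f"/var/lib/docker/aufs/diff/{CID}/etc/hostname", "/"),
    ("vfs_read", *DAEMON, f"/var/lib/docker/aufs/diff/{CID}/etc/hostname", "/"),
    ("vfs_lock_file", *DAEMON, f"/var/lib/docker/containers/{CID}/config.json", "/"),
    ("open_exec", *APP, f"{ROOT}/usr/bin/node", ROOT),
    ("vfs_read", *APP, f"{ROOT}/lib/x86_64-linux-gnu/libc.so.6", ROOT),
    ("security_mmap_file", *APP, f"{ROOT}/lib/x86_64-linux-gnu/libc.so.6", ROOT),
    ("vfs_read", *APP, f"{ROOT}/app/server.js", ROOT),
    ("vfs_write", *APP, f"{ROOT}/tmp/app.log", ROOT),
    ("vfs_getattr", *APP, f"{ROOT}/app", ROOT),   # unmapped probe, skipped
])

if __name__ == "__main__":
    host_rules, container_rules = build_rules(SAMPLE_TRACE)
    print(render("licshield-host", host_rules))
    print(render("licshield-container", container_rules))
```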
Profile distribution and enforcement
• Construct the security policy once for each image and apply it to all the instances
[Figure: image deployed to a Server running Host OS and Docker Daemon; “My image” deployed with its profile]
Dataset (image: workload)
Hadoop: hadoop-mapreduce-examples-2.6.0.jar in non-distributed mode
Java: SPECjvm2008
Node.js: 30000 HTTP GET requests sent at a fixed rate of 100 per second
PHP: same as Node.js
Nginx: same as Node.js
MongoDB: Mongo-perf
MySQL: MySQL benchmark suite
PostgreSQL: 4 clients generating 2000 transactions using the pgbench utility
Python: Unladen Swallow benchmark suite
Redis: 10000 requests sent by 50 parallel clients using the redis-benchmark utility
LiCShield Overhead
• Profile generation
  • part of the simulation and testing environment
  • no overhead in the production environment
• Profile loading
  • takes a few seconds
  • the apparmor_parser utility compiles profiles into a binary format and stores them in a cache directory, reducing the time for subsequent loading requests
Time in seconds per image: MySQL 584, PHP 785, PostgreSQL 965, Node.js 437, Redis 695, Nginx 824, Python 842, Java 857, MongoDB 1126, Hadoop 1478
LiCShield Overhead (2)
• Profile enforcement
  • Average times over 5 executions of the build operations and of the run operations: overhead < 3%
  • No significant change in average response time and error rate for web containers (Node.js, PHP, Nginx)
LiCShield effectiveness against attacks
• Kernel exploits: cannot prevent (co-deploy with HIDS)
• Shared resources: the container profile stops any operation not provided for (e.g. Shocker attack)
• Container engine: exploits simulated by inserting backdoors (e.g. mistakenly mounting data volumes) into the code of the Docker daemon; the host profile stops any deviation from the expected set of operations
• Container application: prevents attack propagation (attacks cannot gain more privileges than those granted to the applications)
• Shared bin/libs: blocks any attempt to overwrite shared libraries during container execution (write permission on bin/libs granted only during the build)
Shocker attack
[Figure: container processes reaching the host file system through a shared volume; container started with --cap-add DAC_READ_SEARCH; escape using open_by_handle_at; Shocker code injected by overwriting the application startup script]
The attack:
• is successful using the Docker default profile
• fails against the LiCShield profiles since no rule allows the access to the resolved path (e.g. /shared/etc/shadow)
Conclusion and Future Work
• We presented a framework to secure the engine and the workloads of Linux containers
• Test results show the low overhead introduced by LiCShield, while it proved to be effective in protecting the system against different types of attack
• LiCShield is not a competitor but a supplementary tool to optimize and complement HIDS
• Ongoing work
  • Prove the benefits of the combined architecture of LiCShield and HIDS in a production environment
  • Extend the container service with a profile management module
Contact info:
Massimiliano Mattetti
massimiliano.mattetti@unibo.it
https://it.linkedin.com/in/massimilianomattetti
IBM Cyber Security Center of Excellence
https://www.research.ibm.com/haifa/ccoe/index.shtml
Thanks for your attention
Time for questions…
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 

Securing the Infrastructure and the Workloads of Linux Containers

  • 1. © 2015 IBM Corporation, IBM Security Systems – Cyber Center of Excellence. How to make my containers secure? “Securing the Infrastructure and the Workloads of Linux Containers”, Workshop on Security and Privacy in the Cloud, Sept. 2015. Mattetti, M., Shulman-Peleg, A., Allouche, Y., Corradi, A., Dolev, S., Foschini, L.
  • 2. Agenda
      1. Introduction to Linux containers
      2. Docker technology
      3. Container threats
      4. LiCShield framework: how it works; performance evaluation; prevention of attacks
      5. Conclusion and Future Work
  • 3. Containers - emerging building blocks of clouds
      Lightweight OS-level virtualization via grouping resources like processes, files, and devices into isolated spaces.
      Benefits:
      • Portability and easy deployment
      • Application isolation
      • Near native performance
      [Figure: containers (Server / Host OS / Bins-Libs / App A-D) compared with VMs (Server / Hypervisor / Host OS / one Guest OS with its own Bins-Libs per App A-C)]
  • 4. Container boundaries
      - Capabilities
      + Namespaces
      + Cgroups
      + LSMs
      + new Root FS
  • 5. Docker technology
      • Open-source platform that automates the deployment of applications within Linux containers
      • Applications and their dependencies are shipped as one package that can run on any Linux distribution
      https://www.docker.com/
  • 6. Docker Images
      A set of read-only layers of a Union File System
      • Reduces the disk footprint
      • Speeds up container boot time
      • Copy-on-write (data volumes for application data)
      • Automated building via Dockerfile
  • 7. Automating code distribution and deployment with Containers
      • Container cloud (IaaS)
      • Deployment packages (PaaS)
      • 70% of organizations are evaluating Docker
      • 49% are concerned with Docker security
      Survey of Vmblog.com (745 participants): http://stackengine.com/infographic-state-containers-2015-docker-adoption/
  • 8. Container threats (private/public cloud)
      Threats:
      • Kernel exploits
      • Container engine
      • Shared resources
      • Shared Bins/Libs
      • Mis-configurations
      Attack flow:
      • “Escape to host”
      • Propagating to additional servers
  • 9. Open source Linux tools to the rescue!
      Linux Security Modules (LSMs, e.g. AppArmor, SELinux) are lightweight, loadable kernel modules enforcing access control.
      Advantages of LSMs:
      • Part of Linux distributions
      • Provide mandatory access control (MAC)
      Disadvantages of LSMs:
      • Complicated configuration and tuning
      Profile to restrict the Docker daemon: none exists. Profiles to restrict the containers: only the limited docker-default profile.
  • 10. Existing Docker-default profile
      Allows any operation on files except under the /proc and /sys file systems. A generic profile meant to suit the needs of any container workload. If we know the workload we can do something better!
  • 11. Linux Container Shield
      • Python framework to protect the infrastructure against attacks on the Docker daemon and on container workloads
      • A Cloud Provider perspective:
        • hosting service allowing co-location of the Linux containers of different untrusted customers
        • container deployment via pre-configured images or via building them on the servers
      • Operates in a synthetic testing environment
      • Two-step process:
        1. Tracing phase
        2. Profiles generation
  • 12. Tracing phase
      https://github.com/LinuxContainerSecurity/LiCShield.git
      • Dockerfile as input
      • Invokes the Docker API (build/run commands)
      • Uses a SystemTap script to monitor the kernel operations
      • Stores the collected data in a text file
  • 13. Tracing Files
      Structure of a line (million-line file):
      • probe point name: name of the kernel function probed
      • control group path: path of the control group to which the trigger process belongs
      • executable path: path of the executable file of the trigger process
      • resource path: paths of the resources given as input to the probed kernel function
      • mount namespace root: path of the root directory of the trigger process in the main mount namespace
  • 14. Rules Engine
      • Generates AppArmor rules to confine the executions of the Docker daemon and its containers
      • Optimizes the learning phase of Host-based Intrusion Detection Systems by providing the description of the expected activities
  • 15. Profiles Technical Insights
      • Two types:
        • Host profile: to confine the Docker daemon (hundreds of rules)
        • Container profile: to have fine-grained control over the container workloads (thousands of rules)
      • Tuning measures:
        • Host profile: Read, Write, Lock and Link permissions granted on the /var/lib/docker subtree
        • Container profile: Read-only and Read-Write permissions granted under “harmless” subtrees
  • 16. Profiles Technical Insights (2)
      • Strict control on which library can be loaded and which executable file can be run
      • pivot_root system call as the switch point between the Host and the Container profile
      • Glob patterns make profiles suitable for any container instance spawned from the examined images, e.g. * replaces the container instance uuid
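As an added example (not LiCShield's own code), the rules-engine step of slides 13 to 16 in Python: parse trace lines with the five fields above, split host rules from container rules at pivot_root, apply the subtree tuning of slide 15, and replace the instance id with a glob. The tab-separated line layout, the probe names, the probe-to-permission mapping and the "harmless" subtrees are assumptions made for this example.

```python
import re

# Constructed trace lines in the five-field structure the slides describe:
# probe point, cgroup path, executable path, resource path, mount namespace root.
# The tab separator and the probe names are assumptions, not LiCShield's real format.
CID = "3f2a9c1d" + "e" * 56                  # constructed 64-hex container id
ROOT = "/var/lib/docker/aufs/mnt/" + CID     # container root in the main mount namespace
SAMPLE_TRACE = "\n".join([
    f"do_sys_open\t/\t/usr/bin/docker\t/var/lib/docker/containers/{CID}/config.json\t/",
    f"vfs_write\t/\t/usr/bin/docker\t/var/lib/docker/containers/{CID}/{CID}-json.log\t/",
    f"sys_pivot_root\t/docker/{CID}\t/usr/bin/docker\t{ROOT}\t{ROOT}",
    f"do_execve\t/docker/{CID}\t/bin/sh\t{ROOT}/usr/sbin/nginx\t{ROOT}",
    f"security_mmap_file\t/docker/{CID}\t/usr/sbin/nginx\t{ROOT}/lib/x86_64-linux-gnu/libc.so.6\t{ROOT}",
    f"do_sys_open\t/docker/{CID}\t/usr/sbin/nginx\t{ROOT}/etc/nginx/nginx.conf\t{ROOT}",
    f"vfs_write\t/docker/{CID}\t/usr/sbin/nginx\t{ROOT}/var/log/nginx/access.log\t{ROOT}",
    f"vfs_write\t/docker/{CID}\t/usr/sbin/nginx\t{ROOT}/tmp/nginx.pid\t{ROOT}",
])

# Probe point -> AppArmor permission derived from it (assumed mapping): open -> r,
# write -> w, execve -> ix (control on executables), mmap -> mr (control on libraries).
PROBE_PERMS = {"do_sys_open": "r", "vfs_write": "w",
               "do_execve": "ix", "security_mmap_file": "mr"}
PERM_ORDER = "mrwlkix"                       # letter order used when merging permissions
CONTAINER_ID = re.compile(r"[0-9a-f]{64}")   # instance uuid, replaced by a glob

# Tuning measures from slide 15: whole-subtree grants instead of one rule per file.
HOST_SUBTREES = {"/var/lib/docker/": "rwlk"}              # read, write, lock, link
HARMLESS_SUBTREES = {"/tmp/": "rw", "/usr/share/": "r"}   # assumed "harmless" subtrees

def _subtree_rule(path, subtrees):
    """Return (glob, perms) when path falls under a tuned subtree, else None."""
    for prefix, perms in subtrees.items():
        if path.startswith(prefix):
            return prefix + "**", perms
    return None

def _grant(rules, glob, perms):
    """Merge perms into rules[glob], keeping a canonical letter order."""
    merged = set(rules.get(glob, "")) | set(perms)
    rules[glob] = "".join(c for c in PERM_ORDER if c in merged)

def generate_profiles(trace_text):
    """Return (host_rules, container_rules): dicts of path glob -> permissions.
    Daemon processes (cgroup "/") feed the host profile with host paths; container
    processes feed the container profile with paths relative to their mount namespace root."""
    host, container = {}, {}
    for line in trace_text.splitlines():
        probe, cgroup, _exe, resource, ns_root = line.split("\t")
        if probe == "sys_pivot_root":
            # Switch point: the host profile transitions into the container profile
            # (AppArmor pivot_root rule syntax, assumed here to be available).
            host["pivot_root " + CONTAINER_ID.sub("*", resource) + "/"] = "-> container"
        elif probe in PROBE_PERMS and cgroup == "/":
            path = CONTAINER_ID.sub("*", resource)
            _grant(host, *(_subtree_rule(path, HOST_SUBTREES) or (path, PROBE_PERMS[probe])))
        elif probe in PROBE_PERMS:
            path = resource[len(ns_root):] if resource.startswith(ns_root) else resource
            _grant(container, *(_subtree_rule(path, HARMLESS_SUBTREES) or (path, PROBE_PERMS[probe])))
    return host, container

def render(rules):
    """Emit AppArmor-style rule lines from a rule dict."""
    return [f"{glob} {perms}," for glob, perms in sorted(rules.items())]

if __name__ == "__main__":
    host_rules, container_rules = generate_profiles(SAMPLE_TRACE)
    print("profile docker-host {\n  " + "\n  ".join(render(host_rules)) + "\n}")
    print("profile container {\n  " + "\n  ".join(render(container_rules)) + "\n}")
```

The write to /var/log/nginx/access.log stays a single-file rule, while the /tmp write is widened to the tuned subtree; any path the trace never showed gets no rule at all, which is what blocks an unexpected access under the container profile.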
  • 17. Profile distribution and enforcement
      • Construct the security policy once for each image; apply it to all the instances
      [Figure: "My image" is deployed to a Server running the Host OS and the Docker Daemon]
  • 18. Dataset
      Image         Workload
      Hadoop        hadoop-mapreduce-examples-2.6.0.jar in non-distributed mode
      Java          SPECjvm2008
      Node.js       30000 HTTP GET requests sent at a fixed rate of 100 per second
      PHP           Same as Node.js
      Nginx         Same as Node.js
      MongoDB       Mongo-perf
      MySQL         MySQL benchmark suite
      PostgreSQL    4 clients generating 2000 transactions using the pgbench utility
      Python        Unladen Swallow benchmark suite
      Redis         10000 requests sent by 50 parallel clients using the redis-benchmark utility
  • 19. LiCShield Overhead
      • Profile generation
        • part of the simulation and testing environment
        • no overhead in the production environment
      • Profile loading
        • takes a few seconds
        • the apparmor_parser utility compiles profiles into a binary format and stores them in a cache directory, reducing the time for subsequent loading requests
      [Chart: time in seconds per image, in the order shown on the slide]
      MySQL 584, PHP 785, PostgreSQL 965, Node.js 437, Redis 695, Nginx 824, Python 842, Java 857, MongoDB 1126, Hadoop 1478
  • 20. LiCShield Overhead (2)
      • Profile enforcement: < 3%
      [Charts: average times over 5 executions of the run operations; average times over 5 executions of the build operations]
      No significant change in average response time and error rate for web containers (Node.js, PHP, Nginx)
  • 21. LiCShield effectiveness against attacks
      • Kernel exploits: cannot prevent (co-deploy with HIDS)
      • Shared resources: the container profile stops any operation not provided for (e.g. Shocker attack)
      • Container engine: exploits simulated by inserting backdoors (e.g. mistakenly mounting data volumes) in the code of the Docker daemon; the host profile stops any deviation from the expected set of operations
      • Container application: prevents attack propagation (attacks cannot gain more privileges than those granted to the applications)
      • Shared bin/libs: blocks any attempt to overwrite shared libraries during container execution (write permission on bin/libs granted only during the build)
  • 22. Shocker attack
      [Figure: container processes started with --cap-add DAC_READ_SEARCH escape to the host file system using open_by_handle_at through the shared directory]
      The attack:
      • is successful using the Docker default profile
      • fails against the LiCShield profiles since no rule allows access to the resolved path (e.g. /shared/etc/shadow)
      Shocker code injected by overwriting the application startup script
  • 23. Conclusion and Future Work
      • We presented a framework to secure the engine and the workloads of Linux containers
      • Test results show the low overhead introduced by LiCShield, while it proved to be effective in protecting the system against different types of attack
      • LiCShield is not a competitor but a supplementary tool to optimize and complement HIDS
      • Ongoing work
        • Prove the benefits of the combined architecture of LiCShield and HIDS in a production environment
        • Extend the container service with a profile management module
  • 24. Contact info: Massimiliano Mattetti [email protected] https://it.linkedin.com/in/massimilianomattetti IBM Cyber Security Center of Excellence https://www.research.ibm.com/haifa/ccoe/index.shtml
      Thanks for your attention. Questions time…

Editor's Notes

  • #4: In a nutshell, isolation is less strong than with VMs.
  • #5: Relies on cgroups to limit and account for the resource usage of the processes running inside the containers, and on namespaces to provide a different view of the system resources to the processes inside the container. Currently we have 6: IPC, Network, Mount, PID, User, UTS. Not everything can be namespaced. Privileged containers can attack and own the system. The power of the super user has been divided into distinct units, known as capabilities, which can be independently enabled and disabled.
  • #6: Linux daemon in charge of managing the lifecycle of containers. Exposes RESTful APIs on a UNIX or HTTP socket. Public repository for container images.
  • #13: We chose SystemTap since you can extend its script language using C code. We used this feature to query the kernel to get information about the privileged operations of daemon and container processes.
  • #16: We can safely grant the /tmp directory, which contains temporary files; /usr/share is the place for manuals, documentation and examples.
  • #19: Top 20 of Docker Hub.
  • #20: It operates in the testing environment, so we don't have overhead in production.
  • #22: HIDS should be able to notify abnormal activities, like whether AppArmor has been disabled. Proved to be very effective with attacks on ... Since our AppArmor profiles strictly check the mount flags, the execution of the container is blocked during its early stages. Cannot be written.
  • #23: Injected Shocker code by overwriting the application startup script. Any attempt to access the host file system triggers a security check with /shared as the first-level directory.