A Compendium of Container Escapes

Black Hat USA 2019

Presented by: Brandon Edwards, Nick Freeman
Date: Thursday August 08, 2019
Time: 15:50 - 16:40
Location: South Seas ABE

Containers are a hot topic because of the simplicity they bring to the process of software development, shipping, and deployment. They are insanely useful for eliminating environmental constraints such as library version conflicts, and for the overall organization and hygiene of software. Containers also provide some security properties, including version management, an expression of intent, and often reduced attack surface. However, it is important to understand that although the organizational isolation of containers is what enables these security properties, isolation itself is not a security property of containers.

As such, it becomes important to understand the security properties of containers, how they have been escaped in the past, and how they are likely to be escaped in the future. This year kicked off with a container escape vulnerability in runc, used by various container engines, which seemed to come as a shock for many users of containers.

The goal of this talk is to broaden the awareness of the how and why container escapes work, starting from a brief intro to what makes a process a container, and then spanning the gamut of escape techniques, covering exposed orchestrators, access to the Docker socket, exposed mount points, /proc, all the way down to overwriting/exploiting the kernel structures to leave the confines of the container.

Brandon Edwards

Brandon Edwards is the Chief Scientist and Co-founder of Capsule8, where he leads a team of researchers focused on Linux attacks. Prior to Capsule8, Brandon has been in various roles involving application security, program analysis, vulnerability discovery, and exploit development. He is a recurring lecturer and Hacker-in-Residence at NYU Tandon, and a recurring judge for the Pwnie Awards.

Nick Freeman

Nick Freeman is a Research Scientist at Capsule8, where he works on finding new ways to detect attackers. Prior to Capsule8, Nick spent ten years as a security consultant in New Zealand and the US.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats