Living in a Secure Container, Down by the River

DerbyCon 8.0 - Evolution

Presented by: Jack Mannino
Date: Saturday October 06, 2018
Time: 17:00 - 17:50
Location: Marriott VII, VIII, IX, X
Track: Track 2

Linux container technologies offer the ability to run software in isolation with a significantly reduced attack surface. By reducing the capabilities and resources a container can utilize, we make it increasingly difficult to elevate privileges, gain persistence or move laterally within a cluster of containerized services. While Docker is the container technology most people are familiar with, there are other container types to think about too, each with their own opinionated take on security. It’s getting increasingly common to adopt other runtimes through the Open Container Initiative (OCI) specification using interfaces and shims provided by container orchestration platforms. Containers that use Linux namespaces and control groups for isolation typically provide weaker protections against escaping than hypervisor-based containers, further detaching security reality from your hopes and dreams. This presentation will focus on the security and kernel protections available in several popular Linux container technologies including Docker, Rkt, LXC, Kata and gVisor. We will explore how the default runtime security controls stack up under attack and how they attempt to isolate resources at security boundaries. We will explore the container hardening process through AppArmor, SELinux, Seccomp and Capabilities. At the end of this presentation, you’ll be motivated to run minimally privileged containers that are isolated from doing any real damage. You’ll have plenty of time for security when your code is living in a container down by the river.
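The abstract ends on the capability-dropping point, so here is a small check a practitioner can run inside a container to see what it actually holds. This is an added example, not code from the talk or from any container project. It decodes the Cap* bitmasks that every Linux process exposes in /proc/<pid>/status, names the bits, and reports what the effective set contains beyond the 14 capabilities Docker's documentation lists as its default. DOCKER_DEFAULT_CAPS follows that documentation; DANGEROUS_CAPS and the two sample status excerpts are this example's own constructions and carry no authority beyond illustration.

```python
"""Decode the capability bitmasks Linux reports in /proc/<pid>/status.

Added example for the talk abstract above; not code from the talk or from any
container project. DANGEROUS_CAPS and the SAMPLE_* texts are constructed here.
"""
import os
import re

# Capability names indexed by kernel bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The 14 capabilities Docker grants a container by default (per Docker's docs).
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# This example's own short list of capabilities that commonly lead to host access.
DANGEROUS_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SYS_BOOT", "CAP_BPF",
})


def decode_capmask(hexmask):
    """Turn a hex mask such as '00000000a80425fb' into capability names, bit order."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table belong to capabilities newer than this list.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(status_text):
    """Return {field: hexmask} for the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = m.group(2)
    return caps


def audit_caps(status_text):
    """Summarise the effective set and what it holds beyond Docker's default."""
    caps = parse_status(status_text)
    effective = set(decode_capmask(caps.get("CapEff", "0")))
    bounding = set(decode_capmask(caps.get("CapBnd", "0")))
    return {
        "effective": sorted(effective),
        "beyond_docker_default": sorted(effective - DOCKER_DEFAULT_CAPS),
        "dangerous": sorted(effective & DANGEROUS_CAPS),
        # The bounding set is the ceiling a setuid binary or file capability
        # could raise a non-root process to, so it is reported separately.
        "bounding_beyond_effective": sorted(bounding - effective),
    }


# Constructed excerpt: root inside a container with Docker's default set.
SAMPLE_DEFAULT_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed excerpt: the same container started with --privileged on a
# kernel that knows 41 capabilities (every bit set).
SAMPLE_PRIVILEGED_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("docker default:", audit_caps(SAMPLE_DEFAULT_STATUS))
    print("privileged:", audit_caps(SAMPLE_PRIVILEGED_STATUS))
    if os.path.exists("/proc/self/status"):  # live check when run on Linux
        with open("/proc/self/status") as fh:
            print("this process:", audit_caps(fh.read()))
```

Run it as the entrypoint's user inside the container under review (or via docker exec); an empty "beyond_docker_default" and "dangerous" list means the runtime is granting no more than Docker's stock set, and the next step is dropping that set further with --cap-drop=ALL plus only the capabilities the workload has been shown to need.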

Jack Mannino

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.
