clair, a container image security analyzer
TRANSCRIPT
Page 2
CoreOS is Running the World’s Containers
MISSION: Secure the Internet
OPEN SOURCE: 90+ Projects on GitHub, 1,000+ Contributors
CoreOS.com - @coreoslinux - github/coreos
ENTERPRISE: Secure solutions, support plans, training + more
[email protected] - tectonic.com - quay.io
We’re hiring in all departments! Email: [email protected] Positions: coreos.com/careers
Page 3
Page 4
Storytelling()
Page 5
A traditional deployment
Page 6
But … wait
Page 7
A containerized deployment
Page 8
A container in practice ...
Page 9
Is that all?
Page 10
Page 11
CVE-2015-0235, aka GHOST
“GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.”
Page 12
CVE-2014-0160, aka Heartbleed
“The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.”
Page 13
76K Vulnerabilities
Page 14
How do we make this better for developers?
Page 15
Open source project for the static analysis of vulnerabilities in appc and docker containers.
github.com/coreos/clair
Page 16
Showtime()
Page 17
Clair in a few points
- Static analysis
- Do the job only once
- Suggest & Notify
- Built as a framework
Page 18
Static analysis
CONTEXT: Millions of container images
- Running these containers is expensive
- Running any untrusted container is unsafe
  - “We need to go deeper”
  - Secure solutions can become pretty complex
- Several dynamic analysis tools exist
  - Requires human input and guidance
Page 19
Do the job only once
CONTEXT: Millions of container images; over 15 new vulnerabilities / day
What happens when new vulnerabilities are published?
- Extract and store enough to inform about both known and future vulnerabilities
- Reuse analysis data as much as possible
Page 20
Suggest & Notify
“I read your security report about my container, but … what can I actually do?”
Here, look, here’s what you can easily fix.
“I feel confident about my container now. I’m lazy though and don’t want to check the report again. Tell me as soon as there’s something new that I should be concerned about.”
Sure. Where can I contact you?
Page 21
Built as a framework
Open Source and Extensibility are the heart and soul of Clair
v1.1.0
Page 22
Built as a framework - Detectors

```go
type FeaturesDetector interface {
	GetRequiredFiles() []string
	Detect(map[string][]byte) ([]database.FeatureVersion, error)
}

type NamespaceDetector interface {
	GetRequiredFiles() []string
	Detect(map[string][]byte) *database.Namespace
}

type DataDetector interface {
	Supported(path string, format string) bool
	Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error)
}
```
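As an added illustration of the FeaturesDetector contract above (example code, not from the Clair project), here is a detector for Debian/Ubuntu layers that reads var/lib/dpkg/status; the two-field FeatureVersion is a reduced stand-in for database.FeatureVersion, and the status excerpt is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// FeatureVersion stands in for database.FeatureVersion (assumption: reduced to two fields).
type FeatureVersion struct{ Name, Version string }
// DpkgDetector follows the FeaturesDetector shape from the slide for Debian/Ubuntu layers.
type DpkgDetector struct{}
func (DpkgDetector) GetRequiredFiles() []string { return []string{"var/lib/dpkg/status"} }

// Detect parses the blank-line separated stanzas of var/lib/dpkg/status. Only packages whose
// Status ends in "installed" count, so a removed package whose config files remain is skipped
// rather than reported. The source package name is preferred because advisories key on it.
func (DpkgDetector) Detect(files map[string][]byte) ([]FeatureVersion, error) {
	var out []FeatureVersion
	var pkg, src, ver, status string
	flush := func() { // emit the stanza just read, then reset for the next one
		if src != "" {
			pkg = src
		}
		if strings.HasSuffix(status, " installed") && pkg != "" && ver != "" {
			out = append(out, FeatureVersion{Name: pkg, Version: ver})
		}
		pkg, src, ver, status = "", "", "", ""
	}
	sc := bufio.NewScanner(strings.NewReader(string(files["var/lib/dpkg/status"])))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), " \t\r") // description continuations keep their leading space
		switch {
		case line == "":
			flush()
		case strings.HasPrefix(line, "Package: "):
			pkg = line[9:]
		case strings.HasPrefix(line, "Source: "): // "Source: glibc (2.19-18)" may carry a version
			src, _, _ = strings.Cut(line[8:], " ")
		case strings.HasPrefix(line, "Version: "):
			ver = line[9:]
		case strings.HasPrefix(line, "Status: "):
			status = line
		}
	}
	flush() // the last stanza need not end with a blank line
	return out, sc.Err()
}
// sampleStatus is a constructed dpkg status excerpt (libc6 installed, openssl removed), not from any real image.
const sampleStatus = "Package: libc6\nStatus: install ok installed\nSource: glibc\nVersion: 2.19-18+deb8u1\n\nPackage: openssl\nStatus: deinstall ok config-files\nVersion: 1.0.1k-3\n"
func main() { fmt.Println(DpkgDetector{}.Detect(map[string][]byte{"var/lib/dpkg/status": []byte(sampleStatus)})) }
```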
Page 23
Built as a framework - Vulnerability Updaters / Notifiers

```go
type Fetcher interface {
	FetchUpdate(database.Datastore) (FetcherResponse, error)
	Clean()
}

type Notifier interface {
	Configure(config.NotifierConfig) (bool, error)
	Send(database.VulnerabilityNotification) error
}
```
Page 24
Built as a framework - Datastores

```go
type Datastore interface {
	ListNamespaces() ([]Namespace, error)

	InsertLayer(Layer) error
	FindLayer(name string, withFeatures, withVulnerabilities bool) (Layer, error)
	DeleteLayer(name string) error

	ListVulnerabilities(namespaceName string, limit int, page int) ([]Vulnerability, int, error)
	InsertVulnerabilities(vulnerabilities []Vulnerability, createNotification bool) error
	FindVulnerability(namespaceName, name string) (Vulnerability, error)
	DeleteVulnerability(namespaceName, name string) error
	InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []FeatureVersion) error
	DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error

	GetAvailableNotification(renotifyInterval time.Duration) (VulnerabilityNotification, error)
	GetNotification(name string, limit int, page PageNumber) (VulnerabilityNotification, PageNumber, error)
	SetNotificationNotified(name string) error
	DeleteNotification(name string) error

	InsertKeyValue(key, value string) error
	GetKeyValue(key string) (string, error)

	Lock(name string, owner string, duration time.Duration, renew bool) (bool, time.Time)
	Unlock(name, owner string)
	FindLock(name string) (string, time.Time, error)

	Ping() bool
	Close()
}
```
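An added sketch (not Clair’s own code) of the “do the job only once” idea from page 19 as it shows up behind the Datastore interface: features are stored per layer when the image is analysed, and a vulnerability inserted later is matched against that stored data to yield the affected layers for a notification. MemoryStore, the reduced FeatureVersion and Vulnerability types, the constructed layers and the placeholder advisory id are assumptions, and naiveLess is a demo comparator only.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Stand-ins for Clair's database types (assumption: reduced to the fields the match needs).
type FeatureVersion struct{ Namespace, Name, Version string }
type Vulnerability struct {
	Namespace, Name string
	FixedIn         []FeatureVersion // a FixedIn Version of "" means no fix yet: every version is affected
}
// MemoryStore keeps the features extracted once per layer, so a vulnerability published later is
// matched against stored data instead of by re-analysing any image.
type MemoryStore struct {
	Layers map[string][]FeatureVersion // layer name -> features found in it
	Less   func(a, b string) bool      // version ordering of the namespace's package manager
}
// InsertVulnerability returns the layers shipping an affected version of a feature named in v.FixedIn.
func (s *MemoryStore) InsertVulnerability(v Vulnerability) map[string]bool {
	affected := map[string]bool{}
	for layer, feats := range s.Layers {
		for _, f := range feats {
			for _, fix := range v.FixedIn {
				if f.Namespace == v.Namespace && f.Name == fix.Name && (fix.Version == "" || s.Less(f.Version, fix.Version)) {
					affected[layer] = true
				}
			}
		}
	}
	return affected
}
// naiveLess orders dotted numeric versions; demo only, a real store needs dpkg/rpm semantics (epochs, "~", suffixes).
func naiveLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		if x, y := atoi(as[i]), atoi(bs[i]); x != y {
			return x < y
		}
	}
	return len(as) < len(bs)
}
func atoi(s string) int { n, _ := strconv.Atoi(s); return n }
func main() {
	store := &MemoryStore{Less: naiveLess, Layers: map[string][]FeatureVersion{
		"web": {{"debian:8", "glibc", "2.19"}, {"debian:8", "openssl", "1.0.2"}}, "db": {{"debian:8", "glibc", "2.20"}}}}
	// Constructed advisory with a placeholder id, not a real CVE: glibc fixed in 2.20, so only "web" is affected.
	fmt.Println(store.InsertVulnerability(Vulnerability{"debian:8", "VULN-EXAMPLE-1", []FeatureVersion{{"debian:8", "glibc", "2.20"}}}))
}
```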
Page 25
What does it currently support?
- Image format: appc, Docker
- Operating systems: Debian, Ubuntu, CentOS
- Detection: package managers (dpkg, rpm)
- Vulnerability sources: Distribution-specific
- Database: PostgreSQL 9.4+
- Notification: Webhook
Page 26
What’s next?
- Revisit database implementation
  - MySQL support (Huawei)
- Improve release distribution
  - Embed migrations
- Address client UX
  - Integrate a solid command-line tool (Wemanity)
- Expand detection capabilities
  - Add Alpine Linux support (goo.gl/TSkCxM)
  - Implement npm (Huawei), python, OWASP
- Anything you’d like to see!
Page 27
coreos.com/fest - @coreosfest
May 9 & 10, 2016 - Berlin, Germany
Page 28
Thank you!
Quentin Machu - @Quentin__M | [email protected]