LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
DESCRIPTION
In our interconnected world of mobile and cloud computing, particularly with the rise of governmental spying, corporate espionage, and theft of data by organized crime syndicates, security is more important than ever. Many claims are being made about the security of open-source cloud technologies: how can administrators, users, and developers separate fact from fiction? This talk will equip the audience with the principles needed to evaluate security claims. We will talk about the nature of risk, of vulnerabilities and exploits; the various factors that reduce the risk of vulnerabilities in software; and about TCB, threat models, and defense-in-depth. We will then apply these principles to three open-source cloud technologies: containers, KVM, and Xen, to see how they stack up. These will be backed up with numbers: lines of code, security advisories, entry points, and so on.
TRANSCRIPT
Page 1
Security in the Cloud: Xen, KVM, Containers
Or, Surviving the Zombie Apocalypse
Page 2
“Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.”
–Dan Walsh (Mr. SELinux)
Page 3
“There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozzo, we've been running secure containers for at least 10 years.”
–James Bottomley, Linux Maintainer and Parallels CTO
Page 4
“Virtual Machines might be more secure today, but containers are definitely catching up.”
–Jerome Petazzoni, Senior Software Engineer at Docker
Page 5
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.”
–Theo de Raadt, OpenBSD project lead
Page 6
"Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker." -Dan Walsh
"There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozzo, we've been running secure containers for at least 10 years." -James Bottomley
"Virtual Machines might be more secure today, but containers are definitely catching up." -Jerome Petazzoni
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes." -Theo de Raadt
Page 7
Who am I?
Page 8
What I’m going to talk about
Page 9
Security and Risk
Page 10
Vulnerabilities and Exploits
Page 11
A vulnerability is a mistake.
Page 12
Configuration vulnerabilities
Page 13
Software vulnerabilities
Page 14
Page 15
Page 16
Intel SYSRET
Page 17
Zombie Apocalypse.
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Every window is an opportunity to make a mistake
Page 24
Every element of every interface is an opportunity to make a mistake
Page 25
But does this really matter?
Page 26
Page 27
Would this affect a system configured reasonably for security?
Page 28
Xen: Access to HV memory >5TiB during migration
Page 29
Xen: Unsecured PV console parameters
Page 30
Xen: 1 year, 1-4 known vulnerabilities
Page 31
KVM: Escalation in vhost
Page 32
KVM: PUSHA instruction emulation
Page 33
KVM: vcpu hypercall boundary check
Page 34
KVM: vlapic shared page crossing a page boundary
Page 35
KVM: 1 year, 4 solid vulnerabilities
Page 36
qemu: VMWare emulated device
Page 37
qemu: virtio-net mac address update
Page 38
qemu: 1 year, 2 known vulnerabilities
Page 39
Linux: ping
Page 40
Linux: tty race condition
Page 41
Linux: ptrace and SYSRET
Page 42
Linux: AIO, arbitrary read of kernel memory
Page 43
Linux: Futex not checking if two pointers were different (2)
Page 44
Linux: AMD math coprocessor
Page 45
Linux: 2 months, 6 vulnerabilities
Page 46
Hypervisors: Low (but not zero) risk
Page 47
General-purpose containers: Not so good
Page 48
Application-specific containers + seccomp2?
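The thread running from the "every element of every interface is an opportunity to make a mistake" slide to the last two slides is that a general-purpose container exposes the whole Linux system-call interface to the guest, while an application-specific container fenced with seccomp2 (seccomp mode 2, the BPF filter mode) exposes only the calls the application needs. As an added example that is not part of the talk, the C program below builds such a seccomp-bpf allow-list, evaluates it against individual syscall numbers without installing it so the verdicts can be inspected, and then installs it for the calling process. The four-syscall list is constructed for illustration, and `build_allowlist`, `filter_verdict` and `install_allowlist` are hypothetical helper names, not an API from the slides.

```c
// Added example (not from the talk): a seccomp-bpf allow-list that leaves an
// application-specific container only the system calls it needs, so every
// other kernel entry point is unreachable from inside it. The syscall list is
// constructed; the three function names are hypothetical.
#define _GNU_SOURCE
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/types.h>

#ifndef SECCOMP_RET_KILL_PROCESS   /* older headers only define RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
/* Syscall numbers differ per ABI, so the filter checks the arch first. */
#if defined(__x86_64__)
#define EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXPECTED_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example assumes x86-64 or aarch64 syscall numbers"
#endif
#define MAX_FILTER_LEN 64

/* Emit a classic-BPF program: allow exactly `allowed`, kill on anything else.
 * Returns the instruction count (5 fixed + 2 per syscall), 0 if `cap` is too small. */
size_t build_allowlist(struct sock_filter *prog, size_t cap,
                       const int *allowed, size_t n_allowed)
{
    size_t i = 0;
    if (cap < 5 + 2 * n_allowed)
        return 0;
    /* A = seccomp_data.arch; kill unless it is the ABI we built for */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                             EXPECTED_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* A = seccomp_data.nr; one (compare, allow) pair per permitted syscall */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n_allowed; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (__u32)allowed[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* default: not on the list, so kill */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Run the program on a synthetic (arch, nr) without installing it, so the verdict
 * for each syscall can be checked. Understands only the three instruction kinds
 * build_allowlist() emits; anything else returns 0 (malformed). */
__u32 filter_verdict(const struct sock_filter *prog, size_t len,
                     __u32 arch, __u32 nr)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (ins->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* jt/jf are offsets past the next insn */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Install for the calling process. NO_NEW_PRIVS lets an unprivileged process
 * do this and stops setuid binaries from shedding the filter on execve. */
int install_allowlist(const struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len,
                                .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed list for a service that only uses descriptors it already
     * holds and then exits. */
    const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
    struct sock_filter prog[MAX_FILTER_LEN];
    size_t len = build_allowlist(prog, MAX_FILTER_LEN, allowed, 4);
    if (len == 0 || install_allowlist(prog, len) != 0)
        return 1;
    /* Only listed syscalls work now: use write()/_exit(), not stdio. */
    static const char msg[] = "sandboxed: write() still allowed\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    _exit(0);   /* exit_group; a getpid() here would kill the process */
}
```

Run it as an ordinary user on Linux: once the filter is installed the process can make only the four listed calls, and any other call ends it with SIGSYS, which is why `main` avoids stdio after the install. In a real container runtime the list comes from the application's profile rather than a hard-coded array, and the arch check at the top of the program is what keeps a syscall made through another ABI (for example the 32-bit compat path on x86-64) from being matched against the wrong numbers.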
Page 49
Page 50
Questions?