Security in the Cloud: Xen, KVM, Containers

Or, Surviving and the Zombie Apocalypse

–Dan Walsh (Mr. SELinux)

“Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security

point of view, containers are much weaker.”

–James Bottomley, Linux Maintainer and Parallels CTO

“There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozo, we've been running secure containers for at least 10

years.”

–Jerome Petazzoni, Senior Software Engineer at Docker

“Virtual Machines might be more secure today, but containers are definitely catching up.”

–Theo de Raadt, OpenBSD project lead

“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write

operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without

security holes.”

"Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are

much weaker." -Dan Walsh

"There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozo, we've been running

secure containers for at least 10 years.” -James Bottomley

"Virtual Machines might be more secure today, but containers are definitely catching up." -Jerome Petazzoni

"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without

security holes, can then turn around and suddenly write virtualization layers without security holes." -Theo de Raadt

Who am I?

What I’m going to talk about

Security and Risk

Vulnerabilities and Exploits

A vulnerability is a mistake.

Configuration vulnerabilities

Software vulnerabilities

Intel SYSRET

Zombie Apocalypse.

Every window is an opportunity to make a mistake

Every element of every interface is an opportunity to make a mistake

But does this really matter?

Would this affect a system configured reasonably for security?

Xen: Access to HV memory >5TiB during migration

Xen: Unsecured PV console parameters

Xen: 1 year, 1-4 known vulnerabilities

KVM: Escalation in vhost

KVM: PUSHA instruction emulation

KVM: vcpu hypercall boundary check

KVM: vlapic shared page crossing a page boundary

KVM: 1 year, 4 solid vulnerabilities

qemu: VMWare emulated device

qemu: virtio-net mac address update

qemu: 1 year, 2 known vulnerabilities

Linux: ping

Linux: tty race condition

Linux: ptrace and SYSRET

Linux: AIO, arbitrary read of kernel memory

Linux: Futex not checking if two pointers were different (2)

Linux: AMD math coprocessor

Linux: 2 months, 6 vulnerabilities

Hypervisors: Low (but not zero) risk

General-purpose containers: Not so good

Application-specific containers + seccomp2?

Questions?