towards improving container security by preventing runtime
TRANSCRIPT
![Page 1: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/1.jpg)
Towards Improving Container Security by Preventing Runtime Escapes
Michael Reeves, Dave Tian, Antonio Bianchi, and Z. Berkay Celik
#IEEESecDev https://secdev.ieee.org/20211SAND2021-12434 C
![Page 2: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/2.jpg)
What is a container?
- Container: Process- Kernel Isolation Mechanisms- Kernel Security Mechanims
- Isolation: limit container’s access- Cgroups- Namespaces
- Security: limit container abilities - Linux Security Modules- Seccomp- Capabilities
2
Docker
Linux Kernel
Storage
Namespaces Networking
Cgroups Security
Device Mapper
Btrfs Aufs
PID NET MNT User
device memory Capability SELinux seccomp
bridge iptablesveth
CPU
![Page 3: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/3.jpg)
Why do adversaries want to control container hosts?
1. CryptoJacking2. Corporate Espionage3. Exfiltrate Customer Data
TODO: ADD PIC HERE
3
![Page 4: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/4.jpg)
How do adversaries attack container hosts?
- Misconfiguration (1)- Kernel Bug (2)- Runtime Vulnerability (3)
Container != VMVulnerabilities =>
EscapeEscape => Host Code
Execution
4
![Page 5: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/5.jpg)
Related Work: Container Escapes
5
• Lin et al. (ACSAC): • measure kernel exploit container escapes
• Anton (Thesis): • measures container escape exploits, only 4 CVEs
• Martin et al.(Computer Communications) : • measure container configuration escapes
• Flauzac et al. (Procedia Computer Science): • limited comparison between technology features
• Allodi et al. (ACM): • conducted vulnerability risk assessment
![Page 6: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/6.jpg)
Contributions:
6
No work has analyzed container runtime vulnerabilities1. Container security study:
• 11 runtimes and 59 corresponding container runtime CVEs
• 28 container runtime CVEs have PoC exploits
2. Container CVE taxonomy:• Container runtime PoC: 7-class taxonomy
• 46% of all container runtime PoC CVEs => 9 different container escape exploits
• Main cause of escape: host component leaked into the container
3. User namespace defense:• prevent exploitation of root privileges on host
• 7 of 9 exploits prevented
![Page 7: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/7.jpg)
SAND2021-12434 C
Security Study
![Page 8: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/8.jpg)
Threat Model:
• System: • Linux Server Container Host
• Adversary:• Container Code Execution• Goal: control host
• TCB:• Container Configuration• Linux Kernel• Server Hardware
• Threat:• Runtime Vulnerability
ContainerLinux Server:container host
3
22
1X
![Page 9: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/9.jpg)
Runtime Vulnerability: Container Escape Exploit
9
CVE-2019-5736: runc vulnerability
1. Override Entrypoint2. At initialization:
a. EVIL.so loaded by entrypointb. Overwrite container runtime
with evil backdoor3. New container executes evil
Adversary Escapes and executes
Code on the host!
Container
Linux Server:container host
/self/proc/exe1
EVIL.so2
3
![Page 10: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/10.jpg)
Data Collection
10
1. Build List: a. 11 Runtimes
2. Query CVEs: a. NVDTOOLS 59 CVEs
>=9 <9, >=7 <7, >=4 <4
![Page 11: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/11.jpg)
Data Collection (Cont…)
11
3. Filter CVEs: a. remove 9 DoS CVEsb. focus on CVEs w/ PoC
4. Search PoC: Github/Googlea. missing PoC (not in NVD or
public internet)
>=9 <9, >=7 <7, >=4 <4
![Page 12: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/12.jpg)
SAND2021-12434 C
Taxonomy
![Page 13: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/13.jpg)
Exploit Analyzer Framework:
- binary analysis (low level)- MITRE ATT&CK (high level)- steps (low + high level)Categories: consider cause and impact
runc: CVE-2019-5736:1. symlink container entry point to /proc/self/exe2. save malicious.so with new function to overwrite
host runtime engine onto container3. entry point executes in the container on startup4. /proc/self/exe executes container_runtime ON
CONTAINER5. host runtime loads the malicious.so6. .so overwrites container_runtime -> evil7. new containers will execute evil, code execution
achieved
![Page 14: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/14.jpg)
CVE Taxonomy
14
Key:C2H: container to hostLHA: limited-host-accessH: hostC: container
46%
21%
14%
7%
4%4% 4%
Container Runtime PoC Exploit Categories
C2H-escape
H-priv-esc
C2H-LHA
unpatched-system
C2H-net
C-priv-esc
MAC-bypass
![Page 15: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/15.jpg)
Escape Exploits
15
3
3
3
Exploit Categories
File Descriptor Mishandling Component Missing Access Control
Host Execution in Container Context
Main Issue: Unintended host components exposed in container3 Causes:1. File Descriptor Mishandling 2. Component Missing Access
Control3. Host Execution
in Container Context
![Page 16: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/16.jpg)
SAND2021-12434 C
NamespaceDefense
![Page 17: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/17.jpg)
User Namespaces
17
Design:Container User mapped to non-privileged host user
Prevents: Exploiting root permissions on the host
![Page 18: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/18.jpg)
Prevented: Container Escape Exploit
18
Container
Linux Server:container host
/self/proc/exe1
EVIL.so2
CVE-2019-5736: runc vulnerability
1. Override Entrypoint2. At initialization:
a. EVIL.so loaded by entrypointb. FAILS TO OVERRIDE ENTRY
Why?:Container root user != host root userNo permissions on host to overwrite!
![Page 19: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/19.jpg)
Defense Effectiveness
19
Exploits Prevented (Failed) Exploits still Succeed Effectiveness
7 2 78%
![Page 20: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/20.jpg)
Defense Limitation
20
Main Limitation: host runtime utility executes as root, but depends on adversary-controlled container objectsWhy?:CVE- 2019-19921: TOCTOU in runC’s volume mount operation. Occurs before container fully initializedSolution:Fix runC software to open volume mount directories as file descriptor rather than a string
![Page 21: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/21.jpg)
Conclusions
21
• Security Study: • 11 runtimes and their 59 CVEs.
• Taxonomy: • 7-classes over the 28 CVEs with publicly available PoC exploits• Main cause of container escapes is a host component leaked into the
container
• Defense: • Main idea: prevent exploitation of root privileges on host• User namespace prevents 7 of 9 exploits
![Page 23: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/23.jpg)
SAND2021-12434 C
BACKUP:
![Page 24: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/24.jpg)
3
1
1
2
1
1
Container Escape Exploits by Runtime
runC rkt kata Docker containerd LXC
3
3
3
2
1
1
Container Escape CVEs by Runtime
runC rkt kata Docker containerd LXC
24
12 Container Escape CVES -> 9 PoC Exploits
![Page 25: Towards Improving Container Security by Preventing Runtime](https://reader033.vdocuments.us/reader033/viewer/2022042815/626909a8739e951a235a39ab/html5/thumbnails/25.jpg)
NamespacesExplained
25
PID NamespaceDesign:Isolate the processes of separate containers Prevents: Observing processes across the whole operating system