SlideShare a Scribd company logo

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

SBA Research
SBA Research

Target Group: SysAdmins, Developer, DevOps Focus: technical Talk language: English Abstract ********** What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

Technology
1 of 36
Download to read offline
Secure Containers for Developers Mathias Tausig SBA Research gGmbH SBA Live Academy 2020
History 1
Container History I • Since the 1980s, the chroot technology allows parts of the filesystem to separated from each other on *NIX systems • Parallel to the rise of virtualization 2000, interest in a more lightweight OS-Virtualization grew ◦ 2000: Virtuozzo (Linux, Windows) − 2005 OpenVZ ◦ 2000: Jails (BSD) ◦ 2001: Linux VServer ◦ 2004: Zones (Solaris) 2
Container History II • Around the same time, generic interfaces in the Linux kernel were developed: ◦ 1998: AppArmor ◦ 2000: SELinux ◦ 2002: Namespaces ◦ 2007: CGroups • 2008 saw the first release of LXC (Linux Containers), a userspace interface to create virtualized environments using these technologies ◦ No kernel modification neccesary • In 2013, the company dotCloud Inc. released the first version of its container software: Docker ◦ Initially based on LXC ◦ Switched to the libcontainer interface to use the kernel’s capabilities 3
Containers
VM vs. Container While a virtual machine is always running a full OS on virtual hardware, a container is part of the current host system sharing its resources (especially the kernel). 5
VM vs. Container A container ist more lightweight than a VM. • Less storage space • Less memory • Much faster creation and startup These performance advantages are offset by a worse isolation. Since all containers share the same kernel, an exploit on the kernel level can comprosie all containers on the host. 6
System- vs. application-container • An application container is used to run a single process. If that process is stopped, the corresponding container is terminated as well. • A system container is able to run multiple processes while keeping a persisten state over a long time. 7
Privileged containers A privileged container is one running with root privileges on the host system.1 An unprivileged container does not have those capabilities.2 1 Default for Docker 2 Default for LXC 8
Linux containment features
Namespaces • Since kernel 3.12 • Used to isolate system ressources and processes • Provides a certain ressource to a process in an abstracted fashion ◦ pid: Container may administer their own process hierarchy while having their own (logical) init process with PID 1 ◦ user: Isolation of user- and group IDS (uid and gid) allows a process to run processes as “root” without granting it elevated privileges on the host system ◦ net: Provides separated network devices and configurations as well as routing tables ◦ mnt: Each container can have their own view of the filesystem hierarchy ◦ ... 10
cgroups To limit negative consequences to the host system by a container, Control Groups (cgroups) may be used. They are built out of various subsystems, each of which limits a certain resource for a container. • blkio: Limits access to block devices • cpu, cpuacct, cpusets: Limits CPU access • devices: Access to devices can be granted • freezer: Allows to stop and wakeup tasks • hugetlb, memory: Limits available RAM • net_cls, net_prio: Used for network priorisation • perf_event: Used for process monitoring 11
SELinux / AppArmor The kernel security modules SELinux and AppArmor greatly extends the usual Discretionary Access Control (DAC) model of linux Access Controll Policies with a much more advanced and powerful Mandatory Access Controll (MAC) system. The allows i.e to limit which files a certain process may access, or to cut off its network access. 12
Linux Containers
What is LXC? LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Li- nux users easily create and manage system or application containers. – https://linuxcontainers.org 14
Frontends LXC container can be created and managed using different tools: • Direct usage of liblxc and lxc-utils • Usage of a frontend ◦ libvirt ◦ ProxMox ◦ LXD 15
LXD LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. – https://linuxcontainers.org/lxd/introduction/ 16
LXD Architecture LXD is based on a daemon (which in turn is based on liblxc) which provides a REST API. This API is consumed by the command line tool lxc3 3 No typo. The tool is really named like this. 17
Images New containers are not installedm they get cloned from a base image, which is retrieved from a repository4 . 4 local or online 18
Use Cases Developer • Isolated execution of applications • Development environments with seperated dependencies • Test environments 19
LXD Tutorial
Requirements The following scenarios assume the following: • Ubuntu 18.04 Bionic 64 bit is used • Packages lxd, lxdtool are installedm • User is part of the group lxd5 5 Disclaimer: As with docker, this is equivalent to giving the user root privileges on the system. Take care. 21
Documentations • Official documentation: https://linuxcontainers.org/lxd/docs/master/ • Blog of Stéphane Graber: https://stgraber.org/category/lxd/ 22
Initialize $ l x d i n i t Would you l i k e to use LXD c l u s t e r i n g ? ( yes / no ) [ d e f a u l t =no ] : no Do you want to c o n f i g u r e a new storage pool ? ( yes / no ) [ d e f a u l t = yes ] : yes Name of the new storage pool [ d e f a u l t = d e f a u l t ] : mystorage Would you l i k e to connect to a MAAS s e r v e r ? ( yes / no ) [ d e f a u l t =no ] : no Would you l i k e to create a new l o c a l network bridge ? ( yes / no ) [ d e f a u l t = yes ] : yes What should the new bridge be c a l l e d ? [ d e f a u l t = lxdbr0 ] : l x d l o c a l What IPv4 address should be used ? ( CIDR subnet notation , " auto " or " none " ) [ d e f a u l t = auto ] : auto What IPv6 address should be used ? ( CIDR subnet notation , " auto " or " none " ) [ d e f a u l t = auto ] : none Would you l i k e LXD to be a v a i l a b l e over the network ? ( yes / no ) [ d e f a u l t =no ] : no Would you l i k e s t a l e cached images to be updated a u t o m a t i c a l l y ? ( yes / no ) [ d e f a u l t = yes ] no Would you l i k e a YAML " l x d i n i t " preseed to be p r i n t e d ? ( yes / no ) [ d e f a u l t =no ] : yes 23
Images $ l x c remote l i s t +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | NAME | URL | PROTOCOL | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | images | https : // images . l i n u x c o n t a i n e r s . org | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | l o c a l ( d e f a u l t ) | unix : // | l x d | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | ubuntu | https : // cloud−images . ubuntu . com/ r e l e a s e s | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | ubuntu−d a i l y | https : // cloud−images . ubuntu . com/ d a i l y | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ 24
Images $ l x c image l i s t ubuntu : +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | DESCRIPTION | ARCH | SIZE | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 amd64 ( r e l e a s e ) (20180706) | x86_64 | 1 6 9 . 5 1MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 arm64 ( r e l e a s e ) (20180706) | aarch64 | 153.62MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 armhf ( r e l e a s e ) (20180706) | armv7l | 1 5 2 . 8 1MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ . . . $ l x c image l i s t images : +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | DESCRIPTION | ARCH | SIZE | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | Alpine 3.6 amd64 (20190402 _13 :00) | x86_64 | 3 . 1 7MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | Alpine 3.6 arm64 (20190402 _13 :00) | aarch64 | 3.07MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ . . . 25
Container lifecycle $ l x c launch ubuntu : b i o n i c t e s t C r e a t i n g t e s t S t a r t i n g t e s t $ l x c l i s t +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ | t e s t | RUNNING | 1 0 . 1 1 4 . 1 3 . 2 4 ( eth0 ) | | PERSISTENT | 0 | +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ $ l x c exec t e s t −− / bin / bash root@test : ~# e x i t $ l x c stop t e s t $ l x c rm t e s t 26
BTRFS storage $ l x c storage create mybtrfs b t r f s source =/ dev / loop0 Storage pool mybtrfs created $ df −h F i l e s y s t e m S i z e Used A v a i l Use% Mounted on udev 7 ,8G 0 7 ,8G 0% / dev tmpfs 1 ,6G 2 ,0M 1 ,6G 1% / run / dev / sda2 1 1 7G 1 1 G 100G 10% / [ . . . ] / dev / loop0 30G 17M 28G 1% / var / l i b / l x d / storage−pools / mybtrfs $ l x c storage show mybtrfs c o n f i g : source : 031 d08f0−ed03−4f39 −8274−03fc4a12688c v o l a t i l e . i n i t i a l _ s o u r c e : / dev / loop0 d e s c r i p t i o n : " " name : mybtrfs d r i v e r : b t r f s used_by : [ ] s t a t u s : Created l o c a t i o n s : − none 27
Profile $ l x c p r o f i l e create myprof $ cat lxd−p r o f i l e −myprof . yaml c o n f i g : user . vendor−data : | # cloud−c o n f i g users : − name : ubuntu ssh_authorized_keys : − ssh−ed25519 AAAAC3Nza [ . . . ] oJmMZ7Y5YlrYA mat@office s h e l l : / bin / bash d e s c r i p t i o n : My brandnew LXD p r o f i l e devices : eth0 : name : eth0 n i c t y p e : bridged parent : l x d l o c a l type : n i c root : path : / pool : mybtrfs type : d i s k s i z e : 10GB name : myprofile $ l x c p r o f i l e e d i t myprof < lxd−p r o f i l e −myprof . yaml 28
Profile $ l x c launch ubuntu : 1 8 . 0 4 web −−p r o f i l e myprof $ l x c p r o f i l e show myprof c o n f i g : user . vendor−data : | # cloud−c o n f i g users : − name : ubuntu ssh_authorized_keys : − ssh−ed25519 AAAAC3Nza [ . . . ] oJmMZ7Y5YlrYA mat@office s h e l l : / bin / bash group : sudo d e s c r i p t i o n : My brandnew LXD p r o f i l e devices : eth0 : name : eth0 n i c t y p e : bridged parent : l x d l o c a l type : n i c root : path : / pool : mybtrfs s i z e : 10GB type : d i s k name : myprof used_by : [ web ] 29
Shared Disk $ l x c c o n f i g device add t e s t s r c d i r d i s k path =/home/ ubuntu / s r c source =/home/my/ s r c Device s r c d i r added to shared $ ssh ubuntu@10 . 4 5 . 2 3 8 . 1 6 7 ubuntu@shared : ~$ mount / dev /dm−5 on / type b t r f s ( rw , relatime , ssd , [ . . . ] ) none on / dev type tmpfs ( rw , relatime , s i z e =492k , mode=755 , uid =165536 , gid =165536) . . . / dev / mapper /myvg−home on /home/ ubuntu / s r c type ext4 ( rw , relatime , data = ordered ) . . . ubuntu@shared : ~$ df F i l e s y s t e m 1 K−blocks Used A v a i l a b l e Use% Mounted on / dev /dm−5 36700160 21135324 14910740 59% / none 492 0 492 0% / dev udev 3898488 0 3898488 0% / dev / t t y tmpfs 100 0 100 0% / dev / l x d tmpfs 100 0 100 0% / dev / . lxd−mounts tmpfs 3930688 0 3930688 0% / dev /shm tmpfs 3930688 172 3930516 1% / run tmpfs 5120 0 5120 0% / run / l o c k tmpfs 3930688 0 3930688 0% / sys / f s / cgroup / dev / mapper /myvg−home 95593892 85171544 5523328 94% /home/ ubuntu / s r c tmpfs 786136 0 786136 0% / run / user /1000 30
Network $ l x c network create i s o l a t e d Network i s o l a t e d created $ l x c network set i s o l a t e d ipv4 . nat f a l s e $ l x c network set i s o l a t e d ipv6 . address none $ l x c network set i s o l a t e d ipv6 . nat f a l s e $ l x c network attach i s o l a t e d webdev $ l x c network show i s o l a t e d c o n f i g : ipv4 . address : 1 0 . 8 1 . 2 3 8 . 1 / 2 4 ipv4 . nat : " f a l s e " ipv6 . address : none ipv6 . nat : " f a l s e " d e s c r i p t i o n : " " name : i s o l a t e d type : bridge used_by : − / 1 . 0 / c o n t a i n e r s / webdev managed : true s t a t u s : Created l o c a t i o n s : − none 31
Privileged containers $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d true $ l x c c o n f i g show webdev a r c h i t e c t u r e : x86_64 c o n f i g : image . a r c h i t e c t u r e : amd64 image . d e s c r i p t i o n : ubuntu 18.04 LTS amd64 ( r e l e a s e ) ( 2 0 1 9 0 8 1 3 . 1 ) [ . . . ] s e c u r i t y . p r i v i l e g e d : " true " [ . . . ] v o l a t i l e . i s o l a t e d . hwaddr : 00:16:3 e :4 f : 4 7 : 1 5 v o l a t i l e . i s o l a t e d . name : eth1 v o l a t i l e . l a s t _ s t a t e . idmap : ’ [ { " I s u i d " : true , " I s g i d " : f a l s e , " Hostid " : 1 6 5 5 3 6 , [ . . . ] } ] ’ v o l a t i l e . l a s t _ s t a t e . power : RUNNING devices : i s o l a t e d : n i c t y p e : bridged parent : i s o l a t e d type : n i c ephemeral : f a l s e p r o f i l e s : − d e f a u l t s t a t e f u l : f a l s e d e s c r i p t i o n : " " 32
Privileged containers $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d true $ l x c r e s t a r t webdev $ l x c s h e l l webdev root@webdev : ~# t a i l −f / var / log / s y s l o g & Oct 1 1 16:30:30 webdev systemd [ 1 ] : Stopped t a r g e t Login Prompts . [ . . . ] root@webdev : ~# logout $ ps aux | grep " t a i l −f " root 19655 [ . . . ] 18:30 0:00 t a i l −f / var / log / s y s l o g $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d f a l s e $ l x c r e s t a r t webdev $ l x c s h e l l webdev root@webdev : ~# t a i l −f / var / log / s y s l o g & Oct 1 1 1 6 : 3 1 : 0 4 g i t o l i t e systemd [ 1 ] : S t a r t e d User Manager f o r UID 0. [ . . . ] root@webdev : ~# logout $ ps aux | grep " t a i l −f " 165536 2 0 9 3 8 [ . . . ] 1 8 : 3 1 0:00 t a i l −f / var / log / s y s l o g 33
The End!
Klassifikation: Öffentlich 17 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Bridging Science and Industry Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowledge Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Contact us: anfragen@sba-research.org

Recommended

Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...SBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 

Recommended

Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...SBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
Wireguard VPN
Wireguard VPNWireguard VPN
Wireguard VPNAll Things Open
 
Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)Yi-Feng Tzeng
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS SecurityJose Manuel Ortega Candel
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival GuideKen Johnson
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
 
SauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better WormholeSauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better WormholeSauce Labs
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applicationsDaniel Garcia (a.k.a cr0hn)
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Passive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory SegalPassive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory SegalCODE BLUE
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
 

More Related Content

What's hot

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)Yi-Feng Tzeng
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival GuideKen Johnson
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
 
SauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better WormholeSauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better WormholeSauce Labs
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Passive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory SegalPassive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory SegalCODE BLUE
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 

What's hot (20)

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
 
Wireguard VPN
Wireguard VPNWireguard VPN
Wireguard VPN
 
Down by the Docker
Down by the DockerDown by the Docker
Down by the Docker
 
Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)Enterprise Architecture Case in PHP (MUZIK Online)
Enterprise Architecture Case in PHP (MUZIK Online)
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS Security
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
 
SauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better WormholeSauceCon 2017: Building a Better Wormhole
SauceCon 2017: Building a Better Wormhole
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Passive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory SegalPassive Fingerprinting of HTTP/2 Clients by Ory Segal
Passive Fingerprinting of HTTP/2 Clients by Ory Segal
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 

Similar to SBA Live Academy - Secure Containers for Developer by Mathias Tausig

Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Shifter: Containers in HPC Environments
Shifter: Containers in HPC EnvironmentsShifter: Containers in HPC Environments
Shifter: Containers in HPC Environmentsinside-BigData.com
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?ArangoDB Database
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
 
Linux containers and docker
Linux containers and dockerLinux containers and docker
Linux containers and dockerFabio Fumarola
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Commit to excellence - Java in containers
Commit to excellence - Java in containersCommit to excellence - Java in containers
Commit to excellence - Java in containersRed Hat Developers
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introductionkanedafromparis
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Patrick Chanezon
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作kao kuo-tung
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Tutorial to setup OpenStreetMap tileserver with customized boundaries of India
Tutorial to setup OpenStreetMap tileserver with customized boundaries of IndiaTutorial to setup OpenStreetMap tileserver with customized boundaries of India
Tutorial to setup OpenStreetMap tileserver with customized boundaries of IndiaArun Ganesh
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance AnalysisBrendan Gregg
 

Similar to SBA Live Academy - Secure Containers for Developer by Mathias Tausig (20)

Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Shifter: Containers in HPC Environments
Shifter: Containers in HPC EnvironmentsShifter: Containers in HPC Environments
Shifter: Containers in HPC Environments
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless Containers
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
 
Linux containers and docker
Linux containers and dockerLinux containers and docker
Linux containers and docker
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Commit to excellence - Java in containers
Commit to excellence - Java in containersCommit to excellence - Java in containers
Commit to excellence - Java in containers
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introduction
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Tutorial to setup OpenStreetMap tileserver with customized boundaries of India
Tutorial to setup OpenStreetMap tileserver with customized boundaries of IndiaTutorial to setup OpenStreetMap tileserver with customized boundaries of India
Tutorial to setup OpenStreetMap tileserver with customized boundaries of India
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance Analysis
 

More from SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...SBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Research
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Research
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas KopeinigSBA Research
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...SBA Research
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Research
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Research
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Research
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Research
 

More from SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

  • 1. Secure Containers for Developers Mathias Tausig SBA Research gGmbH SBA Live Academy 2020
  • 3. Container History I • Since the 1980s, the chroot technology allows parts of the filesystem to separated from each other on *NIX systems • Parallel to the rise of virtualization 2000, interest in a more lightweight OS-Virtualization grew ◦ 2000: Virtuozzo (Linux, Windows) − 2005 OpenVZ ◦ 2000: Jails (BSD) ◦ 2001: Linux VServer ◦ 2004: Zones (Solaris) 2
  • 4. Container History II • Around the same time, generic interfaces in the Linux kernel were developed: ◦ 1998: AppArmor ◦ 2000: SELinux ◦ 2002: Namespaces ◦ 2007: CGroups • 2008 saw the first release of LXC (Linux Containers), a userspace interface to create virtualized environments using these technologies ◦ No kernel modification neccesary • In 2013, the company dotCloud Inc. released the first version of its container software: Docker ◦ Initially based on LXC ◦ Switched to the libcontainer interface to use the kernel’s capabilities 3
  • 6. VM vs. Container While a virtual machine is always running a full OS on virtual hardware, a container is part of the current host system sharing its resources (especially the kernel). 5
  • 7. VM vs. Container A container ist more lightweight than a VM. • Less storage space • Less memory • Much faster creation and startup These performance advantages are offset by a worse isolation. Since all containers share the same kernel, an exploit on the kernel level can comprosie all containers on the host. 6
  • 8. System- vs. application-container • An application container is used to run a single process. If that process is stopped, the corresponding container is terminated as well. • A system container is able to run multiple processes while keeping a persisten state over a long time. 7
  • 9. Privileged containers A privileged container is one running with root privileges on the host system.1 An unprivileged container does not have those capabilities.2 1 Default for Docker 2 Default for LXC 8
  • 11. Namespaces • Since kernel 3.12 • Used to isolate system ressources and processes • Provides a certain ressource to a process in an abstracted fashion ◦ pid: Container may administer their own process hierarchy while having their own (logical) init process with PID 1 ◦ user: Isolation of user- and group IDS (uid and gid) allows a process to run processes as “root” without granting it elevated privileges on the host system ◦ net: Provides separated network devices and configurations as well as routing tables ◦ mnt: Each container can have their own view of the filesystem hierarchy ◦ ... 10
  • 12. cgroups To limit negative consequences to the host system by a container, Control Groups (cgroups) may be used. They are built out of various subsystems, each of which limits a certain resource for a container. • blkio: Limits access to block devices • cpu, cpuacct, cpusets: Limits CPU access • devices: Access to devices can be granted • freezer: Allows to stop and wakeup tasks • hugetlb, memory: Limits available RAM • net_cls, net_prio: Used for network priorisation • perf_event: Used for process monitoring 11
  • 13. SELinux / AppArmor The kernel security modules SELinux and AppArmor greatly extends the usual Discretionary Access Control (DAC) model of linux Access Controll Policies with a much more advanced and powerful Mandatory Access Controll (MAC) system. The allows i.e to limit which files a certain process may access, or to cut off its network access. 12
  • 15. What is LXC? LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Li- nux users easily create and manage system or application containers. – https://linuxcontainers.org 14
  • 16. Frontends LXC container can be created and managed using different tools: • Direct usage of liblxc and lxc-utils • Usage of a frontend ◦ libvirt ◦ ProxMox ◦ LXD 15
  • 17. LXD LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. – https://linuxcontainers.org/lxd/introduction/ 16
  • 18. LXD Architecture LXD is based on a daemon (which in turn is based on liblxc) which provides a REST API. This API is consumed by the command line tool lxc3 3 No typo. The tool is really named like this. 17
  • 19. Images New containers are not installedm they get cloned from a base image, which is retrieved from a repository4 . 4 local or online 18
  • 20. Use Cases Developer • Isolated execution of applications • Development environments with seperated dependencies • Test environments 19
  • 22. Requirements The following scenarios assume the following: • Ubuntu 18.04 Bionic 64 bit is used • Packages lxd, lxdtool are installedm • User is part of the group lxd5 5 Disclaimer: As with docker, this is equivalent to giving the user root privileges on the system. Take care. 21
  • 23. Documentations • Official documentation: https://linuxcontainers.org/lxd/docs/master/ • Blog of Stéphane Graber: https://stgraber.org/category/lxd/ 22
  • 24. Initialize $ l x d i n i t Would you l i k e to use LXD c l u s t e r i n g ? ( yes / no ) [ d e f a u l t =no ] : no Do you want to c o n f i g u r e a new storage pool ? ( yes / no ) [ d e f a u l t = yes ] : yes Name of the new storage pool [ d e f a u l t = d e f a u l t ] : mystorage Would you l i k e to connect to a MAAS s e r v e r ? ( yes / no ) [ d e f a u l t =no ] : no Would you l i k e to create a new l o c a l network bridge ? ( yes / no ) [ d e f a u l t = yes ] : yes What should the new bridge be c a l l e d ? [ d e f a u l t = lxdbr0 ] : l x d l o c a l What IPv4 address should be used ? ( CIDR subnet notation , " auto " or " none " ) [ d e f a u l t = auto ] : auto What IPv6 address should be used ? ( CIDR subnet notation , " auto " or " none " ) [ d e f a u l t = auto ] : none Would you l i k e LXD to be a v a i l a b l e over the network ? ( yes / no ) [ d e f a u l t =no ] : no Would you l i k e s t a l e cached images to be updated a u t o m a t i c a l l y ? ( yes / no ) [ d e f a u l t = yes ] no Would you l i k e a YAML " l x d i n i t " preseed to be p r i n t e d ? ( yes / no ) [ d e f a u l t =no ] : yes 23
  • 25. Images $ l x c remote l i s t +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | NAME | URL | PROTOCOL | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | images | https : // images . l i n u x c o n t a i n e r s . org | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | l o c a l ( d e f a u l t ) | unix : // | l x d | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | ubuntu | https : // cloud−images . ubuntu . com/ r e l e a s e s | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ | ubuntu−d a i l y | https : // cloud−images . ubuntu . com/ d a i l y | simplestreams | +−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−+ 24
  • 26. Images $ l x c image l i s t ubuntu : +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | DESCRIPTION | ARCH | SIZE | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 amd64 ( r e l e a s e ) (20180706) | x86_64 | 1 6 9 . 5 1MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 arm64 ( r e l e a s e ) (20180706) | aarch64 | 153.62MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ | ubuntu 1 7 . 1 0 armhf ( r e l e a s e ) (20180706) | armv7l | 1 5 2 . 8 1MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−+ . . . $ l x c image l i s t images : +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | DESCRIPTION | ARCH | SIZE | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | Alpine 3.6 amd64 (20190402 _13 :00) | x86_64 | 3 . 1 7MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ | Alpine 3.6 arm64 (20190402 _13 :00) | aarch64 | 3.07MB | +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+−−−−−−−−−+−−−−−−−−−−−+ . . . 25
  • 27. Container lifecycle $ l x c launch ubuntu : b i o n i c t e s t C r e a t i n g t e s t S t a r t i n g t e s t $ l x c l i s t +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ | t e s t | RUNNING | 1 0 . 1 1 4 . 1 3 . 2 4 ( eth0 ) | | PERSISTENT | 0 | +−−−−−−+−−−−−−−−−+−−−−−−−−−−−−−−−−−−−−−+−−−−−−+−−−−−−−−−−−−+−−−−−−−−−−−+ $ l x c exec t e s t −− / bin / bash root@test : ~# e x i t $ l x c stop t e s t $ l x c rm t e s t 26
  • 28. BTRFS storage $ l x c storage create mybtrfs b t r f s source =/ dev / loop0 Storage pool mybtrfs created $ df −h F i l e s y s t e m S i z e Used A v a i l Use% Mounted on udev 7 ,8G 0 7 ,8G 0% / dev tmpfs 1 ,6G 2 ,0M 1 ,6G 1% / run / dev / sda2 1 1 7G 1 1 G 100G 10% / [ . . . ] / dev / loop0 30G 17M 28G 1% / var / l i b / l x d / storage−pools / mybtrfs $ l x c storage show mybtrfs c o n f i g : source : 031 d08f0−ed03−4f39 −8274−03fc4a12688c v o l a t i l e . i n i t i a l _ s o u r c e : / dev / loop0 d e s c r i p t i o n : " " name : mybtrfs d r i v e r : b t r f s used_by : [ ] s t a t u s : Created l o c a t i o n s : − none 27
  • 29. Profile $ l x c p r o f i l e create myprof $ cat lxd−p r o f i l e −myprof . yaml c o n f i g : user . vendor−data : | # cloud−c o n f i g users : − name : ubuntu ssh_authorized_keys : − ssh−ed25519 AAAAC3Nza [ . . . ] oJmMZ7Y5YlrYA mat@office s h e l l : / bin / bash d e s c r i p t i o n : My brandnew LXD p r o f i l e devices : eth0 : name : eth0 n i c t y p e : bridged parent : l x d l o c a l type : n i c root : path : / pool : mybtrfs type : d i s k s i z e : 10GB name : myprofile $ l x c p r o f i l e e d i t myprof < lxd−p r o f i l e −myprof . yaml 28
  • 30. Profile $ l x c launch ubuntu : 1 8 . 0 4 web −−p r o f i l e myprof $ l x c p r o f i l e show myprof c o n f i g : user . vendor−data : | # cloud−c o n f i g users : − name : ubuntu ssh_authorized_keys : − ssh−ed25519 AAAAC3Nza [ . . . ] oJmMZ7Y5YlrYA mat@office s h e l l : / bin / bash group : sudo d e s c r i p t i o n : My brandnew LXD p r o f i l e devices : eth0 : name : eth0 n i c t y p e : bridged parent : l x d l o c a l type : n i c root : path : / pool : mybtrfs s i z e : 10GB type : d i s k name : myprof used_by : [ web ] 29
  • 31. Shared Disk $ l x c c o n f i g device add t e s t s r c d i r d i s k path =/home/ ubuntu / s r c source =/home/my/ s r c Device s r c d i r added to shared $ ssh ubuntu@10 . 4 5 . 2 3 8 . 1 6 7 ubuntu@shared : ~$ mount / dev /dm−5 on / type b t r f s ( rw , relatime , ssd , [ . . . ] ) none on / dev type tmpfs ( rw , relatime , s i z e =492k , mode=755 , uid =165536 , gid =165536) . . . / dev / mapper /myvg−home on /home/ ubuntu / s r c type ext4 ( rw , relatime , data = ordered ) . . . ubuntu@shared : ~$ df F i l e s y s t e m 1 K−blocks Used A v a i l a b l e Use% Mounted on / dev /dm−5 36700160 21135324 14910740 59% / none 492 0 492 0% / dev udev 3898488 0 3898488 0% / dev / t t y tmpfs 100 0 100 0% / dev / l x d tmpfs 100 0 100 0% / dev / . lxd−mounts tmpfs 3930688 0 3930688 0% / dev /shm tmpfs 3930688 172 3930516 1% / run tmpfs 5120 0 5120 0% / run / l o c k tmpfs 3930688 0 3930688 0% / sys / f s / cgroup / dev / mapper /myvg−home 95593892 85171544 5523328 94% /home/ ubuntu / s r c tmpfs 786136 0 786136 0% / run / user /1000 30
  • 32. Network $ l x c network create i s o l a t e d Network i s o l a t e d created $ l x c network set i s o l a t e d ipv4 . nat f a l s e $ l x c network set i s o l a t e d ipv6 . address none $ l x c network set i s o l a t e d ipv6 . nat f a l s e $ l x c network attach i s o l a t e d webdev $ l x c network show i s o l a t e d c o n f i g : ipv4 . address : 1 0 . 8 1 . 2 3 8 . 1 / 2 4 ipv4 . nat : " f a l s e " ipv6 . address : none ipv6 . nat : " f a l s e " d e s c r i p t i o n : " " name : i s o l a t e d type : bridge used_by : − / 1 . 0 / c o n t a i n e r s / webdev managed : true s t a t u s : Created l o c a t i o n s : − none 31
  • 33. Privileged containers $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d true $ l x c c o n f i g show webdev a r c h i t e c t u r e : x86_64 c o n f i g : image . a r c h i t e c t u r e : amd64 image . d e s c r i p t i o n : ubuntu 18.04 LTS amd64 ( r e l e a s e ) ( 2 0 1 9 0 8 1 3 . 1 ) [ . . . ] s e c u r i t y . p r i v i l e g e d : " true " [ . . . ] v o l a t i l e . i s o l a t e d . hwaddr : 00:16:3 e :4 f : 4 7 : 1 5 v o l a t i l e . i s o l a t e d . name : eth1 v o l a t i l e . l a s t _ s t a t e . idmap : ’ [ { " I s u i d " : true , " I s g i d " : f a l s e , " Hostid " : 1 6 5 5 3 6 , [ . . . ] } ] ’ v o l a t i l e . l a s t _ s t a t e . power : RUNNING devices : i s o l a t e d : n i c t y p e : bridged parent : i s o l a t e d type : n i c ephemeral : f a l s e p r o f i l e s : − d e f a u l t s t a t e f u l : f a l s e d e s c r i p t i o n : " " 32
  • 34. Privileged containers $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d true $ l x c r e s t a r t webdev $ l x c s h e l l webdev root@webdev : ~# t a i l −f / var / log / s y s l o g & Oct 1 1 16:30:30 webdev systemd [ 1 ] : Stopped t a r g e t Login Prompts . [ . . . ] root@webdev : ~# logout $ ps aux | grep " t a i l −f " root 19655 [ . . . ] 18:30 0:00 t a i l −f / var / log / s y s l o g $ l x c c o n f i g set webdev s e c u r i t y . p r i v i l e g e d f a l s e $ l x c r e s t a r t webdev $ l x c s h e l l webdev root@webdev : ~# t a i l −f / var / log / s y s l o g & Oct 1 1 1 6 : 3 1 : 0 4 g i t o l i t e systemd [ 1 ] : S t a r t e d User Manager f o r UID 0. [ . . . ] root@webdev : ~# logout $ ps aux | grep " t a i l −f " 165536 2 0 9 3 8 [ . . . ] 1 8 : 3 1 0:00 t a i l −f / var / log / s y s l o g 33
  • 36. Klassifikation: Öffentlich 17 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Bridging Science and Industry Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowledge Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Contact us: anfragen@sba-research.org