Technical Report on Container Security (I)

Technical Report on Container Security (I)

outubro 31, 2018 | Adeline Zhang

Overview

In recent years, the cloud computing model has gradually been universally recognized and accepted in the industry. In China, sectors such as governments, finance, carriers, and energy as well as small and medium-size organizations, to varying degrees, have migrated their business to the cloud. However, just turning hosts, platforms, or applications into virtual form cannot solve their legacy issues such as slow upgrade, clumsy architecture, and no support for rapid iteration. Then the concept of cloud native comes into being.

  • Container and Virtualization

One-to-many virtualization means to map one physical switch to multiple logical switches on a virtual tenant network for sharing among tenants.

Both virtual machine (VM) and containerization are system virtualization technologies to achieve system resource sharing through one-to-many virtualization. Compared with VM, containerization is lightweight. For example, VM is intended for virtualization of hardware resources at the hypervisor layer which serves as a platform to run VMs and manage VM operating systems as each VM has its own operating system, system library, and applications. Containerization, by contrast, is short of the hypervisor layer and each container shares hardware resources and the operating system with the host[1].

Containerization implements virtualization of computer system resources at the operating system layer. By separating, dividing, and controlling resources such as CPU, memory, and file system in the operating system, processes can utilize resources transparently. Figure 1.1 shows the difference in the implementation of VM and container technologies.

Figure 1.1 Architecture comparison between VM and containerization

As technologies advance and a balance is reached between business separation and performance indicators, containerization and VM tend to be fused. For example, the Kata Containers[i] project has containers embedded in lightweight VMs to achieve the container-level launch and running speeds as well as VM-level separation and security.

Figure 1.2 Architecture of the Kata Containers project

[1]Host machine, container host, and host mentioned in this report all indicate the host running the operating system kernel on which containers operate. Such a host can be either a physical server or a VM in the cloud environment.

[i] Kata Containers, https://katacontainers.io/

  • Evolutionary History of Containerization

The container concept can date back to chroot, a tool released for UNIX systems in 1979. Jails introduced in FreeBSD around 2000 can be deemed as one of earlier container technologies. Solaris proposed containers in 2004, bringing forward the concept of container resource management.

Arguably, Linux Containers (LXC) that appeared in 2008 is the first complete Linux container management solution implemented with Linux Control Groups (CGroups) and Linux Namespace. LXC, delivered in the liblxc library, provides API implementations of various programing languages and can run on the Linux kernel without any additional patches installed.

DotCloud (now Docker) open sourced its internal container project Docker[i] in 2013. Docker, based on LXC in early days, resorted to the self-developed libcontainer later. In addition to underlying services, Docker also introduces an ecosystem for container management which consists of a container image model, an image repository, REST APIs, and command lines.

In 2014, CoreOS released a container engine, Rocket[ii] (rkt for short), which is built on a more open standard container, App Container. Besides, CoreOS operating system, Etcd (a key-value storage component), and Flannel (a networking component) are also among container products developed by CoreOS.

In 2015, Microsoft launched Windows Containers[iii] to add container support for Windows-based applications on Windows Server. This implementation enables native support for running Docker containers on Windows systems.

In November 2017, Alibaba open sourced Pouch[iv], a lightweight container technology licensed under the Apache 2.0 license agreement. Built on the container technology T4, Pouch gradually absorbs the Docker image technology and has been playing an important role in various scenarios in Alibaba, thanks to its high performance, high portability, and resource efficiency features.

[i] Docker, https://github.com/docker

[ii] Rocket, https://github.com/rkt/rkt

[iii] Windows Containers, https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/

[iv] Alibaba Pouch, https://github.com/alibaba/pouch

Figure1.3 Evolution history of the container technology

  • Container Security

The container technology, though highly sought-after and having found a wide application, contains security issues that cannot be neglected.

On June 14, 2018, a security vendor found 17 Docker container images infected with a cryptomining program. Worse still, these images had been downloaded more than 5 million times[i].

According to a research report[ii] released on June 18 by Lacework, a cloud security vendor, more than 21,000 container orchestration platforms were currently exposed on the Internet, including such widely used ones as Kubernetes, Docker Swarm, Mesos Marathon, and Redhat OpenShift. Of all those exposed platforms, Kubernetes account for 75% (for details, see NTI data described in section 3.1.2) and 305 exposed ones, even with no password at all, may lead to disastrous consequences once maliciously exploited.

First, let’s take a look at Docker, the most popular container implementation technology within the industry. By July 31, 2018, a total of 38 vulnerabilities[iii] had been found in Docker since it was released in 2014, including eight in 2018, five in 2017, and 11 in 2016. Of all those vulnerabilities, 33 are assigned a risk level, with four marked critical, eight identified high-risk, and only three labeled low-risk.

For example, the vulnerability which was found at the end of 2014 and assigned CVE-2014-9357 is deemed critical by Common Vulnerability Scoring System (CVSS) V2.0 which gives the composite score of 10. This vulnerability can bring such security risks as denial-of-service, access control privilege bypass, and arbitrary code execution.

In March 2017, Docker, Inc. announced the official release of Docker Enterprise Edition (Docker EE) which is 17.X (17.03.0-ee-1/17.03.1-ee-2 or 17.03.0-ce/17.03.1-ce) upgraded from 1.13.X. Docker, whether the community edition or enterprise edition, has security considerations added during the last updates.

For example, Docker EE 17.06.2-ee-6[iv] released on November 27, 2017, fixes the execution state (moby/moby#35484[v]) of vulnerable versions, adds protection for health monitoring channels (moby/moby#35482[vi]), as well as addresses the memory exhaustion issue (moby/moby#35424[vii]) resulting from the daemon crash caused by abnormal images.

[i] Tainted, crypto-mining containers pulled from Docker Hub, https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/

[ii] Containers At-Risk, A Review of 21,000 Cloud Environments, https://info.lacework.com/containers-at-risk-cloud-environments-review?_ga=2.217313366.1971398103.1529458438-615050303.1529458438

[iii] CNNVD, http://www.cnnvd.org.cn/web/vulnerability/queryLds.tag?pageno=3&repairLd=

[iv] https://docs.docker.com/enterprise/17.06/#17062-ee-6-2017-11-27

[v] https://github.com/moby/moby/pull/35484

[vi] https://github.com/moby/moby/pull/35482

[vii] https://github.com/moby/moby/pull/35424

Figure 1.4 Keyword popularity trend on Google Trends

In addition, we have compared the search popularity of three keywords on Google Trends[1], i.e. “docker security”, “container security”, and “kubernetes security” in the past five years, as shown in Figure 1.4[2]. We can see that the search popularity of these keywords shows an upward trend, especially “docker security” for which the search popularity score was above 50 on average during the last year or two and even reached 100 in the period from February 4 to 10, 2018.

In June 2017, Gartner released Gartner Identifies the Top Technologies for Security in 2017[i], which listed container security and DevSecOps (Development-Security-Operations) as two of the top security technologies. In its 2017 Cloud Security Hype Cycle[ii], Gartner pointed out that container security, though in the Innovation Trigger phase and not yet fully mature, developed at a rapid pace. Container security and security protection of the container ecology are both great security concerns of chief information officer (CIO) and chief information security officer (CISO) of enterprises which are set to deploy containers.

[1]Google Trends is a kind of service developed by Google to analyze the popularity of search queries in Google. It can compare the search volume of different queries over time or allows users to see how popular a specific search term have been across regions and over time.

[2]The y-axis indicates the search popularity of a keyword (relative to the top spot) at a given place and time. The popularity score is 100 for the most searched terms, 50 for the ones with half popularity of those searched most often, and 0 for such words without enough search volume.

[i] Gartner Identifies the Top Technologies for Security in 2017,https://www.gartner.com/newsroom/id/3744917

[ii] Gartner Releases the Hype Cycle for Cloud Security in 2017,https://www.gartner.com/newsroom/id/3797963

Figure 1.5 Closed loop of DevSecOps capabilities

As the container technology runs through the development, testing, and O&M phases of DevOps, security assurance is required throughout the lifecycle. For example, security assessment of open-source repositories and container images, orchestration security, and container runtime security are all on the to-do list of DevSecOps. Apart from that, container systems, applications, and networks in the actual operating environment also need security hardening, security detection, and security protection.

Containerization is essentially a virtualization technology at the operating system level. Once an attacker attacks a container by exploiting a kernel vulnerability in the operating system of a host, he or she will escape to the host to compromise other containers on it. In addition, the container system has a certain degree of insecurity and users tend to be short of aid from a professional security team when deploying and using a container. All these factors open up an opportunity of attack.

As containerization is a virtualization technology implemented between platforms and infrastructure, traditional cloud security solutions targeting infrastructure virtualization cannot solve all the above-mentioned security issues. For example, setting up a DevOps environment with containers as technical support requires a container security solution featuring a lifecycle starting from container image creation to production.

To sum up, security issues with containers and their operating environments need urgent survey and analysis. Having a thorough grasp of risks existing in container technologies and systems built on these technologies as well as appropriate coping policies is a primary premise of setting up a secure cloud-native environment.

References

[1] Kata Containers, https://katacontainers.io/

[1] Docker, https://github.com/docker

[1] Rocket, https://github.com/rkt/rkt

[1] Windows Containers, https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/

[1] Alibaba Pouch, https://github.com/alibaba/pouch

[1] Tainted, crypto-mining containers pulled from Docker Hub, https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/

[1] Containers At-Risk, A Review of 21,000 Cloud Environments, https://info.lacework.com/containers-at-risk-cloud-environments-review?_ga=2.217313366.1971398103.1529458438-615050303.1529458438

[1] CNNVD, http://www.cnnvd.org.cn/web/vulnerability/queryLds.tag?pageno=3&repairLd=

[1] https://docs.docker.com/enterprise/17.06/#17062-ee-6-2017-11-27

[1] https://github.com/moby/moby/pull/35484

[1] https://github.com/moby/moby/pull/35482

[1] https://github.com/moby/moby/pull/35424

[1] Gartner Identifies the Top Technologies for Security in 2017,https://www.gartner.com/newsroom/id/3744917

[1] Gartner Releases the Hype Cycle for Cloud Security in 2017,https://www.gartner.com/newsroom/id/3797963