Linux Container Security

Oct. 23rd, 2014 08:44 am
[personal profile] mjg59
First, read these slides. Done? Good.

Hypervisors present a smaller attack surface than containers. This is somewhat mitigated in containers by using seccomp, selinux and restricting capabilities in order to reduce the number of kernel entry points that untrusted code can touch, but even so there is simply a greater quantity of privileged code available to untrusted apps in a container environment when compared to a hypervisor environment[1].

Does this mean containers provide reduced security? That's an arguable point. In the event of a new kernel vulnerability, container-based deployments merely need to upgrade the kernel on the host and restart all the containers. Full VMs need to upgrade the kernel in each individual image, which takes longer and may be delayed due to the additional disruption. In the event of a flaw in some remotely accessible code running in your image, an attacker's ability to cause further damage may be restricted by the existing seccomp and capabilities configuration in a container. They may be able to escalate to a more privileged user in a full VM.

I'm not really compelled by either of these arguments. Both argue that the security of your container is improved, but in almost all cases exploiting these vulnerabilities would require that an attacker already be able to run arbitrary code in your container. Many container deployments are task-specific rather than running a full system, and in that case your attacker is already able to compromise pretty much everything within the container. The argument's stronger in the Virtual Private Server case, but there you're trading that off against losing some other security features - sure, you're deploying seccomp, but you can't use selinux inside your container, because the policy isn't per-namespace[2].

So that seems like kind of a wash - there's maybe marginal increases in practical security for certain kinds of deployment, and perhaps marginal decreases for others. We end up coming back to the attack surface, and it seems inevitable that that's always going to be larger in container environments. The question is, does it matter? If the larger attack surface still only results in one more vulnerability per thousand years, you probably don't care. The aim isn't to get containers to the same level of security as hypervisors, it's to get them close enough that the difference doesn't matter.

I don't think we're there yet. Searching the kernel for bugs triggered by Trinity shows plenty of cases where the kernel screws up from unprivileged input[3]. A sufficiently strong seccomp policy plus tight restrictions on the ability of a container to touch /proc, /sys and /dev helps a lot here, but it's not full coverage. The presentation I linked to at the top of this post suggests using the grsec patches - these will tend to mitigate several (but not all) kernel vulnerabilities, but there's tradeoffs in (a) ease of management (having to build your own kernels) and (b) performance (several of the grsec options reduce performance).

But this isn't intended as a complaint. Or, rather, it is, just not about security. I suspect containers can be made sufficiently secure that the attack surface size doesn't matter. But who's going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there's been something of a dearth of contributions from the companies who sell container-based services. Meaningful work here would include things like:

  • Strong auditing and aggressive fuzzing of containers under realistic configurations
  • Support for meaningful nesting of Linux Security Modules in namespaces
  • Introspection of container state and (more difficult) the host OS itself in order to identify compromises

These aren't easy jobs, but they're important, and I'm hoping that the lack of obvious development in areas like this is merely a symptom of the youth of the technology rather than a lack of meaningful desire to make things better. But until things improve, it's going to be far too easy to write containers off as a "convenient, cheap, secure: choose two" tradeoff. That's not a winning strategy.

[1] Companies using hypervisors! Audit your qemu setup to ensure that you're not providing more emulated hardware than necessary to your guests. If you're using KVM, ensure that you're using sVirt (either selinux or apparmor backed) in order to restrict qemu's privileges.
[2] There's apparently some support for loading per-namespace Apparmor policies, but that means that the process is no longer confined by the sVirt policy.
[3] To be fair, last time I ran Trinity under Docker under a VM, it ended up killing my host. Glass houses, etc.
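The post's point about attack surface rests on two knobs, seccomp and the capability bounding set, and the kernel reports both in /proc/&lt;pid&gt;/status. The following is an added example (mine, not mjg59's) that decodes those fields so an operator can check what a container process is actually confined by; the capability bit numbers follow the kernel's include/uapi/linux/capability.h, the two status blobs are constructed samples, and the "broad" capability list is my own selection.

```python
import re

# Capability bit numbers as defined in include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# My own selection (an assumption, not from the post) of capabilities that
# leave a large amount of privileged kernel code reachable from a container.
BROAD_CAPS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
              "dac_read_search", "net_admin", "mac_admin", "bpf"}

# Values of the "Seccomp:" field in /proc/<pid>/status (Linux 3.8 and later).
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

def decode_caps(mask_hex):
    """Expand a CapXxx hex bitmask into the set of capability names it grants."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}

def audit_status(status_text):
    """Summarise seccomp mode and capability sets from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", status_text, re.MULTILINE))
    bounding = decode_caps(fields.get("CapBnd", "0"))
    seccomp = SECCOMP_MODES.get(int(fields.get("Seccomp", "0")), "unknown")
    broad = sorted(bounding & BROAD_CAPS)
    warnings = []
    if seccomp == "disabled":
        warnings.append("no seccomp filter: every syscall is a reachable entry point")
    for cap in broad:
        warnings.append(f"cap_{cap} in bounding set keeps broad kernel reach")
    return {"seccomp": seccomp, "bounding": bounding,
            "effective": decode_caps(fields.get("CapEff", "0")),
            "broad_caps": broad, "warnings": warnings}

# Constructed samples: a container with a Docker-style default bounding set
# and a seccomp filter, and a "privileged" one with everything and no filter.
SAMPLE_CONFINED = "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
SAMPLE_PRIVILEGED = "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    for label, text in (("confined", SAMPLE_CONFINED), ("privileged", SAMPLE_PRIVILEGED)):
        report = audit_status(text)
        print(f"{label}: seccomp={report['seccomp']}, "
              f"{len(report['bounding'])} caps in bounding set")
        for warning in report["warnings"]:
            print("  WARNING:", warning)
```

On a live host, feed it the contents of /proc/&lt;pid&gt;/status for the container's init process as seen from the host; a confined result still says nothing about how tight the seccomp filter itself is.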

3 weeks at home

Oct. 22nd, 2014 04:17 pm
[personal profile] pleia2

I am sitting in a hotel room in Raleigh where I’m staying for a conference, but prior to this I had a full 3 weeks at home! It was the longest stretch I’ve had in months, even my gallbladder removal surgery didn’t afford me a full 3 weeks. Unfortunately during this blessed 3 weeks home MJ was out of town for a full 2 weeks of it. It also decided to be summer time in San Francisco (typical of early October) with temperatures rising to 90F for several days and our condo not cooling off. Some days it made work a challenge as I sometimes fled to coffee shops. The cats didn’t seem amused by this either.

The time at home alone did give me a chance to chill out at home and listen to the Giants playoff games on the little AM radio I had set up in our living room. As any good pseudo-fan does I only loosely keep up with the team during the actual season, going to actual games only here and there as I have the opportunity, which I didn’t this year (too much travel + gallbladder). It felt nice to sit and listen to the games as I got some work done in the evenings. I did learn how much modern technology gets in the way of AM reception though, as I listened to the quality tank when I turned on the track lighting in my living room or random times when my highrise neighbors must have been doing something.

Fleet week also came to San Francisco while I was home. I think I’ve only actually been in town for it twice, so it was a nice treat. To add to the fun I was meeting up with a friend to work on some OpenStack stuff on Sunday when they were doing their final show and her office offers amazing floor to ceiling windows with a stunning view of the bay. Perfect for watching the show!

I also did manage to get out for some non-work social time with a couple friends, and finally made it out to Off the Grid in the Marina for some street food adventuring. I hadn’t been before because I’m not the biggest fan of food trucks, the food is fine but you end up standing while eating, making a mess, and not getting a meal for all that cheaper than you would if you just went to a proper restaurant with tables. Maybe I’m just a giant snob, but it was an interesting experience, and I got to take the cable car home, so that’s always fun.

And now Raleigh. I’m here for All Things Open which I’ll be blogging about soon. This kicked off about 3 weeks away from home, so I had to pack accordingly:

After Raleigh I’ll be flying to Miami for a cousin’s wedding, then staying several extra days in a beach hotel where I’ll be working (and taking breaks to visit the ocean!). At the end of the week I’m flying to Paris for the OpenStack Summit for a week. I’ve never been to Paris before so I’m really looking forward to that. When the conference wraps up I’m flying back stateside for another wedding for a family member, this time in Philadelphia. So during this time I’ll get to see MJ twice, as we meet in cities for weddings. Thankfully I head home after that, but then we’re off for a proper vacation a few days later – to Jamaica! Then maybe I’ll spend all of December in a stay-at-home coma, but I’ll probably end up going somewhere because apparently I really like airplanes. Plus December would be the only month I didn’t fly, and I can’t have that.

Originally published at pleia2's blog. You can comment here or there.

Quantum State of the Beable

Oct. 22nd, 2014 12:45 pm
[personal profile] beable
(In particular for those not on FB): Yes, I work downtown, however am safe.

Building is in lockdown, cell phone only semi-functional because of congestion on cell network.

How to Hate a Book

Oct. 20th, 2014 12:48 pm
[personal profile] altamira16
About a week ago, the blogger formerly posting at Requires Hate wrote something friends locked on Twitter that made me wonder what was going on in her life. I started reading her when [livejournal.com profile] nihilistic_kid mentioned her as a potential recipient of a literary award for the best fan blogs.

At first, she was making fun of Charlaine Harris books for being racist, and I thought that her view point was interesting and way over the top. But then she started writing about anime, and I just cannot care about anime.

A few days ago, my sister gave me the link to this piece by an author named Hale who obsesses over a Goodreads reviewer. I didn't read the whole thing because it just seemed so neurotic, but again it reminded me of the person writing the Requires Hate blog because she had many words about how much she hated various books. I thought that Hale, the neurotic author, would hate her. (If you look at my book reviews here, I usually spend more time writing about things that I dislike than things that I like. I use blogging to work out my grievances sometimes. There are just a lot more people who are a lot more verbose about that type of thing.)

Anyway, today the "Requires Hate" blogger wrote an entry apologizing for some of her reviews. It seems like this happened because someone exposed her identity. Apparently, she has a new book coming out soon.

Hello Superhero

Oct. 18th, 2014 06:36 pm
[personal profile] beable
I normally hate pink, but I will make an exception for these utterly adorable pink Hello Kitty superheroes.

(especially Hawkeye)

http://diply.com/trendyjoe/avengers-other-superheroes-get-a-hilarious-hello-kitty/51166
[personal profile] beable
One of my friends was talking about teaching students (older ones, either high school or college aged) how to remember which months have 30 days and which have 31 by use of an old childhood rhyme (the 30 days hath November ... one).

The comments quickly moved on to alternate calendar ideas and why they would be better.

So I suggested the following:

Beable: I dunno. I think it would be really cool if we had a nice simple lunar calendar that was consistently 30 days (except occasionally, some months it would be 29 depending on what day of the week the 1st day started on). And we wouldn't want to get too out of sync with the seasons, so approximately 11 out of every 19 years we would have a leap month to keep ourselves roughly aligned with the seasons. Wouldn't that make an awesome calendar? Someone should invent that one!

Beable: Oh wait ....

Beable: My favourite thing about this calendar is the quote from Maimonides explaining that the mathematics for figuring out the calendar is so simple that even schoolchildren can learn how to do so within 3-4 days. Which might be what Tom Lehrer ACTUALLY meant in the New Math when he talked about it being "so simple, so very simple, that only a child can do it!"

...

It is now entirely clear to me that Tom Lehrer and Moses Maimonides are THE SAME PERSON.

If Tom Lehrer is still alive, I exhort you all to run up to him beaming and yell "Shalom Rambam!". If he acknowledges the greeting, we will know the truth.
[personal profile] puzzlement
More in my SFF reading project:

I listened to John Chu's reading of his short story The Water That Falls on You From Nowhere. It's a sweet story. I didn't realise until it was discussed on Galactic Suburbia recently that I had both lost and gained something by listening to it rather than reading it: specifically, hearing the Mandarin words has a different effect, I think, for a non-speaker, than seeing them written.

I'm hoping to do a lot more listening to shorter stories. It's not a format I've spent much time with. I'd like to try "The Lady Astronaut of Mars" in audio (as originally published, in that case), although it's a pain that I need to buy an entire collection to do so.

This week I've read Mary Robinette Kowal's Glamourist Histories (the four published books, of course). I'd actually read Shades of Milk and Honey a year or two ago, when there was some issue with e-books not being easily available so I stopped there. I intended to start with Glamour in Glass this time but didn't remember enough of Milk and Honey, so re-read it.


Next up: I want to read along with [personal profile] kate_nepveu's Strange and Norrell re-read. (I've read S&N two or three times before.) Crap, already behind. Aside from that I'm thinking I will read Ancillary Justice and then if I like it, Ancillary Sword. I read the first 20 pages or so of the former and it seemed interesting, although I think it's part of a cultural conversation I have read essentially nothing of. (Spaceships with personalities.)

I wondered if all this Regency-with-magic meant I should check in on Age-of-Sail-with-dragons (Temeraire), which I last read when Tongues of Serpents came out. I didn't stop there just because that was the latest one: there's an unflattering review in a locked DW back in the day about the poor Australian history in that, and, speaking as someone who lives in NSW, it seriously lacks a sense of place. However, I might look back in on it when the very last one comes out, and see how it finished up, just for the sense of completion.
[personal profile] shadowspar

...when dealing with difficult people on the Internets.


SEEMS LEGIT

Oct. 12th, 2014 11:10 pm
[personal profile] shadowspar
CW: Gamergate...

"Stay safe"

Oct. 11th, 2014 12:19 pm
[personal profile] badgerbag
I get somewhat annoyed when I see people saying "stay safe". What the hell people? Is the point of life to stay safe? Since when?! Especially weird when saying it to women who get death threats on Twitter. What are they supposed to do to stay safe? Go into hiding? I mean, I've seen several people DO that. I fucking refuse to ever do that. Seriously fuck it.

Also weirdly irksome, when people say it to journalists going into war zones. I know what people mean is, I hope you come back ok from this. Still, if they were planning on staying safe they wouldn't go into a war zone to report from the front lines.

Annoying recent fad of language. I don't think I ever heard anyone say "stay safe" before about ... maybe 10 years ago, maybe less. When I hear it I hear a double message of "I'm worried about you" and "Be afraid and in fact I'm judging you right now for not being afraid and behaving cowardly enough and whatever happens to you is your own fault".

Curmudgeonishly, me.

Chaff and flares; flares and chaff

Oct. 11th, 2014 04:20 am
[personal profile] shadowspar

Serious trigger warning for violent misogyny, harassment, abuse, and threats.

Seriously, TW for GamerGate and all the things associated therewith.

The smell of wealth

Oct. 10th, 2014 10:43 pm
[personal profile] badgerbag
In a book I'm reading right now (the dragons in Detroit one) the protagonist notices "the smell of wealth" as he joins a horrible sibling for dinner. Apparently the smell of wealth in this fancy restaurant is hardwood and truffle oil. Fair enough. I suddenly wondered what the smell of wealth would be or not be for different people.

Things that are definitely not the smell of wealth:
* Pine-sol
* Patchouli
* Feet-smelling carpet in the YMCA dressing room
* Those air freshener candles in the gross smelling aisle at the drug store

Add your own to this list. It has a lot of potential.

I then had a memory not for the first time of this amazing lady I used to work with. We didn't work together directly, but were acquaintances from different departments and I would be around her in various work contexts. She was a couple levels of hierarchy up from me. Once at dinner I was suddenly struck by realizing she was wearing like, a super simple sheath dress and some sandals and nothing else noticeable, with her hair in a ponytail. But she looked wealthy in a way I could not fathom. Why did she look like she was sort of burnished and definitely rich? It came down to I think, plastic surgeries, and super white teeth, and years of very regular spa visits. Like she must have got not just her hair cut every week but had the full run of things that can happen to you in a day spa/salon (a thing I was only dimly aware of at the time.) She absolutely glowed. Nothing was out of control or out of place and she also projected an air of being extremely relaxed. She was also *nice* all the time. It was very odd. Her simple dress was also very structured and perfectly tailored to her. If you look around in the world, most 60 year old people don't look like that. I think celebrities must do this high level of work to look super polished. (This was near L.A., so she wasn't the only one to look like this.) To me that is what wealthy looks like. They look like perfect dolls of humans. It isn't even the amount of consistent long term labor that goes into it. It's like the lifetime of never dropping that labor. And being really relaxed and comfortable because of leisure, at the same time. It was just their normal. It goes so far beyond a regular person's dressing up for an occasion (like, you can't get there by just doing your hair.)

Middle class people (when I'm definitely in middle class landia and not strange silicon valley land where different signifiers hold true) look like the current season's mall clothes. This is unmistakeable. Most of the people getting off a plane from Dallas or Houston will be wearing a current Mall from head to toe and it won't be more than 6 months old, not a fray or an inkstain.

This has been my painkiller fueled ramble of the day. You're welcome.

Ancillary Sequel

Oct. 10th, 2014 10:48 pm
[personal profile] beable
The sequel to Ancillary Justice - Ancillary Sword - has just been released.

Same format (trade paperback) as Ancillary Justice.

And for those of you who haven't yet read Ancillary Justice, it's both the most interesting, moving, and creative SF book I have read this year. It really stood out for me as an example of excellence.