Matthew Garrett@mjg59 | mjg59@coreos.com | coreos.com

Building trustworthy containers

Security is a tough sell

Convenience often beats security

How can we ensure security wins?

Make the secure solution the better solution

Telnet

rsh

ssh

or increase social pressure

Lets Encrypt

Many other security stories have been failures

SELinux

Seccomp

Trusted Computing

So, why do people want containers?

Ease of deployment

Ease of development

Containers let us think differently

Containers give us well-defined interfaces

Containers let us treat different code differently

Containers move much security to the runtime

SELinux today:

Write some software

Ship it

Discover SELinux blocks it on RHEL

Write SELinux policy

Discover SuSE ship different SELinux policy

sudo setenforce 0

SELinux with containers:

Write software

Package container

Thats it

No, really, thats it

Container runtime does the rest

But what about bundled libraries?

Static analysis works

Paradoxically, may be easier

Not all OpenSSL use is equally security critical

More aggressive updates of each container

Containers are better than the status quo

but can we do even more?

You cant build security on shaky foundations

Container security depends on OS security

General purpose operating systems are hard

Without defined use-cases, security is difficult

Lets build specific-purpose operating systems

A truly immutable OS

Cryptographically verified filesystem

Trusted Computing

A trustworthy base to build on

But what next?

Signed container images

Measure the container images into the TPM

Verifiable audit trail

Taking things even further

Not all containers are equal

Can we isolate further?

(We can isolate further)

VM-based isolation

Deploy and manage identically

All the security benefits of full VMs

We can build secure container infrastructure

We can place trust in our containers

Thank you!

Matthew Garrett@mjg59 | mjg59@coreos.com Were hiring in all departments! Email: careers@coreos.com Positions: coreos.com/ careers