Security in the Cloud: Xen, KVM, Containers
Or, Surviving and the Zombie Apocalypse
–Dan Walsh (Mr. SELinux)
“Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.”
–James Bottomley, Linux Maintainer and Parallels CTO
“There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozzo, we've been running secure containers for at least 10 years.”
–Jerome Petazzoni, Senior Software Engineer at Docker
“Virtual Machines might be more secure today, but containers are definitely catching up.”
–Theo de Raadt, OpenBSD project lead
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.”
"Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker." -Dan Walsh
"There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozzo, we've been running secure containers for at least 10 years." -James Bottomley
"Virtual Machines might be more secure today, but containers are definitely catching up." -Jerome Petazzoni
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes." -Theo de Raadt
Who am I?
What I’m going to talk about
Security and Risk
Vulnerabilities and Exploits
A vulnerability is a mistake.
Configuration vulnerabilities
Software vulnerabilities
Intel SYSRET
Zombie Apocalypse.
Every window is an opportunity to make a mistake
Every element of every interface is an opportunity to make a mistake
But does this really matter?
Would this affect a system configured reasonably for security?
Xen: Access to HV memory >5TiB during migration
Xen: Unsecured PV console parameters
Xen: 1 year, 1-4 known vulnerabilities
KVM: Escalation in vhost
KVM: PUSHA instruction emulation
KVM: vcpu hypercall boundary check
KVM: vlapic shared page crossing a page boundary
KVM: 1 year, 4 solid vulnerabilities
qemu: VMWare emulated device
qemu: virtio-net mac address update
qemu: 1 year, 2 known vulnerabilities
Linux: ping
Linux: tty race condition
Linux: ptrace and SYSRET
Linux: AIO, arbitrary read of kernel memory
Linux: Futex not checking if two pointers were different (2)
Linux: AMD math coprocessor
Linux: 2 months, 6 vulnerabilities
Hypervisors: Low (but not zero) risk
General-purpose containers: Not so good
Application-specific containers + seccomp2?
Questions?