Leveraging the Serverless Architecture for Securing Linux Containers
NiltonBila, PaoloDettori,Ali Kanso, YujiWatanabe*, Alaa YoussefIBMT.J. WatsonResearchCenter –NewYork
*IBMResearch- Tokyo, IBM Japan Ltd.
Ali Kanso, PhDSenior CloudSWEngineerIBMT.J. Watson,NY
Leveraging the Serverless Architecture for Securing Linux Containers
ShippingCode
Binary• exe• elf
Packaged• JAR• WAR• Gem
Containerized
• Images(dockerfiles)
ButContainerimagescanhavevulnerabilities bakedinthem!
SoftwareVulnerabilitiesPackageVu
lnerability
E.g.: Ghost Vulnerability in gLibclibrary < 2.18
(2000à2013)
ConfigurationVu
lnerability
E.g.: OpenSSH installed &#PasswordAuthenticationyes#PermitEmptyPasswords
Yes (or even no)
MalwareSignature
E.g.:- Viruses- Worms
- SpyWares- Trojan Horses
ScanningforVulnerabilities
IBMVulnerabilityAdvisor
Docker SecurityScanning
ü Scanimagesanddeployedcontainersü Vulnerabilitiesininstalledsoftwarepackagesü Securityconfigurationchecksü Malwaresignaturedetection
ClusteringContainers
Clusteringcanbeoverwhelming
Kubernetescanhelp
WhatisKubernetes?
Applications Containerized Clustered
Kubernetesmaster
Kubernetesagent
ContainerizedappsContainerizedappsContainerizedappsü Schedulingü Monitoringü Recoverymanagementü Auto-scalingü Authorization/Authentica
tion…
MasterNode
WorkerNode(Minion)
ü Monitoringü Reportingü Executingmaster’s
recommendations…
KubernetesResourceOrganizationExamplepoddescription
kind:Podmetadata:name:myPodspec:containers:- name:sleep-foreverimage:pause:0.8.0resources:limits:memory:1000Mi
K8sAPIs
CoreGroup ExtensionsGroupmonolithicv1API
RESTpath/api/v1ü Podsü Servicesü Replicationcontrollersü Resourcequotasü Nodesü Endpointsü …
RESTpath/apis/extensions/$VERSIONü Deploymentsü HorizontalPodAutoscalersü Ingressü Jobsü DaemonSetsü Thirdpartyresourcesü …
K8sOperators
K8sAPI Thirdpartyresources Operators<<Leverage>><<Extend>>
K8sThirdPartyResource(TPR)
K8sMaster(APIserver)
APIpathØ TPR
Ø SecurityactionsØ quarantine<<CRUDoperations>>
Third-PartySoftware(executable)
<<Watch&react>>
Controller:bridgingtheactualstatewiththedesiredstate
Resourceinstance:reflectingthedesiredstate
Securityaction,toquarantine ordelete container
http://192.168.0.15:8080/apis/myorg.com/v1/namespaces/default/securityactions/quarantine
KubernetesLimitation• K8sdoesnotimplementtheneededrangeofactionstocontainathreat
– Limitedto:Killpod,Rolling-Upgrade(involveskilling)PackageVu
lnerability
Quarantineuntil patched
ConfigurationVu
lnerability
Gracefully shutdown and preserve state for future investigation
MalwareSignature
Immediate kill
Weneedtohaveseverity-basedactions!
IntroducingtheSecurityEnforcementOperator
Kubernetesmaster KubernetesWorker
K8sAPI-server
Docker Docker
OS
PodsPods
OS
SEO
ü Quarantine/Unqarantineü Pause/unpauseü Stop/startü Fast-deleteü Graceful-delete
Net-plugin
Basedonscanningresults
VulnerabilityScanner
RegistryMonitorK8sWorkersImageRegistries VS-agent
scanimages
K8sWorkersK8sWorker Nodes
VS-agent
PodsPods
scandeployedcontainers
containerconfigurationinformation
ThreadIntelligenceingestthreatdata
periodically
VulnerabilityScanner
securityconfigurationchecks
packagevulnerabilitydetection
malwaresignaturedetection
?Notification+summaryofvulnerabilityfindings
(ReportfromVulnerabilityAdvisor)
imageconfigurationinformation
VSReportExample• Identifyspecificsoftwarepackageversionsinthecontainerwithdisclosedvulnerabilities
• Identifyspecificissueswiththecontainerconfigurations
Leveraging the Serverless Architecture for Securing Linux Containers
K8sWorkers
VS
OpenWhisk
K8sAPIserver
K8sWorkers
CRUDoperations
VS-agentSEO
PodsPods
K8sAPIserver
PoliciesPolicies
Add/Remove/ModifyActionbasedpolicies
IntroducingOpenWhisk
?
WhyOpenWhisk?
• OpenWhisk istheGluebetweenVSandK8s,itenables:– Different policies fordifferentusers–Multiple Clusters registertothesameOpenWhisk deployment
– Central point ofpolicymanagementacrossclusters
Actionbasedpolicies
ReportAPIandNotificationsonVulnerabilityScanner
• SupportsscansformultipleregisteredKubernetesclusters.• ProvideRESTful APIsforaccesstoVulnerabilityreportsforeachcontainer
• UseauthenticationtokentorestrictaccesstoclusterdataatthegranularityofKubernetesnamespaces.
• NotifyeventswithnewvulnerabilityfindingstoregisteredOpenWhisk APIendpoints.
• TriggeractioninvocationstotheOpenWhisk APIendpointsregisteredfortheKubernetescluster.
Notifications
• UsercreatesactionwithknownURLendpoint:– https://openwhisk.ng.bluemix.net/api/v1/web/<USER>/policy
• VulnerabilityScannerpostsvulnerabilitynotificationtopolicyendpoint
{“clusterid”: “xyz”,“podid”: “nginx- 3382653011-3p4p0”,“vulnerability_type”: “package”,“vulnerability_status”: “vulnerable”
}
PerUserPolicy!
• import vsimport kubernetes
def main(params):findings = vs.get_findings(pod_id, timestamp) vulnerable_packages = findings['vulnerable_packages'] insecure_configs = findings['insecure_configurations']
if len(vulnerable_packages) > 0: kubernetes.snapshot(pod_id) kubernetes.terminate_graceful(pod_id)return {'text': 'Deleted pod ' + pod_id }
if 'remote_shell_installed' in insecure_configs:kubernetes.quarantine(pod_id)return {'text': 'Quarantined pod ' + pod_id}
return {'text': 'Container was not modified ' + pod_id}
Serverless Policy
Terminate_faste(pod_id)
User1: marketing
User2: accounting
Terminated pod
VS OpenWhisk SEOK8s Networking
QuarantinePod
Podquarantined
Threatcontained
Quarantinecontainer(s)
Container(s)quarantined
NewPodcreatedScanningtriggered
Vulnerabilityfound
QuarantinePod
Executepolicy
InteractionSummary
RelatedWork
SecuringContainers
Starlight implementsakernelmodulethatinterceptslocaloperationsoneachhostandpassesthemtoalocalagentwhichinturnpassesthemtoaneventprocessorthatanalyzestheeventand
determineswhetherornottoalerttheadmin.
LiCShield generatesAppArmor profilesbytracingthecontainerengine(Docker daemon)
duringthebuildandtheexecutionofthecontainers.
UsingServerless intheCloud
Lambdefy frameworktodemonstratethedifferingrequirementsbetweenapplicationsdeployedtoIaaS andapplicationsdeployedasacloudevent,andMediaManagementSystemforshowinghigh
scalabilityofimageresizingtasksonLambda.
ContainerScanners
OpenSCAP (SecurityContentAutomationProtocol)searchesforanappropriatefixelement,resolvesit,preparestheenvironment,andexecutesthefixscript.
Docker SecurityScanningcanscanimagesinprivaterepositoriestoverifythattheyarefreefromknownsecurityvulnerabilitiesorexposures,andreporttheresultsofthescanforeachimagetag
That’sit!Questions?
Leveraging the Serverless Architecture for Securing Linux Containers
OpenWhisk
KubernetesVulnerability scannerSecurity Enforcement Operator