What if I tell you there is no container, is just another process running on your machine - Container Security
2020-12-05, 15:05–15:55 (America/Mexico_City), Stream 4
Language: English

Container security is mostly built on Linux security mechanisms that already exist. In this talk we explore, at a high level, how processes work in Linux and how namespaces, cgroups and capabilities combine into what we commonly call "containers".


What if I tell you there is no container, is just another process running on your machine

Description

Container security is mostly built on Linux security mechanisms that already exist. In this talk we explore, at a high level, how processes work in Linux and how namespaces, cgroups and capabilities combine into what we commonly call "containers". The talk is divided into two parts, the offensive and the defensive security of Linux containers:

Container Offensive Security

Container escape and privilege escalation using containers

  • volume mounts
  • host network
  • pid boundary

Container Defensive Security

How to build more secure containers and runtime protections

  • scratch container
  • distroless
  • drop capabilities
  • seccomp
  • AppArmor
  • SELinux
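
The talk's premise, that a container is an ordinary process whose view of the system has been narrowed by namespaces and whose privileges have been trimmed by capabilities, can be shown in a few dozen lines of C. The program below is an added example, not code from the talk or the speaker. It unshares into new user, PID and UTS namespaces, forks a child that is PID 1 inside its own namespace while /proc/self on the host's procfs still reports the host PID (the pid boundary from the offensive list), renames the hostname, and decodes the effective capability set from /proc/<pid>/status so that the effect of dropping capabilities is visible by name. The capability bit numbers and names follow linux/capability.h; the hostname string, the function names and the two CAP_BIT_* constants are the example's own.

```c
/* Added example: a "container" is a process with narrower namespaces and fewer capabilities. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Capability names indexed by bit number, as numbered in linux/capability.h (bits 0..40). */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore"
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])
enum { CAP_BIT_NET_RAW = 13, CAP_BIT_SYS_ADMIN = 21 }; /* example's own constants */

/* Is capability bit `cap` set in `mask`? */
int has_cap(uint64_t mask, int cap) {
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Write the names of all set bits in `mask` to `out`, comma-separated
 * ("(none)" for an empty set), and return how many bits are set. */
int decode_caps(uint64_t mask, char *out, size_t outsz) {
    int count = 0;
    size_t used = 0;
    out[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!has_cap(mask, bit)) continue;
        count++;
        const char *name = (size_t)bit < NCAPS ? cap_names[bit] : "unknown";
        int n = snprintf(out + used, outsz - used, "%s%s", used ? "," : "", name);
        if (n < 0 || (size_t)n >= outsz - used) break; /* out of room: list is truncated */
        used += (size_t)n;
    }
    if (count == 0) snprintf(out, outsz, "(none)");
    return count;
}

/* Parse the CapEff line of /proc/<pid>/status (pid may be "self").
 * Returns 0 and fills *mask on success, -1 if the file or line is missing. */
int read_cap_eff(const char *pid, uint64_t *mask) {
    char path[64], line[256];
    int found = -1;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            *mask = strtoull(line + 7, NULL, 16); /* strtoull skips the tab */
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void) {
    char names[1024] = "";
    uint64_t eff = 0;
    if (read_cap_eff("self", &eff) == 0)
        printf("before unshare: %d effective caps [%s]\n",
               decode_caps(eff, names, sizeof names), names);

    /* New user, PID and UTS namespaces for this process's future children. Needs no
     * privilege where unprivileged user namespaces are enabled; under Docker's default
     * seccomp profile unshare() is refused with EPERM, which is the runtime protection
     * the defensive half of the talk is about. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS) != 0) {
        perror("unshare");
        return 1;
    }
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        char host[64] = "?", self[32] = "?";
        /* Full capabilities in the new user namespace include CAP_SYS_ADMIN over the new UTS ns. */
        if (sethostname("just-a-process", 14) != 0) perror("sethostname");
        gethostname(host, sizeof host);
        /* /proc is still the host's procfs, so /proc/self resolves to the host-visible PID. */
        ssize_t n = readlink("/proc/self", self, sizeof self - 1);
        if (n >= 0) self[n] = '\0';
        if (read_cap_eff("self", &eff) == 0) decode_caps(eff, names, sizeof names);
        printf("getpid() in new pid ns: %d; /proc/self on host procfs: %s\n", (int)getpid(), self);
        printf("hostname in new uts ns: %s\n", host);
        printf("effective caps inside new user ns: %s\n", names);
        return 0;
    }
    int status;
    waitpid(child, &status, 0);
    return 0;
}
```

Compile with `cc -o nocontainer nocontainer.c` and run it as an unprivileged user: the "before unshare" line reports an empty capability set, the child reports PID 1 from getpid() while /proc/self names the host PID, and the capability list inside the new user namespace is the full 41 names. Feed `decode_caps` the CapEff value of a default Docker container, 00000000a80425fb, and it lists the 14 capabilities Docker keeps by default (no sys_admin among them); under `docker run --cap-drop ALL` the same read yields "(none)".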

Lenin Alevski is an Application Security Engineer at MinIO. Before joining MinIO, Lenin worked at OneLogin, Oracle and Websec Mexico as a software engineer, security consultant and penetration tester. He is very passionate about startups, security & privacy, CTFs, blockchain and home automation. He also enjoys giving talks and workshops about security. Follow Lenin on Twitter @alevskey.