Containers have revolutionized the way we do application development, but, as with most new technologies, their adoption in the enterprise is (rightfully) hindered by genuine security concerns. Ultimately, containers can bring huge security benefits not found in traditional infrastructure. But with new technologies come new risks.
Containers enable things to happen faster, so while this means faster deployments, it also means faster failures. And while containers are great for isolating valuable data, a container is also itself holding valuable data, so the more you put into a container, the more you have to trust everyone (and everything) that has access to it and that it can access. Containers also provide some security properties, including version management, an expression of intent, and often a reduced attack surface. However, it is important to understand that although the organizational isolation of containers is what enables these security properties, isolation itself is not a security property of containers.
Capsule8’s Kelly Shortridge does an excellent job explaining the various facets of container security, the challenges, and the representative vendors in the space in her post, “Container Security: Nobody Knows What It Means but It’s Provocative.” Part of the reason why the space itself is so confusing, as Kelly explains, is that containers are used by different teams in different contexts, and container security could mean different things to each of them: for example, scanning image repositories for vulnerabilities, managing credentials for container deployment, or monitoring running containers for unwanted activity.
And as the use of containers in production Linux environments continues to increase, so does the interest in how the technology responsible for containers can be used and abused to break free from the confines of a container. What it boils down to is this: the ability to escape containers is not confined to a one-off vulnerability in container management programs or orchestrators.
As Capsule8 Researcher Nick Freeman explains in his post, “An Exercise in Practical Container Escapology,” containers are just processes, and as such they are governed by the kernel like any other process. Thus, any kernel-land vulnerability that yields arbitrary code execution can be exploited to escape a container.
If you’re interested in seeing a container escape live, you should register for our live webcast, “Linux & Containers: Brandon and Nick Hack Things Live.” Capsule8 researchers Brandon Edwards and Nick Freeman will perform live hacking walk-throughs of common container escape patterns and the signals they leave behind. This will be demo-heavy and will focus on user-mode helpers and kernel exploits; watch the demo gods make fools of them live!
As an attendee you’ll:
- Learn common patterns utilized in container escape exploits
- Gain practical advice to secure your containerized environments
- Identify when container escapes have occurred by remnants in data logs
- Have the opportunity to ask questions throughout the session