ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Similar documents
TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

64-bit ARM Unikernels on ukvm

Virtual Machine Security

CSC 5930/9010 Cloud S & P: Virtualization

How Container Runtimes matter in Kubernetes?

, Inc

CSE543 - Computer and Network Security Module: Virtualization

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

A Secure Update Architecture for High Assurance Mixed-Criticality System Don Kuzhiyelil Dr. Sergey Tverdyshev SYSGO AG

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

CSE Computer Security

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

TEN LAYERS OF CONTAINER SECURITY

CSE543 - Computer and Network Security Module: Virtualization

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

Technical Brief Distributed Trusted Computing

CSE543 - Computer and Network Security Module: Virtualization

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

[Docker] Containerization

Hacking and Hardening Kubernetes

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Docker and Oracle Everything You Wanted To Know

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

Operating system hardening

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Module 1: Virtualization. Types of Interfaces

Multi-tenancy Virtualization Challenges & Solutions. Daniel J Walsh Mr SELinux, Red Hat Date

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Welcome to SUSE Expert Days 2017 Service Delivery with DevOps

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

Container Deployment and Security Best Practices

Secure Containers with EPT Isolation

Infrastructure Security 2.0

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Simple custom Linux distributions with LinuxKit. Justin Cormack

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Multi-Arch Layered Image Build System

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Alpine Linux Documentation

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

A Security State of Mind: Container Security. Chris Van Tuin Chief Technologist, West

The speed of containers, the security of VMs

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Hypervisors on ARM Overview and Design choices

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Jim Gallagher Senior Technical Marketing Lead, MontaVista Software

Kubernetes The Path to Cloud Native

The speed of containers, the security of VMs. KataContainers.io

Docker Security. Mika Vatanen

Oracle Solaris Virtualization: From DevOps to Enterprise

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

ovirt Node June 9, 2012 Mike Burns ovirt Node 1

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

#techsummitch

Course Overview This five-day course will provide participants with the key knowledge required to deploy and configure Microsoft Azure Stack.

Xen on ARM. Stefano Stabellini

VMWARE PIVOTAL CONTAINER SERVICE

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

AWS Integration Guide

THE ROUTE TO ROOTLESS

Security: The Key to Affordable Unmanned Aircraft Systems

Cloud Computing Virtualization

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Microsoft Azure Stack Hybrid Cloud. The Modern System Architecture

Industry-leading Application PaaS Platform

Travis Cardwell Technical Meeting

/ Cloud Computing. Recitation 5 February 14th, 2017

I/O and virtualization

OS Security IV: Virtualization and Trusted Computing

Investigating Containers for Future Services and User Application Support

Patching and Updating your VM SUSE Manager. Donald Vosburg, Sales Engineer, SUSE

Red Hat Roadmap for Containers and DevOps

Deployment Patterns using Docker and Chef

IoT devices: secure boot and sw maintenance. Open IoT Summit Igor Stoppa

Allowing Users to Run Services at the OLCF with Kubernetes

Securing the container platform

Dockerized Tizen Platform

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

A Survey on Security Isolation of Virtualization, Containers, and Unikernels

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Categorizing container escape methodologies in multi-tenant environments

Containers: Exploits, Surprises, And Security

VMware Fusion Tech Preview 2017: API/CLI Getting Started Guide

Security oriented OpenShift within regulated environments

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Transcription:

ViryaOS RFC: Secure Containers for Embedded and IoT A proposal for a new Xen Project sub-project Stefano Stabellini @stabellinist

The problem Package applications for the target Contain all dependencies Easy to update, Independent lifecycle Run applications on the target Run in isolation No interference between applications

The problem Package applications for the target Contain all dependencies Easy to update, Independent lifecycle Run applications on the target Run in isolation No interference between applications

The problem Package applications for the target Contain all dependencies Easy to update, Independent lifecycle Run applications on the target Run in isolation No interference between applications

Packaging vs. Runtime OCI Image Spec vs. OCI Runtime Spec

Containers!= Linux Namespaces Docker Registry Cloud-Native App Cloud-Native App App binaries App binaries Cloud Native App (rootfs + manifest) Docker App libraries App libraries Linux Namespaces Linux Namespaces Linux Namespaces Linux Kernel

Kat -Run

The problem with Linux namespaces

Secure By Default Cloud-native App Cloud-native App Cloud-native App POSIX Linux kernel

Secure By Default Large surface of attack Cloud-native App Cloud-native App Cloud-native App On average, 3 privilege escalation vulnerabilities per Linux release! POSIX Linux kernel

Secure By Default Large surface of attack Malicious App Cloud-native App Cloud-native App On average, 3 privilege escalation vulnerabilities per Linux release! POSIX Linux kernel

Secure By Default Large surface of attack Malicious App Cloud-native App Cloud-native App On average, 3 privilege escalation vulnerabilities per Linux release! POSIX Linux kernel

Secure By Default Large surface of attack Malicious App Cloud-native App Cloud-native App On average, 3 privilege escalation vulnerabilities per Linux release! POSIX Linux kernel

Secure By Default Large surface of attack Malicious App Cloud-native App Cloud-native App On average, 3 privilege escalation vulnerabilities per Linux release! POSIX Linux kernel

Security hardening techniques From Understanding and Hardening Linux Containers by NCC Group: Run unprivileged containers (user namespaces, root capability, dropping) Apply a Mandatory Access Control system, such as SELinux Build a custom kernel binary with as few modules as possible Apply sysctl hardening Apply disk and storage limits Control device access and limit resource usage with cgroups Drop any capabilities which are not required for the application within the container [...]

Security hardening techniques [...] Use custom mount options to increase defense in depth Apply GRSecurity and PAX patches to Linux Reduce Linux attack surface with Seccomp-bpf Isolate containers based on trust and exposure Logging, auditing and monitoring is important for container deployment Use hardware virtualization along application trust zones

Security hardening techniques Securing Linux namespaces is possible but very difficult It requires specific knowledge of the cloud-native app Auditing and monitoring should be performed everywhere Using virtualization for isolation is still recommended

Linux Namespaces: very embedded problems Mixed-criticality workloads are not supported Limits on resources utilization hard to enforce Real-time support is difficult Certifications are very difficult

An Example: Singularity Containers are a great packaging format Linux Namespaces are not suitable for all use-cases Singularity: bringing Docker containers to HPC https://goo.gl/5cw9uh

The Solution for Embedded and IoT: Xen As Containers Runtime Security, Isolation and Partitioning Multi-tenancy Mixed-criticality workloads Hardware access to applications Real-time support ViryaOS: a ready-to-use runtime environment for VMs and Secure Containers

The problem #2 Cross-building multiple VMs is difficult Assembling the output in a single runnable image is a manual process

Embedded and IoT use patterns Typically users know all the VMs they need beforehand They still need to: build them all, plus Xen and Dom0 install all images on target partition the hardware using device assignment edit the Dom0 device tree generate appropriate device trees for DomUs with device nodes plan for image upgrades and security fixes

It s a lot of work!

You think this is bad enough......then you try disaggregation

Current status Everybody has their own scripts and handcrafted solutions They are limited Only target one use-case Limited support for driver domains and service domains Only support one hardware platform We would all benefit from a unifying effort

ViryaOS A proposal for a new Xen Project sub-project

ViryaOS A Secure Xen based runtime Containers supported natively A turnkey solution A Flexible build system Supports aarch64 and x86_64 Targeted at Embedded and IoT

ViryaOS User App User App App ViryaOS Build BUILD RUNTIME

ViryaOS Runtime Dynamically deploy VMs and Secure Containers Containers are run securely, transparently as Xen VMs 1 Kubernetes Pod per VM See KataContainers and stage1-xen Measured Boot System Software Updates, and Containers updates Uses disaggregation, service domains and driver domains

ViryaOS Runtime Secure Containers Runtime Dom0 Containers/ DomUs Hardware Xen VIRYA OS

Secure Containers Runtime Internal API Dom0 Domain Manager Xen DomUs Hardware

Secure Containers Runtime Internal API Dom0 Domain Manager TPM Manager Network Manager DomUs Xen Hardware TPM NIC

ViryaOS: Build A multi-domain build system Builds multiple domains in one go Creates a runnable SD Card image from multiple domain builds Each domain build is independent and runs in a container Pre-configured device passthrough to guests Made for disaggregated architectures

ViryaOS Build Dom0 - Alpine Linux apks Image Builder SD Card Image Dom0 kernel - Yocto Image. gz Dom1 DriverD - Yocto Rootfs Dom2 DriverD - Alpine Linux apks

ViryaOS Build Everything builds in a container Supports cross-builds (ARM64 targets on x86) with qemu-user Supports any build systems for domain builds enables mixed Alpine Linux / Yocto environments rootfs and kernel can be built independently Supports multiple DomU build output formats The DomU output itself is stored in a container Anything can be pull to the Docker Hub to speed up the build

Status Very early stages, experimental Interest, but no company backers yet, community driver Subscribe to the mailing list to learn more and participate! Initial implementation available for: SDK Containers-driven build Yocto kernel build Missing ImageBuilder

Questions?

To Be Continued...

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback