Security is an Important Coding Consideration Even When You Use Containers

Last month Tom Henderson wrote an article titled Container wars: Rocket vs. Odin vs. Docker. In that article he said, "All three are potentially very useful and also potentially very dangerous compared to traditional hypervisor and VM combinations."

Tom's list of contributions at Network World show you that he's not a neophyte when it comes to enterprise-level security, and that he's more of a product test/analytical person than a journalist. And afraid to state a strong opinion? That's someone else, not Tom, who got flamed hard for his "Container Wars" article, but has been proved right since it ran. Tom also says, in today's interview, that the recent Apple XcodeGhost breach should be a loud wake-up call for developers who don't worry enough about security. But will it? He's not too sure. Are you?

The spectrum of virtualization

Containers are even more dangerous than VMs since you lose even more virtualization. All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine. Even process isolation yields some amount of containment (can't snoop cross-process memory) but this is typically trivial to breach for any malware.

A large part of the security problem can be solved with simple configuration cleanliness. Do you know what software you're running? If you don't then no amount of containment will help and it's just a matter of time before your network is pwned.

Re:The spectrum of virtualization

[phantomfive]

Containers are even more dangerous than VMs since you lose even more virtualization. All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine. Even process isolation yields some amount of containment (can't snoop cross-process memory) but this is typically trivial to breach for any malware.

If you have a server (in a container or whatever), with all your user's passwords going through it.....then it really doesn't matter if the malware can't get out of the container, it can still sniff the passwords as they go through.

Re:The spectrum of virtualization

All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine.

Physical separation opens up an entirely different set of security problems. I can purge and redeploy a few thousand containers before you've got a single physical machine halfway through re-imaging. You've also got to face the fact that security does not live in a bubble. Managing a metric crapload of containers or even full-blown VMs is far, far more efficient (cost and timewise) than managing a metric crapload of physical machines.

A large part of the security problem can be solved with simple configuration cleanliness. Do you know what software you're running? If you don't then no amount of containment will help and it's just a matter of time before your network is pwned.

This, though. In rare cases where shitty application code isn't to blame, I've found it's always been some asinine distribution-supplied bullshit that isn't even actually used. But it's installed and running anyway. Oh, and yes, everybody updates. All the time. Except when they don't. Which is pretty much always. Because testing/QA, rolling through dev/staging onto a scheduled production release...

Meanwhile, uselessshitd is sitting there vulnerable. For absolutely no reason.

Argh.

-1 Registration Required

[Luthair]

NT

There are 11 types of developers...

[xxxJonBoyxxx]

There are 11 types of developers when it comes to security.

00) Wot? 70% of them. Probably 95% of web designers.
01) I care about security, but I don't have to do anything about it in my layer. Another 20%.
10) I care about security and it is my problem. Just 10%. Maybe.

This guy is preaching to group 10 and trying to get group 01 to care. It's nice to see something else out there fighting the good fight.

Re:There are 11 types of developers...

[Darinbob]

You need other subcategories of number 10. Those who care about security, have to interface with security and use security features, but who are not the security expert. These are different from the developers who actually implement the security. Who may also different from the people who decide the policy of security (who may or may not be software/firmware people).

Security is hard

[phantomfive]

There are too many new developers coming in. The older guys may know how to write secure code, but then you have a bunch of new people and they have to learn the lessons of security all over again.

There is no "magic bullet." Garbage collection won't save you, a container won't save you. In the end, you need to be thinking about security every line you write, or you'll end up with an integer overflow that allows hackers to take over your container.

Re:Security is hard

[postbigbang]

Nobody knows WTF is inside of a container except the person that built it, and no one knows if they MD5'd the contents, used all of the appropriate checked libs, and made sure that processes/confs/symlinks that were unnecessary were removed from the container. The same needs to be done to hypervised VMs. You can MD5 the container once built, but then checking to see if something ugly's been added isn't simple.

Then there's the job of doing update/patch/fix, and ensuring that those payloads have a chain of course/authorities. Lacking that, downloading a container is a serious gamble, IMHO.

Re:Security is hard

[phantomfive]

And there is a magic bullet. It's called "knowing what you're doing"

Sounds like......you have a genius idea there.

Re:Security is hard

[Darinbob]

Experience causes people to think about security. Thus the old codgers who have the most experience are also more experienced at having run into these problems before. I see plenty of young coders repeating the same mistakes that were made back in the 70s.

The same group of kids who think that their parents will never see their drunken pictures on instagram are not the ones who have the proper paranoia to code securely.

Re: Security is hard

[phantomfive]

I......work hard to ensure that every line I write IS secure.

Then keep up the good work, we need more programmers like you.

EVEN WHEN??!!!!

[rubycodez]

Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?

Re:EVEN WHEN??!!!!

[sjvn]

Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?

Because you can run three to four more server apps on the same architecture than you can using even efficient VMs such as KVM. That, in turn, means you have o pay for fewer servers.

Re:EVEN WHEN??!!!!

[Trepidity]

It's not a terrible idea, but it takes effort and some time to get a solid and reliable implementation. The part where you do that first, before deploying them in production, seems to have been skipped with Linux. I'd trust Solaris or Illumos Zones, because they've been around for years and have had a lot of testing. IBM WPARs are probably also fine, if you can afford AIX (not that I can). But the bundle of duct tape and bailing wire that Docker has used to cobble together containers on Linux, which changes significantly with every release, leaves me less confident.

Re:EVEN WHEN??!!!!

[rubycodez]

You are completely full of shit, I'm looking at a VM right now at work with gigabytes provisioned but the actual RAM in use is but hundreds of megabytes. Enterprise class virtualization has evolved beyond whatever silly system you imagine

Re:EVEN WHEN??!!!!

[phantomfive]

The part where you do that first, before deploying them in production, seems to have been skipped with Linux

Don't worry, the systemd programmers will take care of that!

Re:EVEN WHEN??!!!!

[damaki]

The main bottleneck of virtualization is not CPU, which is already optimized as hell, it's I/O. With virtualization you add additional layers to access storage and network devices, and thus destroying your random read/writes performances. Sure, that is not an issue for the average app, but virtualize your favorite brand of database server and you will enter a world of pain at the worst time ever possible (a high load scenario).

Re:EVEN WHEN??!!!!

[dj245]

Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?

Containers are easy for weekend IT guys like me who run our own servers. I don't have time to bother with learning an entirely new IT paradigm and setting it all up myself. Home server software makes all of that unnecessary and Docker containers are handled almost like "apps" in some software (like Unraid). I have to set directories and manage the network port mapping but everything else is done for me. It does what I need it to do without requiring much new knowledge or skill.

Re:EVEN WHEN??!!!!

[rubycodez]

No, that's long obsolete. vSphere 6 is the current one, try to keep up

Containers do not provide sufficient isolation, less secure even than jail

Re:EVEN WHEN??!!!!

[allo]

LXC does not add any IO.

Re:EVEN WHEN??!!!!

[damaki]

True.But a LXC is a container system; not a real virtualization solution. It's powerful, it's clean, it's wicked cool with btrfs and it's my favourite. It just lacks neat docker tools such as docker composer.

Re:EVEN WHEN??!!!!

[allo]

I just use it with rootfs-folder. Using a btrfs-volume may add some stuff.

btw: Docker was based on LXC and i think it still supports it? So its just a aufs (unionfs) when using docker.

Re:EVEN WHEN??!!!!

[damaki]

btrfs volumes allows you to share core files between containers and not waste additional disc space. If you use a standard template to make other lxc containers, it makes new containers real cheap as it takes almost no additional disc space for each new one. Yup, I know that Docker uses the same kernel-level isolation mechanisms as LXC. But looks like it is not exactly the same as I've heard of recurrent garbage collection (files) issues with some Docker stuff. I could not guess how a properly designed docker container, with volumes for growing data, could lead to docker image growth. I thought that Docker images were meant to be read-only. BTW, ff your want Docker prebuilt containers, but bare LXC, runc (https://runc.io/) is a kind of Docker over LXC.As far as I could figure, it looks like it basically untars a docker archive in a lxc file tree. But it is still as alpha as one can do. I could not even build the damn stuff. Still, the core concept is really promising.

Re:EVEN WHEN??!!!!

[allo]

Yeah, docker creates a layer and then never changes it. With LXC backend, it uses aufs to stack them.
I still prefer using bare LXC containers. There i know what i have and do not trust any prebuilt stuff. And when i start with creating a baseimage (debootstrap for ubuntu/debian), i just do the same as a "lxc-create -t debian" does.
But maybe i am oldschool ;).

Re:Security is easy, just tedious.

[sexconker]

never use gotos,

There's nothing wrong with GOTO statements, and there never was. This is a rather popular misconception.

Sixth, never ever use exception handlers. You have a non-deterministic path through the program and therefore no means of knowing if the state of the program is valid. You also want the program to crash if it encounters a situation that it shouldn't, it means there's a catastrophic fault in the machine or the software. There are no exceptions to this rule. Exception handling is one of the worst mistakes ever made in software engineering.

Oh, so you're trolling.

I'm missing something

[FrozenGeek]

Given that xcode is free (as in comes with OS X), why would you get it from a source other than Apple?

Re:I'm missing something

[kauos]

Given that xcode is free (as in comes with OS X), why would you get it from a source other than Apple?

The quickest answer is that some countries fsck with the websites of others... I live in China and they love to play games with DNS resolving, temporary and permanent website bans, bandwidth restrictions (sometimes per service... ie just for www, but ssh is full speed).... and etcetera and so forth.

Sometimes you will download from another site just so it doesn't take a week to download, sometimes you don't even realize that you are on a China specific site that is giving you different binaries (ie Skype).

Re:There are always bugs. These can be used to bre

[postbigbang]

This presumes that the instance's NON-INTERNET-FACING side is secure, and don't be so assured that it is.

Doctor Who?

[friesofdoom]

Is it just me who hates all these stupid sounding technology names?

Pointless

[allo]

Who needs to argument about contributions to show "he's not a neophyte", has other problems. Especially if i needs to think about if he needs security even in containers. i mean, what the fuck.