Slashdot Mirror


Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN (eweek.com)

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.

44 comments

  1. Linux is behind yet again by Anonymous Coward · · Score: 3, Funny

    As usual, Windows is more secure than Linux and doesn't need these upgrades. Everything is half-assed and amateurish with Linux

    1. Re: Linux is behind yet again by Anonymous Coward · · Score: 0, Flamebait

      Most or all Linux developers are farmers by day and programmers by night. So Linux can't be compared with Windows, which is fully made by professionals.

      Linux is like the Paralympics. You should be kinder...

    2. Re:Linux is behind yet again by Anonymous Coward · · Score: 1

      Totally agree.

      I remember a company trying to foist a complex and complicated virtualized "system" in 2011 on the company that I used to work for a few years ago.

      I had more fun poking holes in all of the security flaws in that "system".

      And the vendor's response to all of the security flaws? Yeah, we'll fix them... if you pay us a whole lot more money.

      BTW... the company, and a well-known one at that, that tried to sell that pile of $#!@ is still in business and still making loads of money.

  2. Oh get double-stuffed! by Anonymous Coward · · Score: 1

    Slashdot: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley,

    eweek: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like WhatsApp," McCauley said.

    Bite me, slashdot. Don't just take mainstream-marketing-bullshit and replace WhatsApp with Signal, 'cause it's more nerdy. It's still weapons-grade bullshit, next you're gonna tell us it's military-grade-encryption or what?!

    1. Re:Oh get double-stuffed! by 110010001000 · · Score: 1

      Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signal's servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.

    2. Re:Oh get double-stuffed! by Kjella · · Score: 5, Informative

      Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signal's servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.

      Bullshit. Message transport has nothing to do with security, doesn't matter if you send a PGP message over SMTP (decentralized) or Facebook (centralized) as long as the cryptography is sound. And the clients are open source, the cryptography is vetted and all that. And if you don't want their servers recording any metadata the server code is open source too, with minor modifications you have your own Signal protocol network. Federation is mainly just a messy hybrid of client to server and server to server communication, either go full P2P and deal with all those routing/discovery/web-of-trust/revocation/denial-of-service/spam complications or just run one central server.

      The main reason to use it over PGP is that Signal gives you backwards secrecy: the algorithm is constantly upgrading the keys, meaning even if you record messages and compromise a device later you can't decrypt anything other than the most recent ones. If you manage to get a private PGP key, you can decrypt every message sent to that key from the dawn of time. It doesn't do 90% of what PGP tries to do, but it does the last 10% much, much better. And most of all, simpler. Most people don't check Signal's MITM protection and don't care when they're notified of key changes, but the same people are not likely to use PGP at all. But since a few will check, doing bulk surveillance would be discovered, while everyone intentionally or unintentionally in the middle can wiretap plaintext email all day long.

      --
      Live today, because you never know what tomorrow brings

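
As an added illustration of the key-compromise argument in the post above (example code written for this page; it is not from the thread, from Signal, or from any library): a toy symmetric hash ratchet next to a single long-term key. The messages, key material, labels and the SHA-256 counter-mode stream cipher are all constructed for the demo; the cipher is a teaching stand-in, not a real AEAD, and the ratchet is only the "chain key" half of what a real double ratchet does. The point it shows is the one the post makes: an adversary who recorded traffic and later obtains the long-term key opens every message, while one who later obtains a ratchet chain key can only open messages from that step onward, because stepping the chain is a one-way function.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample conversation; not taken from the thread.
MESSAGES = [b"meet at nine", b"bring the contract", b"change of plan: ten"]


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256 keyed with `key` over `label`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(msg_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a per-message key; returns ciphertext || 32-byte tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(kdf(msg_key, b"enc"), len(plaintext))))
    tag = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(msg_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (wrong key)."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(kdf(msg_key, b"enc"), len(ct))))


# --- Model 1: one long-term key (PGP-style); per-message keys are derived from it ---

def static_message_key(long_term_key: bytes, index: int) -> bytes:
    return kdf(long_term_key, b"msg-%d" % index)


def send_static(long_term_key: bytes, msgs: List[bytes]) -> List[bytes]:
    return [encrypt(static_message_key(long_term_key, i), m) for i, m in enumerate(msgs)]


def recover_static(long_term_key: bytes, blobs: List[bytes]) -> List[Optional[bytes]]:
    """Adversary who recorded the traffic and later obtains the long-term key: everything opens."""
    return [decrypt(static_message_key(long_term_key, i), b) for i, b in enumerate(blobs)]


# --- Model 2: symmetric hash ratchet (the chain-key idea used by Signal-style protocols) ---

def ratchet_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """chain_key -> (message key, next chain key). Going backwards would mean inverting HMAC."""
    return kdf(chain_key, b"msg"), kdf(chain_key, b"chain")


def send_ratchet(root: bytes, msgs: List[bytes]) -> List[bytes]:
    blobs = []
    chain = root
    for m in msgs:
        msg_key, chain = ratchet_step(chain)  # the previous chain key is dropped here
        blobs.append(encrypt(msg_key, m))
    return blobs


def chain_key_at(root: bytes, step: int) -> bytes:
    """The chain key a device holds just before sending message number `step`."""
    chain = root
    for _ in range(step):
        _, chain = ratchet_step(chain)
    return chain


def recover_with_chain(chain_key: bytes, blobs: List[bytes]) -> List[Optional[bytes]]:
    """Adversary who recorded the traffic and later compromises a device holding `chain_key`:
    keys can only be derived forward from that point, so earlier recordings stay sealed."""
    keys = []
    chain = chain_key
    for _ in blobs:
        k, chain = ratchet_step(chain)
        keys.append(k)
    recovered = []
    for blob in blobs:
        hit = next((pt for pt in (decrypt(k, blob) for k in keys) if pt is not None), None)
        recovered.append(hit)
    return recovered


if __name__ == "__main__":
    lt = b"long-term key (constructed)"
    root = b"session root key (constructed)"
    print("static :", recover_static(lt, send_static(lt, MESSAGES)))
    print("ratchet:", recover_with_chain(chain_key_at(root, 2), send_ratchet(root, MESSAGES)))
```

The tag check is what makes the demonstration honest: without authentication a wrong key would still "decrypt" to garbage and the comparison would be meaningless. In the ratchet model a compromise at step 2 yields only the third message; a compromise after the last message yields nothing at all, which is the property the post is describing (usually called forward secrecy).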
    3. Re:Oh get double-stuffed! by Anonymous Coward · · Score: 1

      It's called forward secrecy, dumbass.

    4. Re:Oh get double-stuffed! by Anonymous Coward · · Score: 0

      Have you heard of Keybase? You might be interested. They have a chat client written on top of their encrypted filesystem: https://keybase.io

  3. Security you say? by Anonymous Coward · · Score: 0

    Hot air will not create an air gap network, even if you blow really hard.

  4. Signal is secure? by Anonymous Coward · · Score: 0

    How would you know Signal is secure? They run the servers. I don't trust them.

    1. Re: Signal is secure? by Anonymous Coward · · Score: 0

      How do you know IPSec is secure? Packets go through routers; do you trust their owners?

    2. Re:Signal is secure? by 0ptix · · Score: 1

      Because of a combination of two reasons:
      1) The protocol used by signal and their implementation are both open and well studied.
      2) The Signal protocol (like many modern secure p2p-communication protocols such as Allo, Whatsapp, Wickr, etc.) uses end-to-end encryption and authentication. So the central server (along with the rest of the network infrastructure between end points) can do little more than deny service to users.

      Caveat: AFAIK beyond service denial, at worst the servers could do some traffic analysis (only the *encrypted* and padded data) and maybe swap the order in which messages are delivered to users in a given chatroom. (So could your ISP.) Of course traffic analysis can lead to non-trivial privacy breaches too but exposure to this threat is (currently) the price we all pay if we want messaging to work over an extremely asynchronous network with high churn & latency and low bandwidth & availability. In particular clients can message each other even when they (and in fact almost all other clients) are rarely and unevenly online with no guaranteed overlap time.

  5. Trusting docker? by Anonymous Coward · · Score: 1

    They're well-known for their cookie-cutter, "docker", which probably fits their business model to a tee but fails to provide all sorts of things you might want from a fully-fledged containering thing. Oh and then there's the compatibility-with-itself issues, administrative access to hosts from within containers called "not a bug, but a feature" apparently with complete disregard or misunderstanding of security principles, and so on. And so now they're taking their secret sauce to VPNs and other security tools.

    I for one, etc.

    1. Re:Trusting docker? by Anonymous Coward · · Score: 0

      I for one, etc.

      Welcome our docker overlords???

  6. Reinventing the wheel? by Anonymous Coward · · Score: 1

    I've used OpenVPN without any problems (well, other than the fact the configuration is a bit of a pain) since 2002.

    1. Re:Reinventing the wheel? by Anonymous Coward · · Score: 0

      OpenVPN is fine product, but it has had its share of vulnerabilities. 13 reported since 2005, including a remote code execution exploitable by clients. Wireguard is 4000 lines of straightforward code. Small and simple and _far_ less likely to harbor so many problems. Also, it's silent by default. You can make OpenVPN do this as well and greatly reduce your attack surface, if you wish to dig around in OpenVPN obscura to figure it out, but you get this for free with Wireguard; every Wireguard server does.

      It's a better design. Lesson's learned. Don't dismiss it out of hand.

    2. Re: Reinventing the wheel? by Anonymous Coward · · Score: 0

      It has no support for any kind of PKI type setup. WireGuard's assumptions and security model are broken beyond repair, and a small codebase can't really remedy that. Faulty key management is how crypto gets broken nowadays, and WireGuard's is in thedailywtf category.

    3. Re:Reinventing the wheel? by greenfruitsalad · · Score: 1

      maybe you know, maybe you don't, maybe other people will find this interesting - openvpn 2.4 can now be configured to be (so far) completely indistinguishable from regular https traffic when used with --tls-crypt option and run on the appropriate port.

  7. How does a VPN boost Kernel Security by Anonymous Coward · · Score: 0

    Forgive me if I am an idiot here, but I do not see the connection between a VPN and Kernel Security. Can someone ELI5?

  8. Insane Tirade from Linus in 5.. 4.. 3.. 2.. by Anonymous Coward · · Score: 0

    I can't wait to read the steaming tirade from Linus about how the Linux Kernel does not need a boost in security...

    1. Re:Insane Tirade from Linus in 5.. 4.. 3.. 2.. by Anonymous Coward · · Score: 0

      All security should be handled by systemd now, right?

    2. Re:Insane Tirade from Linus in 5.. 4.. 3.. 2.. by Anonymous Coward · · Score: 0

      So why did Linus sell out to poettering and crew? As in, he doesn't really oppose them when they're trying to change linux' fundaments from Unix-like to windows-like, from transparent to opaque, from fixable to "trust us, we know best". He complained about one guy's execrable code, once, but, well, that's it. All the bloat, the bad ideas, the poor to bad code, the not playing well with others, it doesn't seem to matter to him. Why is this?

    3. Re:Insane Tirade from Linus in 5.. 4.. 3.. 2.. by Anonymous Coward · · Score: 0

      Linus doesn't care about */Linux the userland, only about Linux the kernel. He said so himself multiple times.

    4. Re:Insane Tirade from Linus in 5.. 4.. 3.. 2.. by sad_ · · Score: 1

      That is all user land, Linus isn't involved in that. He's also not ranting against google for whatever they do wrong with android.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.

  9. Linux VPN support sucks by AaronW · · Score: 3, Insightful

    Something needs to happen.

    Last night I tried to get pptp to work with our corporate VPN and it failed miserably. I ran Wireshark to figure out what the problem is and the Linux PPP stack just can't handle the options that it was being sent (bug opened on pppd). Next I tried to connect to my home firewall VPN which used to work and again this failed miserably because the Linux PPP stack refused to turn off the async char map negotiation (which isn't used for PPTP).

    I've also struggled to get ipsec in any form to work (no success) nor have I been able to get openvpn to work, requiring all the generation of certs and whatnot. PPTP, despite being quite insecure, at least used to work before the modern PPP brokenness.

    The problem with VPNs is that the solutions are overly complicated with a bazillion different options.

    IPSec + L2TP!?!?! This is insane. PPTP is just plain broken as well.

    I want something as simple as how PPTP used to work but without all the broken security (i.e. MD5 password hashes) and get rid of PPP.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.

    1. Re:Linux VPN support sucks by decep · · Score: 2

      Linux VPN support is actually very good. You just should not be using PPTP. OpenVPN or some of the other user space type VPNs are great for connecting remote users.

      I agree that L2TP is insane for individual user VPNs, but for site-to-site VPNs, IPSec is the only option you should trust. The problem with a lot of user space VPN solutions, like OpenVPN, is once you have authenticated, it just kind of acts like a router for packets. You have to use secondary controls like a firewall to control access. This is usually fine for allowing access for end users.

      IPSec is the solution you need when you want to create a site-to-site connection with a 3rd party you do not implicitly trust. Every aspect of the VPN must be agreed by both sides of the tunnel before the tunnel can be established. 6 months later if someone tries to change the tunnel parameters on one side without informing the other party, the whole thing stops.

    2. Re:Linux VPN support sucks by bsDaemon · · Score: 1

      IKEv2 IPsec via StrongSwan or LibreSwan really isn't that difficult on Linux. Problem is a lot of these corp vpn products that don't have a Common Criteria or FIPS mode don't support it, and many of these other technologies have to do lame hacks to get things like NAT traversal to work.

    3. Re:Linux VPN support sucks by Anonymous Coward · · Score: 0

      I've also struggled to get ipsec in any form to work (no success) nor have I been able to get openvpn to work, requiring all the generation of certs and whatnot

      Gawd. This makes me sick. Go get a business degree or something.

    4. Re:Linux VPN support sucks by tlhIngan · · Score: 1

      Actually, what's worse is SSL-VPNs, because there are no standards for them. They are insanely simple and very popular because they can be used from behind practically any firewall that allows SSL through. (This is vitally essential since many corporate firewalls block everything except 80, 443 and 21, and if you consult and need to VPN to home base, you need a VPN that can go through the firewall)

      The problem is all the SSL-VPN vendors are basically incompatible with each other - between Dell/SonicWall, OpenVPN (over SSL), Pulse, etc. And few offer Linux clients.

    5. Re:Linux VPN support sucks by Anonymous Coward · · Score: 0

      l2tp+ipsec is pretty much the gold standard of corporate VPN. Setting up a client for it in linux is significantly more painful than it should be.

    6. Re:Linux VPN support sucks by AaronW · · Score: 1

      Years ago I worked on an ipsec product and was successful getting it to work. The problem is that since then the complexity has increased significantly. Making matters worse is that different commercial products do it differently. Linux to linux is one thing, because one can easily verify that all of the appropriate settings are the same. Linux to a commercial box, on the other hand, is a big problem.

      For example, my home router, a Mikrotik box, has a bazillion options for ipsec but trying to figure out the correct combination to make it actually work is a major pain in the butt. IPSec's problem is that it is so complex, and when it comes to commercial products they often offer a driver for Windows and maybe Mac but when it comes to Linux you're often out of luck when it comes to connecting to them, though they may offer some Java in the browser (ugh) thing.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.

    7. Re:Linux VPN support sucks by AaronW · · Score: 1

      We have Sonicwall at work. Unfortunately it requires running Java in the browser to connect to it through Linux.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.

  10. OpenVPN isn't bad by Sycraft-fu · · Score: 3, Informative

    It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.

    However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.

    It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talked IPSec.

    1. Re:OpenVPN isn't bad by Anonymous Coward · · Score: 0

      ipsec isn't secure

    2. Re: OpenVPN isn't bad by Anonymous Coward · · Score: 0

      Really ?

  11. Correction regarding WireGuard's author by Anonymous Coward · · Score: 1

    Docker is not responsible for WireGuard at all. A Gentoo developer (Jason A Donenfeld, AKA 'zx2c4') is responsible for WireGuard. As far as I know, he does not work for Docker.

    The wording in the summary is poor and doesn't reflect that. TFA (correctly) mentions WireGuard as an external project.

  12. Why Systemd? by Futurepower(R) · · Score: 1

    I'd very much like to know that, also. Anyone have an explanation for Systemd?

    Is "opaque" a way for Red Hat to make more money giving support?

    Linus Torvalds is sometimes unstable. He doesn't know how to deal with his conflicts. Two examples:

    The Creator Of Linux Has An Attitude And A Foul Mouth, And People Are Angry At Him (Again)

    Linus Torvalds in NSFW Red Hat rant.

    1. Re:Why Systemd? by Anonymous Coward · · Score: 0

      Spashing together random sentences to make incoherent ideas, replying to the wrong person.. Why is it the crazies seem to think RH 'makes' money supporting systemd.

      The ideal situation is for customers to PAY them and not call support, hiring support costs money.

    2. Re:Why Systemd? by F.Ultra · · Score: 1

      You do realise that systemd is not part of the Linux kernel where Linus decides what should go in or not?

  13. OpenConnect however doesn't suck! by Anonymous Coward · · Score: 0

    Stop whining and upgrade.

    https://en.m.wikipedia.org/wiki/OpenConnect

  14. Re: by Anonymous Coward · · Score: 0

    Why? Do you not want an easy way to add a backdoor (ignoring the firmware backdoor in intel chipsets)? That sounds like crazy talk. You must want something for free that isn't consumable for surveillance.

  15. After you figure it out... run it in a container by gosand · · Score: 1

    Once you figure out how to connect... run it in a docker container.
    I set up an ubuntu container with openconnect and freerdp, and a couple of simple scripts. I can connect to my corporate VPN and RDP into my Win10 laptop from my Linux box in about 10 seconds. I could do it faster but I have it prompt me for the password. We use Azure for multi-factor authentication.

    If you do it this way then your container connects to the vpn keeping all of your other traffic off the corporate network.

    --

    My beliefs do not require that you agree with them.

  16. Yes, but Linus could be helpful. by Futurepower(R) · · Score: 1

    Yes, but he could have a strong opinion that might be very influential.

    1. Re:Yes, but Linus could be helpful. by F.Ultra · · Score: 1

      Well since he is both a pragmatist and smart then I suppose that he has nothing at all against systemd, and for those that don't like systemd there are i.e. Devuan, Gentoo, Alpine and so on.