A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Living in a Secure Container, Down by the River - Jack Mannino Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Living in a Secure Container, Down by the River
Jack Mannino
Derbycon 2018

Linux container technologies offer the ability to run software in isolation with a significantly reduced attack surface. By reducing the capabilities and resources a container can utilize, we make it increasingly difficult to elevate privileges, gain persistence or move laterally within a cluster of containerized services. While Docker is the container technology most people are familiar with, there are other container types to think about too, each with their own opinionated take on security. It’s getting increasingly common to adopt other runtimes through the Open Container Initiative (OCI) specification using interfaces and shims provided by container orchestration platforms. Containers that use Linux namespaces and control groups for isolation typically provide weaker protections against escaping than hypervisor-based containers, further detaching security reality from your hopes and dreams. This presentation will focus on the security and kernel protections available in several popular Linux container technologies including Docker, Rkt, LXC, Kata and gVisor. We will explore how the default runtime security controls stack up under attack and how they attempt to isolate resources at security boundaries. We will explore the container hardening process through AppArmor, SELinux, Seccomp and Capabilities. At the end of this presentation, you’ll be motivated to run minimally privileged containers that are isolated from doing any real damage. You’ll have plenty of time for security when your code is living in a container down by the river.

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.


Back to Derbycon 2018 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast