Leveraging the Serverless Architecture for Securing Linux Containers

NiltonBila, PaoloDettori,Ali Kanso, YujiWatanabe*, Alaa YoussefIBMT.J. WatsonResearchCenter –NewYork

*IBMResearch- Tokyo, IBM Japan Ltd.

Ali Kanso, PhDSenior CloudSWEngineerIBMT.J. Watson,NY

Leveraging the Serverless Architecture for Securing Linux Containers

ShippingCode

Binary• exe• elf

Packaged• JAR• WAR• Gem

Containerized

• Images(dockerfiles)

ButContainerimagescanhavevulnerabilities bakedinthem!

SoftwareVulnerabilitiesPackageVu

lnerability

E.g.: Ghost Vulnerability in gLibclibrary < 2.18

(2000à2013)

ConfigurationVu

lnerability

E.g.: OpenSSH installed &#PasswordAuthenticationyes#PermitEmptyPasswords

Yes (or even no)

MalwareSignature

E.g.:- Viruses- Worms

- SpyWares- Trojan Horses

ScanningforVulnerabilities

IBMVulnerabilityAdvisor

Docker SecurityScanning

ü Scanimagesanddeployedcontainersü Vulnerabilitiesininstalledsoftwarepackagesü Securityconfigurationchecksü Malwaresignaturedetection

ClusteringContainers

Clusteringcanbeoverwhelming

Kubernetescanhelp

WhatisKubernetes?

Applications Containerized Clustered

Kubernetesmaster

Kubernetesagent

ContainerizedappsContainerizedappsContainerizedappsü Schedulingü Monitoringü Recoverymanagementü Auto-scalingü Authorization/Authentica

tion…

MasterNode

WorkerNode(Minion)

ü Monitoringü Reportingü Executingmaster’s

recommendations…

KubernetesResourceOrganizationExamplepoddescription

kind:Podmetadata:name:myPodspec:containers:- name:sleep-foreverimage:pause:0.8.0resources:limits:memory:1000Mi

K8sAPIs

CoreGroup ExtensionsGroupmonolithicv1API

RESTpath/api/v1ü Podsü Servicesü Replicationcontrollersü Resourcequotasü Nodesü Endpointsü …

RESTpath/apis/extensions/$VERSIONü Deploymentsü HorizontalPodAutoscalersü Ingressü Jobsü DaemonSetsü Thirdpartyresourcesü …

K8sOperators

K8sAPI Thirdpartyresources Operators<<Leverage>><<Extend>>

K8sThirdPartyResource(TPR)

K8sMaster(APIserver)

APIpathØ TPR

Ø SecurityactionsØ quarantine<<CRUDoperations>>

Third-PartySoftware(executable)

<<Watch&react>>

Controller:bridgingtheactualstatewiththedesiredstate

Resourceinstance:reflectingthedesiredstate

Securityaction,toquarantine ordelete container

http://192.168.0.15:8080/apis/myorg.com/v1/namespaces/default/securityactions/quarantine

KubernetesLimitation• K8sdoesnotimplementtheneededrangeofactionstocontainathreat

– Limitedto:Killpod,Rolling-Upgrade(involveskilling)PackageVu

lnerability

Quarantineuntil patched

ConfigurationVu

lnerability

Gracefully shutdown and preserve state for future investigation

MalwareSignature

Immediate kill

Weneedtohaveseverity-basedactions!

IntroducingtheSecurityEnforcementOperator

Kubernetesmaster KubernetesWorker

K8sAPI-server

Docker Docker

OS

PodsPods

OS

SEO

ü Quarantine/Unqarantineü Pause/unpauseü Stop/startü Fast-deleteü Graceful-delete

Net-plugin

Basedonscanningresults

VulnerabilityScanner

RegistryMonitorK8sWorkersImageRegistries VS-agent

scanimages

K8sWorkersK8sWorker Nodes

VS-agent

PodsPods

scandeployedcontainers

containerconfigurationinformation

ThreadIntelligenceingestthreatdata

periodically

VulnerabilityScanner

securityconfigurationchecks

packagevulnerabilitydetection

malwaresignaturedetection

?Notification+summaryofvulnerabilityfindings

(ReportfromVulnerabilityAdvisor)

imageconfigurationinformation

VSReportExample• Identifyspecificsoftwarepackageversionsinthecontainerwithdisclosedvulnerabilities

• Identifyspecificissueswiththecontainerconfigurations

Leveraging the Serverless Architecture for Securing Linux Containers

K8sWorkers

VS

OpenWhisk

K8sAPIserver

K8sWorkers

CRUDoperations

VS-agentSEO

PodsPods

K8sAPIserver

PoliciesPolicies

Add/Remove/ModifyActionbasedpolicies

IntroducingOpenWhisk

?

WhyOpenWhisk?

• OpenWhisk istheGluebetweenVSandK8s,itenables:– Different policies fordifferentusers–Multiple Clusters registertothesameOpenWhisk deployment

– Central point ofpolicymanagementacrossclusters

Actionbasedpolicies

ReportAPIandNotificationsonVulnerabilityScanner

• SupportsscansformultipleregisteredKubernetesclusters.• ProvideRESTful APIsforaccesstoVulnerabilityreportsforeachcontainer

• UseauthenticationtokentorestrictaccesstoclusterdataatthegranularityofKubernetesnamespaces.

• NotifyeventswithnewvulnerabilityfindingstoregisteredOpenWhisk APIendpoints.

• TriggeractioninvocationstotheOpenWhisk APIendpointsregisteredfortheKubernetescluster.

Notifications

• UsercreatesactionwithknownURLendpoint:– https://openwhisk.ng.bluemix.net/api/v1/web/<USER>/policy

• VulnerabilityScannerpostsvulnerabilitynotificationtopolicyendpoint

{“clusterid”: “xyz”,“podid”: “nginx- 3382653011-3p4p0”,“vulnerability_type”: “package”,“vulnerability_status”: “vulnerable”

}

PerUserPolicy!

• import vsimport kubernetes

def main(params):findings = vs.get_findings(pod_id, timestamp) vulnerable_packages = findings['vulnerable_packages'] insecure_configs = findings['insecure_configurations']

if len(vulnerable_packages) > 0: kubernetes.snapshot(pod_id) kubernetes.terminate_graceful(pod_id)return {'text': 'Deleted pod ' + pod_id }

if 'remote_shell_installed' in insecure_configs:kubernetes.quarantine(pod_id)return {'text': 'Quarantined pod ' + pod_id}

return {'text': 'Container was not modified ' + pod_id}

Serverless Policy

Terminate_faste(pod_id)

User1: marketing

User2: accounting

Terminated pod

VS OpenWhisk SEOK8s Networking

QuarantinePod

Podquarantined

Threatcontained

Quarantinecontainer(s)

Container(s)quarantined

NewPodcreatedScanningtriggered

Vulnerabilityfound

QuarantinePod

Executepolicy

InteractionSummary

RelatedWork

SecuringContainers

Starlight implementsakernelmodulethatinterceptslocaloperationsoneachhostandpassesthemtoalocalagentwhichinturnpassesthemtoaneventprocessorthatanalyzestheeventand

determineswhetherornottoalerttheadmin.

LiCShield generatesAppArmor profilesbytracingthecontainerengine(Docker daemon)

duringthebuildandtheexecutionofthecontainers.

UsingServerless intheCloud

Lambdefy frameworktodemonstratethedifferingrequirementsbetweenapplicationsdeployedtoIaaS andapplicationsdeployedasacloudevent,andMediaManagementSystemforshowinghigh

scalabilityofimageresizingtasksonLambda.

ContainerScanners

OpenSCAP (SecurityContentAutomationProtocol)searchesforanappropriatefixelement,resolvesit,preparestheenvironment,andexecutesthefixscript.

Docker SecurityScanningcanscanimagesinprivaterepositoriestoverifythattheyarefreefromknownsecurityvulnerabilitiesorexposures,andreporttheresultsofthescanforeachimagetag

That’sit!Questions?

Leveraging the Serverless Architecture for Securing Linux Containers

OpenWhisk

KubernetesVulnerability scannerSecurity Enforcement Operator