►
From YouTube: The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini, Sysdig
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini, Sysdig
Container technologies rely on features like namespaces, cgroups, SecComp filters, and capabilities to isolate different services running on the same host. However, SPOILER ALERT: container isolation isn’t bulletproof. Similar to other security environments, isolation is followed by red-teamer questions such as, “How can I de-isolate from this?” Designed with the principle of least privilege in mind, capabilities provide a way to isolate containers, splitting the power of the root user into multiple units. However, having lots of capabilities introduces complexity and a consequent increase of excessively misconfigured permissions and container escape exploits, as we have seen in recently discovered CVEs. Fortunately using Falco, a CNCF container runtime security tool, it’s possible to monitor Linux capabilities, detect misconfigured containers, and proactively respond to secure environments. In this talk, we explain how you can use Falco to detect and monitor container escaping techniques based on capabilities. We walk through show real-world scenarios based on recent CVEs to show where Falco can help in detection and automatically respond to those behaviors
A
A
So,
let's
start
for
for
for
today,
and
let's
start
with
talking
about
container
isolation,
so
we
all
know
container
is
is
a
a
great
way
to
to
deploy
our
our
our
application
and
transport
our
code.
However,
we
also
know
that
containers
aren't
security
boundaries,
so
what
makes
container
secure
and
what
make
a
container
resolution
are
all
the
layers
that
are
around
containers
and
in
error
reporters
some
of
them,
but
we
have
also
web
capabilities
second
performer,
but
we
have
also
Linux
Linux,
namespaces
and
C
group,
for
instance.
A
Second,
instead,
are
is
Linux
feature
that
can
be
used
to
restrict
ciscos
and
the
argument
that
we
can
pass
to
to
them
to
Cisco's
and
also
a
farmer
is
a
mandatory
Access
Control
framework
that
can
be
used
to
add
the
tax
on
programs,
and
we
can
enforce
the
specific
programs
can
have
specific
access
to
objects.
So,
for
instance,
we
can
say
a
specific
program,
can
never
access
or
read
access
to
or
to
I,
don't
know
ATC
past
2D,
but
not
to
ATC
Shadow.
A
It's
also
worth
mentioning
that
by
default,
when,
when
you
use
Docker
and
we
and
we
deploy
a
container
all
these
security
layers
are
enabled
by
default
in
order
to
provide
the
least
privileged
concept
and
and
that's
enabled
by
default,
so
we
don't
need
to
provide
any
particular
Flags
or
we'll
set.
Particular
Flags
is
all
enabled
by
default.
Today
we
talk
about
how
we
can
use
fileco
to,
since
fileco
is
able
to
to
have
a
visibility
over
what
is
going
on
inside
our
container.
A
B
Thanks
a
lot
Stefano
for
introducing
me
and
let's
now
jump
into
the
main
topic
and
well,
as
we
all
know,
traditionally,
we
used
to
distinguish
Linux
processes
into
two
different
categories
which
are
Privileges
and
processes
and
unprivileged
ones.
So
we
can
say
that
this
model
is
binary
and
it
can
be
risky
from
a
security
perspective.
B
This
is
because,
basically,
privileged
processes
are
those
running
with
effective
user
ID
equal
to
zero,
and
it
can
basically
password
kernel
permission
checks,
as
we
all
know,
and
on
the
other
hand,
privileged
processes
instead
are
those
subject
to
all
current
permission,
checks
and
most
of
the
time
this
is
done
using
their
own,
effective,
user-ready
or
group
ID
and
from
an
attacker
standpoint.
This
model
is
exposable,
of
course,
by
attacking
directly
root
processes
and
once
the
root
process
is
compromised,
the
whole
system
is
at
risk
of
being
compromised.
B
For
this
reason
to
improve
its
security
model,
Linux
has
implemented
the
capabilities
and
capabilities.
May
are
a
clear
example
of
applying
and
implementing
the
principle
of
list
privilege
and
in
fact,
as
the
model
States,
the
power
of
the
super
user
is
splitted
into
distinct
units.
That
can
be
independently
granted
or
revoked,
and
this
allow
us
to
run
processes
with
the
minimal
set
of
privileges
that
they
need,
and
hopefully,
an
attacker
getting
in
control
about
the
beginning.
Control
on
these
processes
cannot
compromise
fully
the
system
with
the
same
needs
as
before,
and
the
classic
example
about.
B
B
B
We
can
let
it
not
bypass
checks,
for
instance,
on
the
file
system,
which
is
translating
into
a
completely
different
capabilities,
which
is
in
this
in
this
case
Capital
right.
So
since
you
are
here
to
implement
proper
monitoring
of
capabilities
with
the
purpose
of
detecting
attacks,
our
takeovers
on
this
is
that
not
all
capabilities
are
the
same
in
terms
of
privileges
they
allow.
B
In
fact,
some
of
them
can
be
defined
as
full
root
equivalent,
if
gained
by
an
attacker,
and
this
is
because,
if
an
attacker
manages
to
gain
one
of
them,
it
can
possibly
gain
all
of
them
with
other
successful
attacks
and,
as
we
will
show
later,
so,
let's
go
on
and
to
implement
to
implement
monitoring
for
capabilities.
We
have
to
better
understand
how
they
work.
So,
basically,
capabilities
are
usually
divided
into
three
main
sets
and
which
are
defective.
B
The
process
may
have
been
required
and
we
can
move
capabilities
from
the
effective
set
to
the
permitted
set
to
let
the
effective
set
have
only
the
Privileges
needed
at
a
specific
point
in
time
and
last
button
on
list.
The
inheritable
set
instead
is
used
to
control,
which
capabilities
are
inerted
upon.
Exactly
a
system
call
which
is
a
pretty
relevant
example,
so
the
narratable
set
is
used
to
perform
specific
operations
by
the
kernel
to
compute
the
new
permitted
set,
as
you
can
see
in
the
next
slide
and
yeah.
B
So
this
is
how
capabilities
changes
upon
exact
fear
and
what
I
want
to
stress
here
is
that
the
Cardinal
use
specific,
set
sort
of
rules
to
change
capabilities
of
a
process,
and,
following
the
previous
reasoning,
we
have
to
say
that
the
effective
set
should
start
to
empty
when
exactly
is
performed.
This
is
because
we
want
processes
to
manually
move
with
CIS
called
capabilities
from
the
permitted
sets
to
the
effective
one.
B
B
Sorry
it
can
be
used,
and
this
is
basically
used
to
move
the
new
permitted
set
to
the
effective
set
so
that
that
the
process
doesn't
have
to
move
capabilities
using
others
is
called
so
now,
let's
go
back
to
container
security
and
see
our
capabilities
applied
to
it,
and,
in
fact,
when
talking
about
container
security,
we
basically
have
two
different
possibilities:
fill
out
our
work
with
drums.
Actually,
so
the
first
one
is
to
avoid
container
running
as
root.
B
I
think
everybody
here
knows
about
this,
because
basically,
containers
like
Stefan
was
saying
before:
are
not
the
security
boundary
like
VMS
and
if
you're,
not
using
username
spaces
root
in
the
container
is
also
root
on
the
host,
but
sometimes
we
want
our
containers
to
run
privileges
or
privileged
operations,
and
we
may
be
tempted
to
run
down
this
route.
So
what
can
we
do?
We
can
do?
We
can
use
capabilities,
as
we
said,
capabilities.
A
So
thanks,
let's
now
deep
dive
into
attacks
on
container
escaping
I,
just
reported
this
slide
just
to
say
basically
what
we
have
said
before
right,
so
containers
aren't
isolated
by
default
and
in
this
case
we
all
know
if
we
deploy
a
container
as
privileged.
This
is
far
to
be
isolated
right.
So,
of
course
we
are,
we
are
still
using
container.
We
are
still
using
Docker,
but
this
is
far
to
be
an
isolated
environment.
A
That's
because
if
we
use
capabilities-
and
we
see
since
we
are
talking
about
capabilities
with
privileged
all
the
capabilities
are
available
and
all
the
capabilities
can
be
used
and
loaded
by
a
possible
attack.
So
that's
just
to
mention
that
when
we
deploy
a
container
as
privilege,
we
need
to
be
careful
that
this
is
needed
and
we
we
need
to
be
super
careful
of
what
we
do.
So,
let's
start,
let's
start
now
really
talk
about
container
skipping
attacks
and
in
this
case,
let's
start
with
the
with
this
technique
with
the
CIS
model
capability.
A
So
this
module
is
used
to
load
and
load
kernel
module
and
for
this
technique
we
have
the
only
requirement
here
that
we
have
is
having
the
assist
model
capability
and
how
it
works
is
pretty
simple.
So
let's
say
that
an
attacker
is
able
to
get
any
the
initials
the
initial
foothold
in
a
container
and
find
out
that
the
disease
model
capability
is,
is
available
and
can
be
used.
So
the
attacker
just
need
to
drop
the
the
module
inside
the
container
and
since
the
module
is,
is
loaded
in
the
kernel.
A
So
in
this,
in
this
example
one
once
we
load
the
malicious
module,
The
Bash
reversal
is
going
to
be
executed,
and
so
the
connection
will
will
be
open
from
the
container
those
back
to
the
back
to
attacker
machine,
and
it's
also
worth
mentioning
that
the
attacker
might
need
to
to
compile
the
model
inside
the
container,
because
just
to
be
sure
that
the
model
is
gonna
is
gonna
run
and
and
for
this
the
attacker
might
need
the
the
Linux
heater
installed
in
the
in
the
host.
Otherwise,
it's
not
possible
to
run
this
attack.
A
Let's
just
move
on
with
another
technique,
and
in
this
case
we
use
this.
The
capability
pit
race
in
particular
pit
race,
is
used
to
control
other
other
processes,
but
also
with
pit
race.
We
can
also
modify
the
the
process
memory
to
inject
arbitrary
code
and
you
can
also
modify
the
the
pointer
extraction
in
order
to
run
this
arbitrary
code
so
in,
in
other
words,
with
pitrace.
We
can
inject
malicious
code
and
actually
execute
it,
so
it's
pretty
powerful
capability.
So
in
this
case,
for
this
technique
we
have
three
main
requirements.
A
A
I'll,
just
close
with
with
the
last
the
last
example
for
today.
So
this
attack
is
a
well-known
attack
for
container
escaping.
In
this
case,
it
was
published
on
2019
on
Twitter.
In
this
case.
The
first
example
that
is
reported
here
on
on
the
left
required
a
privileged
run
as
privileged
a
container
runs
privileged
after
after
that,
a
new,
a
new
exploit
came
out,
and
in
this
case
we
just
need
the
C
submin
capability.
In
order
to
to
be
successful.
A
For
this
specific
attack,
we
have
three
requirements.
So
since
admin
is
one
a
farmer
with
the
unconfined
or
just
allowing
the
mount
operation,
and
also
we
need
to
have
a
root
user
inside
the
container.
So
to
understand
how
this
work,
we
just
need
to
understand
how
notifying
or
release
works,
and-
and
this
is
pretty
easy
so
on
if
I
notify.
Your
release
is
a
feature
in
the
C
group,
V1
versus
version
one
and
basically,
if
it's
enabled
so
it's
set
to
one
once
a
container
a
process
terminates.
A
The
kernel
is
going
to
execute
the
code
inside
the
release
agent
file.
So
whatever
code
inside
is
inside
the
release
agent
is
going
to
be
executed
by
the
kernel
and
and
that's
basically
the
how
the
exploit
works.
So,
just
just
going
through
the
code,
the
exploit
just
create
a
directory.
A
directory
is
mounting
the
the
C
group
controller
inside
this.
This
director,
with
the
the
option
RDMA
and
also
is
creating
the
C
group
directory
inside
it.
A
Also,
as
we
as
we
can
see,
the
the
Notifier
release
is
set
to
one
and,
as
we
said
you
just
to
enable
the
feature,
and
then
all
the
other
commands
is
done
to
create
the
release
agent
with
the
malicious
command
that
we
want
to
execute.
In
this
case,
it's
just
getting
the
path
for
from
the
overlays
and
and
the
command
that
we
want
to
execute.
So
in
this
case
being
sh.
A
So
just
to
recap
what
we
have
said
so
far,
so
we
have
these
three
techniques.
All
that
the
three
techniques
that
we
have
presented
are
using
three
different
capabilities,
and
so
now
we,
let's
see
what
we
did
in
in
FICO,
in
order
to
detect
those
this
malicious
behavior
and
how
we
can
and
what
we
can
do
with
FICO
for
monitoring
abilities.
B
Yeah
thanks
Stefano
for
doing
that,
with
such
examples,
and
so
now
that
we
are
aware
about
talk
of
abilities,
work
and
how
they
can
be
used
in
real
attacks.
We
want
to
show
you
how
to
monitor
them
using
Falco.
So
for
those
of
you
who
doesn't
know
about
Falco
Falco
is
an
open
source
project
for
runtime
security
and
it
can.
It
became
the
de
facto
standard
for
kubernetes
strategic
action.
B
It
was
originally
created
by
sisdig
and
then
donated
to
the
cncf,
and
it's
currently
at
incubation
level,
and
we
both
work
for
it
become
better
and
better
and
we
always
try
to
improve
it.
Its
detection
capabilities,
so
another
thing
that
it's
exciting
about
Falco
is
its
Vibrant,
Community
and
I
think
that
it's
really
nice
to
work
in
such
an
environment,
because
people
are
really
active
and
contributing,
and
hopefully
this
all
that
shows
an
extension
that
we
made
to
Falco,
we'll
encourage
you
to
do
the
same
and
improve
it
and
make
it
become
better
and
better.
B
So,
with
this
in
mind,
we
realize
that
Falco
was
only
able
to
see
in
black
and
white,
meaning
that
he
was
only
able
to
discriminate
and
distinguish
root
and
root
processes,
and
we
wanted
to
put
some
light
in
that
gray
area.
That
capabilities
have
created
in
between.
So
to
summarize,
the
part
of
the
work
that
we
have
done,
we
can
do
it
in
explaining
the
two
main
steps.
B
So,
basically,
what
we
did
is
that
when
Falco
starts,
it
needs
to
be
to
build
the
state
of
the
world,
that
is,
the
state
of
the
the
actual
System
state
at
a
given
point
in
time.
This
is
when
Falco
starts
and
most
of
the
information
used
to
do.
This
comes
from
the
frock
file
system,
and
fortunately
there
is
a
file
in
the
frock
file
system
which
let
us
retrieve
information
about
all
capabilities
of
process,
and
we
use
this
to
populate
the
initial
state.
B
A
A
So,
let's
see
the
condition
here,
so
the
rule
is
going
to
trigger
when
we
create
a
new
container
with
excessive
capabilities
and
in
the
macro
shows
all
the
capabilities
that
we
are
monitoring
in
this
case
and
as
you
can
see,
there
are
assist
model
and
see
speed
race.
There
are
the
two
capabilities
that
we
have
talked
before
and
in
the
bottom
we
can
see
there,
the
output
from
from
Falcon,
and
also
we
have
also
the
the
other
rule
that
we
created.
A
This
is
specific
for
the
use
case,
as
we
talked
before
about
the
release
agent
file.
So
as
we
discussed
before,
the
the
attackers
need
to
modify
the
release
agent
file
in
order
to
inject
the
code
that
you
want
to
execute,
and
that's
mainly
where
we
create
the
detection.
So
once
the
release
agent
file
is
open,
is
open
to
write
a
commands
and
also
the
the
container
as
the
the
sysadmin
capability
and
the
user
is
root.
A
B
That
was
basically
it
hope
you
have
enjoyed
the
salt
and
if
you
have
some
questions,
feel
free
to
reach
out
now
or
in
the
Falco
kubernetes
slack,
and
that's
it
I
hope
you
have
enjoyed
the
talk
and
you
will
use
capabilities
or
try
to
improve
routes
and
hopefully
contribute
to
the
gut
to
be
able
to
improve
Falco.
Always
thanks
a
lot
for
being
here.
C
B
B
D
Thank
you,
maybe
an
obvious
question
for
a
Falco.
We
see
all
the
rule
configurations
that
go
in
the
yaml
configuration
for
the
cluster
does
Falco
look
also
into
those
type
of
of
aspects.
Do
we
consider
that
any
configuration
that
occurs
is
treated
as
an
event
and
then
Falco
will
see
and
analyze,
or
these
are
two
separate,
no.
B
D
E
D
So
if,
if
I'm,
able
now
to
capture
at
runtime,
also
those
type
of
configuration
do
I
have
an
overlap
or
do
I
always
need
to
have
both
of
them,
because
there
are
configuration
types
that
cannot
be
captured
by
by
the
event
triggering
and
looking,
if
I,
if
I'm,
allowing
Falco
to
be
able
to
detect
all
the
configurations
at
runtime
that
happen.
Through
this
you
know,
enamel
configuration
so
I
have
a
duplication.
Now,
I
have
the
rule
engines
that
detect
that
I
have
also
a
file
code.
That
is
looking
from
a
logging
perspective.
C
D
E
C
A
B
You
are
saying
if
it
is
possible
to
deploy
Falco
without
privilege,
yeah
Falcon,
it's
a
specific
and
a
unique
workload
because
it
has
to
inspect
the
system.
So
it
has
to
have
some
privileges,
of
course,
and
we
have
in
a
down
chart.
We
we
try
to
run
the
our
BPF
probe
with
these
Privileges
and
there's.
There
is
an
option
to
do
that,
but
in
general
it
has
to
have
some
privileges.
E
A
A
A
Think
most
of
other
tools
are
basically
using
the
same
way
since
I
mean
it's
not
possible
to
do
any
anyway
in
other
ways,
so
of
course
we
can
reduce
it,
but
at
the
end
it's
something
that
we
need
in
order
to
have
visibility,
and
of
course
we
want
to
have
visibility
in
order
to
provide
the
best
detection
possible.
So
I
think
that's
the
point
good.