►
From YouTube: Building Container Defences Executable at a Time
Description
Supply Chain Security issues are on the rise. Supply Chain Security tools will ensure that whatever you are downloading from container registries is not tampered with. But the granularity of these tools is way too coarse. They work at the container image level. How do you ensure the continuous security of the apps shipped inside the container image? How do you secure the app against attacks where an attacker gains access to the container and replaces the app binaries? There are various ways supported in the k8s land, but they give you all or nothing solutions. How do you actively thwart someone from executing anything that is not shipped inside the image? This talk will showcase novel ideas using Linux Kernel technologies to implement solutions to block untrusted binary execution.
A
Hello
folks
welcome
to
my
talk,
building
container
defense
and
executable
at
a
time.
My
name
is
suraj
deshmukh
and
yeah
a
bit
about
me.
I
work
as
a
senior
software
engineer
at
microsoft
and
I've
been
managing
this
kubernetes
bangalore
meter
for
a
while
now,
and
you
can
find
me
at
any
of
these
following
places
so
yeah.
What
is
today's
talk
about?
A
A
For
example,
crypto
mining
is
the
the
most
popular
one
these
days.
So
how
do
we?
How
do
we
mitigate
that
or
what's
the
defense
against
it?
So
our
defense
is
disallowing.
Execution
of
binary
is
not
shipped
with
the
container
image.
So,
if
we
take
care
of
that
here,
we
are
assuming
like
whatever
is
shipped
with.
A
A
container
image
is
secure,
or
at
least
when
it
was
built.
It
was
built
with
an
intention
of
it
not
being
used
for
what
it
was
with
a
good
intention.
So
yeah,
let's
see
so
what
what
existing
solutions
we
have?
We
can.
We
can
start
a
pod
or
container
with
read-only
file
system,
but
the
thing
with
read-only
flag
on
when
you
start
a
container
in
catas,
you
can
still
still
do
stuff
in
slash
dave
partition
like
you
can
download
new
files
execute
execute
them
from
there.
A
The
other
solution
is
using
scratch
based
image.
It
is
the
most
secure
setup
I
think,
but
it
is
only
suitable
for
apps
that
have
static
binaries
applications
that
need
interpreter
won't
be
able
to
run
in
scratch
based
images.
They
have
to
be
shipped
with
with
a
bunch
of
package,
so
yeah
those
were
existing
solutions
with
disadvantages.
A
A
A
So
here
are
four
components
that
that
will
interact
with
each
other
in
some
way,
so
obviously
there
is
container
run
time,
creating
containers
and
managing
them
and
then
the
actual
container
that
will
be
monitoring
the
application,
as
in
the
the
our
application,
the
policy
enforcer
which
run
runs
alongside
and
the
kernel.
Finally,
so
obviously
the
application
is,
is
it's
continuously
looking
at
what
containers
are
created?
A
Now
this
particular
the
fourth
point
is
not
just
one
step
in
in
actual
coding.
There
are
two
steps
here,
but
for
for
the
sake
of
simplicity,
I've
shown
it
click.
It's
it's
just
one
step.
So
what
you
get
from
the
kernel
is
a
file
descriptor,
it's
a
queue
file,
descriptor
for
a
queue
where
you
can
read
events,
the
events
that
you
run
to
it
and
then
we
we
read
them
and
make
decisions.
A
A
Until
then,
that
system
call
the
execution
of
that
binary
is
paused.
So
we
have
to
respond
to
those
events
to
to
for,
for
those
binaries
to
go
ahead
and
execute
so
like
you
can
see
here
like
in
this
case.
We
have
allowed
it,
but
if,
if
there
is
some
malicious
binary
or
whatever
we
get
that
notification
again
and
depending
on
logic,
we
decide
that
it
should
not
be
allowed
execution.
A
A
So
if
you
notify
mark
is
used
to
place
a
mark
or
a
way
of
saying
this
is
what
I'll,
what
you
should
monitor
so
it
could
be.
You
can
place
a
mark
on
file
system,
mount
point
directory
file,
etc.
So
it
is.
It
is
also
used
to
specify
what
kind
of
events
you
would
like
to
receive.
Like
you
want
read:
write
open,
delete
access,
there
are
various
various
others,
so
yeah
these
are.
The
two
system
calls
and
let's
see
how
it
looks
like
with
the
actual
parameters.
A
So
here
we
are
saying
in
the:
if
you're
not
define
it
like,
we,
we
want
unlimited
q
and
unlimited
marks.
So
if
you
don't
specify
that
we
there
is,
there
is
upper
limit
to
how
many,
how
long
the
cube
can
be
and
how
many
marks
can
be
stored
there.
So
we
are
specifying
that
and
then,
if
f85
mark,
when
we
call
it
actual,
we
are
specifying.
We
want
to
monitor
this
mount
point,
and
specifically,
we
are
looking
for
open,
exact
permission
events,
so
the
this
is.
A
A
A
Obviously,
so
union
file
system
takes
care
of
merging
all
these
all
these
things
that
happen
at
the
container
runtime
level
at
the
at
this
level.
So
that's
what
we're
simulating
here
like.
I
have
started
a
container
called
example,
and
here
I
am
creating
the
fubar
file
like
you
see
here
and
then
removing
the
user
bend
touch
like
you
see
here.
A
A
So
in
this
way
we
can
see.
Okay,
like
a
new
file.
Foo
bar
is
added,
which
means
it's
not
something
that's
shipped
with
with
the
with
the
actual
container
image,
and
this
is
what
will
help
us
identify,
will
help
us
make
decision.
Let's
say
an
attacker,
creates
this
new
file
and
is
trying
to
execute
it,
and
if
we
see
that
it's
a
it's
a
diff
from
the
base
image,
we
can
decide.
Okay,
like
this
is
this
could
be
malicious
and
should
not
be
allowed
so
yeah.
A
A
A
Like
you
have
all
the
binaries
in
there
and
your
your
build
system
gives
you
extra
metadata
about
those
binaries.
Let's
say
your
build
system
is
built
with
secure
software
supply
chain
in
mind,
at
which
point
you
can
have
a
list
of
all
the
binaries
and
their
hashes.
So
it's
it's
not
necessary,
but
it
is
possible
that
your
build
system
takes
care
of
it.
A
The
other
way
to
build
this
source
of
truth
is
you
can
you
can
calculate
this
on
the
fly
before
the
container
starts
after
the
container
has
been
unpacked
on
the
file
system
before
p1
starts?
Obviously-
and
the
third
possibility
is
is,
is
you
can
have
another
some
rest
service
running
so
every
time
a
container
is
started
or
liquid
can
have
a
local
cache,
where
you
just
make
a
api
call,
and
then
it
gives
you
the
it
gives
you
this
list
of
hashes
and
binaries,
so
this
becomes
your
source
of
truth.
A
So
like
this,
you
can
make
make
the
decision
whether
to
allow
certain
binary
to
execute
or
not
so
yeah
like
the
two
designs
have
their
own
pros
and
cons
like
design.
One
is
is,
does
not
need
those
precomputed
hashes
it.
It
removes
the
whole
logistics
of
creating
them
and
things
like
that,
but
which
which
which
design2
obviously
needs
to
function.
A
Second,
is
design.
One
depends.
It
depends
on
the
container
runtime
to
provide
those
steps
which
contain
which
design
two
doesn't
it's
it's
it's
a
runtime
agnostic,
so
we
can.
So
what
this
does
is
like
it
adds
dependency
on
the
runtime
to
be
online
and
like
without
it
the
design
one
one
function
so,
but
design
two
doesn't
care
about
the
uptime
of
run
times.
A
It
will
continue
to
run
so
and
that's
why,
like
the
other
thing
is
almost
all
run
times,
have
decoupled
the
container
and
container
runtime
manager
by
creating
like
with
docker
docker,
has
done
container
d
and
then
contain
addition
for
each
container.
So
using
this,
this
default
pi
kinda
introduces
the
dependency,
thus
rendering
the
decoupling
useless
so
yeah
pros
and
cons.
So
let's
see
what
policy
enforcer
app
like,
where
it
can
run
even
depending
on
that
there
are
pros
and
cons
of
it
like.
A
Let's
say
we
create
a
standalone
application
which
runs
as
daemon
using
systemd
or
kubernetes
d1
set
or
whatever
the
the
pros
are
like.
We
have
flexibility,
especially
with
kubernetes
demon
set.
We
have
flexibility
and
policy
change
enforcement
like
we
can
create
a
operator
which
is
backed
by
crd
and
then
users
just
modify
those
policies
on
the
go,
and
then
it
is
enforced
accordingly.
A
But
the
cons
are
like
a
single
daemon
which
monitors
single
demon
on
the
node,
which
is
monitoring
all
the
containers.
The
problem
with
it
is,
if
it
goes
down
then
like
what
is
what
what
would
be
monitoring
the
containers,
so
there
could
be
attacks
like
that,
taking
taking
advantage
of
that.
What
are
the
other
timing?
Issues
are.
Let's
say,
your
enforcing
application
starts
after
the
containers
to
be
enforced
starts
so
yeah
such
issues
can
happen.
A
Yeah
again,
this
is
assuming
with
content
id
so
like
yeah.
So
if
the
code
lives
there,
that
means
the
container
like
this
monitoring
code
like
it.
It
takes
birth
and
dies
with
the
container
itself,
so
yeah.
So
we
don't
have
all
the
problem
of
late
start
and
all
that,
and
but
the
problem
is
in
flexibility
and
policy
change
enforcement
like
with
crds
we
can.
A
So
we
talked
about
what
the
earlier
before
we
started.
Looking
at
this
new
solution,
we
talked
about
what
the
existing
solutions
were
and
how
this
solution,
this
new
solution,
adds
benefits
over
them.
Like
with
read
on
the
file
system,
we
saw
like
slash
dev,
it
was
writable,
but
everything
else
was
not
writable.
A
A
A
So
what
can
they
do
so
they
can
create
a
new
file,
for
example-
and
you
can
see
like
there
are
events
going
on
up
there.
Okay,
these
are
all
the
events
that
are
for
for
debugging
purposes.
I
have
I'm
showing
like
the
like.
This
particular
thing
is
allowed
like
we
ran,
touch
this
new
file
and
then
we
see
that
this
particular
binary
was
executed,
and
it
says
that
this
was
allowed
all
right.
A
We
can
see
that
this
new
file
accessed
here
new
files,
so
let's
try
to
simulate
something
like
an
attacker,
tries
to
remove
an
existing
binary
and
replace
it
with
something
new.
So
let's
say
our
application
depends
on
this
binary
and
then
it
will
eventually
run
like
shell
out
and
accept
this
binary.
So
we
are
trying
so
as
an
attacker,
we
are
trying
to
remove
that
binary
and
create
a
new
one
in
its
place.
A
A
So
what
are
the
disadvantages
of
this
whole
life
and
notify
based
eventing?
First
of
all,
it's
a
user
space
program.
It
could
slow
down
the
container
application
due
to
the
kernel
mode
user
mode
transition.
Also,
we
are
calculating
in
this
particular
case,
since
we
are
calculating
those
hashes
it
could
it.
It
is
also
slower,
but
we
have
seen
most
of
the
most
of
these
events
or
most
of
the
execution
for
a
long
running
application.
A
So
also
again,
like
I
mean
it
is
not
a
general
thing,
it
depends
on
the
application
as
well
how
many
events
or
new
ends
it
will
generate
at
runtime,
but
in
a
typical
application
it
should
not
generate
more
applications.
It
will
only
generate
them
at
the
boot
time.
So
with
this
will
only
will
only
increase
the
boot
up
time
of
the
application.
A
The
the
second
disadvantage
is.
These
events
are
stored
in
memory,
so
if
they
are
not
processed,
it
could
lead
to
memory
exhaustion
on
the
node,
although,
like
in
in
our
example
code
like
we
saw,
we
created
an
unlimited
queue
with
unlimited
marks,
so
yeah
we
can
limit
that
we
can.
We
can
have
different
parameters
so
that
the
number
of
events
that
are
stored
are
less
the.
The
third
disadvantage
is
we.
A
A
So
if
someone
loads
the
file
into
memory
and
then
jumps
to
it
directly
using
mfd
system
call,
then
no
event
will
be
generated.
If
not,
if
I
want
to
know
it
if
notify
works
at
the
file
system
level,
so
yeah
that
will
be
skipped
and
then
we
won't
know
something
like
this
has
happened,
so
that's
possible,
but
then
again
we
can.
A
A
It
is
possible
that,
and
and
so
with
python
the
events
that
will
be
generated,
where
will
be
only
for
curl
and
the
python
interpreter
itself.
So
the
problem
is,
since
both
were
shipped
with
the
container
image.
They
both
will
be
allowed
and
we
won't
know
it
so
the
app
so
here
the
application
has
to
be
smarter
and
figure
out
like
such
bypasses
are
being
employed.
A
We
can
even
we
can
even
disallow
stdion
for
for
python
interpreter
or
whatever,
and
the
final
problem
is
like.
We
need
to
be
careful
as
a
as
application
designer
like
what
events
we
subscribe
to,
because
it
is
easy
to
create
deadlocks
with
fm
notify.
Let's
say
if
we
subscribe
to
read
events
and
our
enforcer
app
also
is
reading
files
from
the
container
root
fs.
Then
it
will
generate
even
more
events
in
the
process
and
yeah.
It
could
quickly
spoil
it
down
into
deadlocks
so
yeah.
A
These
are
a
bunch
of
disadvantages
of
this,
but
yeah
going
forward
on
the
roadmap
of
what
we're
working
on
the
we
we
plan
on
creating
fine
grain
policies
where
users
can
provide
some
deny
list,
for
example,
of
let's
say
some
interpreters.
They
don't
want
to
have
stedia
in
access
and
things
like
that
so
yeah
and
I
think
with
that.
That's
that's
the
end
of
my
talk.