BruCON 0x0A has ended
Friday, October 5 • 12:00 - 13:00
Outside the Box: Breakouts and Privilege Escalation in Container Environments


Containers have quickly become a standard feature of most application and infrastructure stacks. The benefits of containers are numerous, with ease of use being a primary motivator. This has seen adoption by numerous cloud service providers. Application containers are expected to be a $2.7bn market by 2020[1]. The most popular container solution, Docker, has had 14 million hosts accessing their public Docker Hub, pulling down 12 billion container images[2]. At least 40% of organizations using Docker are also using a container orchestration service such as Kubernetes, Mesos, Amazon ECS, or Google Container Engine[3]. 

Escaping these container solutions is seen as a hard problem, requiring kernel vulnerabilities, bespoke ROP chains, or framework flaws. This is not the case! In this talk we will explore, from an attacker's perspective, real-world exploitable setups we've encountered. We will demonstrate numerous container escapes, including exposed Docker daemons and Kubernetes API access in multi-tenant environments, weak Linux capability blacklists, and seccomp bypasses. These are not theoretical vulnerabilities or contrived lab examples, but actual misconfigurations we've seen in large cloud service providers.

Many container operators and developers don't understand the implications of certain configurations, or the attack surface that arises where the container technology meets the Linux kernel and its other subsystems. Secure design and configuration of a container environment requires a deep understanding of Unix sockets, networking, and namespaces, and an equally deep understanding of container RPC and orchestration endpoints. Small, easy-to-overlook missteps such as using the wrong network namespace, exporting the wrong port, or overlooking one of the hundreds of Linux syscalls can have disastrous results.

The talk will provide a methodology that security professionals can use when assessing containerized environments, and we will demonstrate attacks against common deployments. We will also cover configuration recommendations that help engineers avoid these mistakes, and tools you can use to check for a safe configuration.
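As an added illustration of the kind of "check for a safe configuration" tooling the abstract mentions (this is example code written for this page, not a tool from the talk or its authors), the script below statically audits a container's `HostConfig`, in the shape `docker inspect` returns, for the misconfiguration classes the abstract names: shared host namespaces, over-broad capability grants, a disabled seccomp or AppArmor profile, a bind-mounted Docker socket, and a daemon API listening on plain TCP. The `SAMPLE_*` dictionaries are constructed inputs, and the `HIGH_RISK_CAPS` set is this example's own choice of capabilities to flag, not a list taken from the page.

```python
"""
Static audit of Docker container and daemon configuration for the
misconfiguration classes described in the talk abstract. Example code for
this page; the sample inputs below are constructed, not captured from a host.
"""
from __future__ import annotations

# Capabilities whose grant to a container is commonly treated as equivalent
# to root on the host (assumption: this is the example's own selection).
HIGH_RISK_CAPS = {
    "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
    "NET_ADMIN", "SYS_RAWIO",
}

# Bind-mount sources that hand the container control of the host.
SENSITIVE_BIND_SOURCES = {"/var/run/docker.sock", "/run/docker.sock", "/"}


def _norm_cap(cap: str) -> str:
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_host_config(host_config: dict) -> list[str]:
    """Return one finding string per risky setting in a HostConfig dict."""
    findings: list[str] = []

    if host_config.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access")

    # Sharing a host namespace removes the isolation that namespace provides.
    for key, label in (("NetworkMode", "network"), ("PidMode", "pid"),
                       ("IpcMode", "ipc"), ("UTSMode", "uts")):
        if host_config.get(key) == "host":
            findings.append(f"{label}-namespace: shares the host {label} namespace")

    for cap in host_config.get("CapAdd") or []:
        if _norm_cap(cap) in HIGH_RISK_CAPS:
            findings.append(f"capability: {_norm_cap(cap)} added to the container")

    # Unconfined seccomp/AppArmor removes the syscall and MAC filtering layer.
    for opt in host_config.get("SecurityOpt") or []:
        if opt.lower() in ("seccomp=unconfined", "seccomp:unconfined",
                           "apparmor=unconfined", "apparmor:unconfined"):
            findings.append(f"security-opt: {opt} disables a kernel-side sandbox")

    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_BIND_SOURCES:
            findings.append(f"bind-mount: {src} exposed inside the container")

    return findings


def audit_daemon_hosts(daemon_json: dict) -> list[str]:
    """Flag daemon.json 'hosts' entries that expose the API over TCP without tlsverify."""
    findings: list[str] = []
    tls_required = bool(daemon_json.get("tlsverify"))
    for listener in daemon_json.get("hosts") or []:
        if listener.startswith("tcp://") and not tls_required:
            findings.append(f"daemon: API listening on {listener} without tlsverify")
    return findings


# Constructed sample inputs (not real hosts).
SAMPLE_BAD = {
    "Privileged": False,
    "NetworkMode": "host",
    "PidMode": "host",
    "CapAdd": ["SYS_ADMIN", "CAP_NET_RAW"],
    "SecurityOpt": ["seccomp=unconfined"],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"],
}
SAMPLE_GOOD = {
    "NetworkMode": "default",
    "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges"],
    "Binds": ["/data:/data:ro"],
}
DAEMON_BAD = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
DAEMON_GOOD = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
               "tlsverify": True}

if __name__ == "__main__":
    for name, cfg in (("bad container", SAMPLE_BAD), ("good container", SAMPLE_GOOD)):
        print(name, audit_host_config(cfg))
    for name, cfg in (("bad daemon", DAEMON_BAD), ("good daemon", DAEMON_GOOD)):
        print(name, audit_daemon_hosts(cfg))
```

In practice you would feed `audit_host_config` the `HostConfig` object from `docker inspect` for every running container, and `audit_daemon_hosts` the parsed `/etc/docker/daemon.json`; a non-empty result is a review item, not proof of compromise, since some workloads legitimately need a given setting.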


Craig Ingram

Craig is a Principal Platform Security Engineer at Salesforce with over 12 years' experience working in the security industry. At Salesforce Craig is hands-on with secure SDL/DevOps implementation and automation, penetration testing, and security research including reverse engineering...

Etienne Stalmans

Etienne is a member of the Public Cloud Security Group at Salesforce, and a security researcher with a keen interest in protocol reversing and finding ways to abuse functionality in everyday products. He completed an MSc in Network Security, focusing on botnets and DNS. He has spoken...

Friday October 5, 2018 12:00 - 13:00 CEST
01. Westvleteren University