Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Enemy Within: Running untrusted code with g...

Ian Lewis
June 25, 2019
Technology
4
1k

The Enemy Within: Running untrusted code with gVisor

Containers are a great way to deploy and isolate application resources but they can fall short when it comes to security isolation. How do you improve the security of a container while maintaining the flexible and dynamic resource usage of a container? There are many options for sandbox containers but which is right for you?

In this talk we will explore gVisor sandbox runtime in depth. gVisor is a unique open-source sandbox runtime that allows you to run unmodified applications in containers with a higher level of isolation and low overhead. It implements the OCI runtime specification and integrates well with containerd and Kubernetes. In this talk I will dive into the container security model and use cases for sandbox pods. I will discuss various approaches and their tradeoffs before diving into the architecture of gVisor and how it differs from virtual machine based sandboxes.

Ian Lewis

June 25, 2019
Tweet

More Decks by Ian Lewis

See All by Ian Lewis
Kubernetes Security Best Practices
ianlewis
38
26k
The Enemy Within: Running untrusted code in Kubernetes
ianlewis
0
1.2k
KubeCon EU Runtime Track Recap
ianlewis
3
1.6k
コンテナによるNoOpsオートメーション
ianlewis
2
140
Google Kubernetes Engine 概要 & アップデート @ GCPUG Kansai Summit Day 2018
ianlewis
2
880
Extending Kubernetes with Custom Resources and Operator Frameworks
ianlewis
10
3.7k
Kubernetesのセキュリティのベストプラクティス
ianlewis
12
17k
Scheduling and Resource Management in Kubernetes
ianlewis
2
1.4k
Keynote: The Kubernetes Community
ianlewis
0
210

Other Decks in Technology

See All in Technology
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.4k
10分でわかるfreeeのQA
freee
1
3.4k
バクラクにおける可観測性向上の取り組み
yuu26
3
420
新卒1年目が向き合う生成AI事業の開発を加速させる技術選定 / ai-web-launcher
cyberagentdevelopers
PRO
7
1.5k
Fargateを使った研修の話
takesection
0
120
物価高なラスベガスでの過ごし方
zakky
0
380
ガバメントクラウド単独利用方式におけるIaC活用
techniczna
3
270
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
170
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
220
スプリントゴールにチームの状態も設定する背景とその効果 / Team state in sprint goals why and impact
kakehashi
2
100

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Side Projects
sachag
452
42k
BBQ
matthewcrist
85
9.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Making Projects Easy
brettharned
115
5.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
How GitHub (no longer) Works
holman
311
140k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Statistics for Hackers
jakevdp
796
220k

Transcript

  1. Ian Lewis Developer Advocate, Google Cloud Platform The Enemy Within

    Running Untrusted Code with gVisor

  2. 2 gVisor Ian Lewis (@IanMLewis) Developer Advocate, Google

  3. 3 gVisor • Running untrusted code • User uploaded code

    • Third-party code • Complex code/Complex user input • Code you wrote but you don't trust yourself…. So you want to run some code...

  4. 4 gVisor • SaaS/Serverless • Video/Image transcoding • Machine learning

    Use Cases

  5. 5 gVisor Too much privileged code Application Host Kernel

  6. 6 gVisor Too much privileged code Application Host Kernel open("/path/to/file",

    O_RDWR)

  7. 7 gVisor Too much privileged code Application Host Kernel

  8. 8 gVisor Too much privileged code Application Host Kernel file

    descriptor

  9. 9 gVisor • Protects attackers from escaping the runtime environment

    • Code running in the sandbox is untrusted Container Sandboxes

  10. 10 gVisor • Goal of the sandbox is to reduce

    execution of trusted, privileged code (e.g. kernel code) • Achieved through abstraction/virtualization of host. • Don't want to expose the system to risk of any single bug ◦ Need two layers of isolation Sandbox Isolation

  11. 11 gVisor OS-Level Virtualization (containers) Application Host Kernel Namespace

  12. 12 gVisor Unikernels Application Host Kernel Guest OS Hypervisor

  13. 13 gVisor • Containers ◦ They aren't good security isolation

    boundaries ◦ Only one layer of isolation ◦ Any one bug in the host kernel could lead to a full host compromise • Unikernels ◦ Can't bring your own container (must be specially crafted) Containers & Unikernels are cool but...

  14. 14 gVisor Virtual Machines Application Host Kernel Guest OS Hypervisor

    Hardware

  15. 15 gVisor (Type 2) Virtual Machines Application Host Kernel Guest

    OS Hypervisor Hardware

  16. 16 gVisor (Type 1) Virtual Machines Application Host Kernel Guest

    OS Hypervisor Hardware

  17. 17 gVisor • We want more container-like properties ◦ Flexible

    resource usage ▪ Don't want to assign full sets of memory or CPU to the sandbox ▪ Want to be able to reclaim memory if possible ◦ Quick X0ms startup time ▪ Don't want to have a lot of guest OS boot time. ◦ Easier maintenance and integration into container infrastructure VMs are cool but...

  18. 18 gVisor

  19. 19 gVisor Virtual Machines Application OS Virtualized Hardware

  20. 20 gVisor gVisor Virtualization Application Virtualized OS

  21. 21 gVisor gVisor: Two Layers of Isolation Application Guest OS

    (Sentry) Host Kernel Namespace

  22. 22 gVisor gVisor: Two Layers of Isolation Application Guest OS

    (Sentry) Host Kernel Namespace

  23. 23 gVisor • Two layers of isolation • Uses the

    same principle of virtualization as VMs ◦ Virtualization at the OS; Linux Syscall layer • Reduces the host attack surface ◦ Calls to the host OS are controlled by the Sentry ◦ Most syscall logic handled by Sentry ◦ No syscalls are "passed through". Applications cannot pass arbitrary arguments to the host kernel. gVisor

  24. 24 gVisor gVisor Architecture Host Linux Kernel User Kernel runsc

    OCI Kubernetes

  25. 25 gVisor gVisor Architecture KVM/ptrace Gofer Host Linux Kernel Sentry

    Sandbox User Kernel 9P runsc OCI Kubernetes

  26. 26 gVisor gVisor Architecture KVM/ptrace Gofer Host Linux Kernel Sentry

    Sandbox User Kernel 9P runsc OCI Kubernetes seccomp + ns seccomp + ns

  27. 27 gVisor gVisor Architecture KVM/ptrace Gofer Host Linux Kernel Container

    Sentry Sandbox User Kernel 9P runsc OCI Kubernetes seccomp + ns seccomp + ns

  28. 28 gVisor gVisor Architecture KVM/ptrace Gofer Gofer Gofers Containers Containers

    Host Linux Kernel Containers Sentry Sandbox User Kernel 9P runsc OCI Kubernetes seccomp + ns seccomp + ns

  29. 29 gVisor • Two security layers • Minimal access to

    host ◦ No syscall is passed thru the host ◦ Limited host syscalls allowed ◦ User mode • Pure Go ◦ No cgo allowed • Unsafe code is carefully reviewed • Statically linked, few external dependencies • Trust nobody Design Principles

  30. 30 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth

  31. 31 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox Sandbox

  32. 32 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox cgroup Sandbox

  33. 33 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox cgroup namespace Sandbox

  34. 34 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox cgroup namespace chroot Sandbox

  35. 35 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox cgroup namespace chroot user / group / capabilities Sandbox

  36. 36 gVisor • Sentry is first layer of defense ◦

    Assume it will be compromised ◦ User mode • Pod cgroup • Namespaces • Terminal chroot • uid/gid: nobody ◦ Drop all capabilities • Seccomp ◦ # of syscalls is the wrong metric Defense in Depth: Sandbox cgroup namespace chroot user / group / capabilities seccomp Sandbox

  37. 37 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer

  38. 38 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer Gofer

  39. 39 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer cgroup Gofer

  40. 40 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer cgroup reduced namespaces Gofer

  41. 41 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer cgroup reduced namespaces chroot Gofer

  42. 42 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer cgroup reduced namespaces chroot reduced capabilities Gofer

  43. 43 gVisor • Isolated from user code • Pod cgroup

    • Caller’s user namespace • Chroot to rootfs ◦ Bind mounts • Runs as root ◦ Similar to “docker run” as root ◦ Drop non-FS capabilities • seccomp Defense In Depth: Gofer cgroup reduced namespaces chroot reduced capabilities seccomp Gofer

  44. 44 gVisor • Be aware of defaults ◦ K8s is

    optimized for ease-of-use, not security ◦ CPU/Memory/Disk limits • Network/Disk isolation ◦ Network access: Use NetworkPolicy ◦ Arbitrary packet injection: Sentry provides isolation ◦ File writes/permissions: Use read-only filesystems ◦ No throttling mechanism: use cgroups What's not protected?

  45. 45 gVisor • Integrated with RuntimeClass ◦ RuntimeClassName: gvisor •

    Minikube ◦ minikube addons enable gvisor ◦ github.com/kubernetes/minikube/tree/master/deploy/addons/gvisor • GKE SandboxBETA ◦ cloud.google.com/kubernetes-engine/sandbox • gvisor-containerd-shim ◦ github.com/google/gvisor-containerd-shim gVisor &

  46. 46 gVisor • https://gvisor.dev/ • https://github.com/google/gvisor • Gitter: https://gitter.im/gvisor/community •

    Mailing lists: gvisor-users, gvisor-dev gVisor is Open Source & Thanks!