1 of 33

Minimalism:

Key to Cloud Security

Back

$ whoami

Back

Software Engineer @ Accuknox
Maintainer @ KubeArmor (CNCF Sandbox)
CNCF Ambassador
Google Summer of Code
LFX Mentorship
Open Source Developers Community
Undergraduate Student Graduated wohooo!!

3 of 33

Container

Back

Container

Security

Back

Malicious Actors

Back

Minimalism

Back

Minimal Node Images

Back

Container Optimized OS by Google Cloud
BottleRocket by AWS
RancherOS
…..

9 of 33

Minimal Node Images

Back

Immutable Root File System

10 of 33

Minimal Node Images

Back

Immutable Root File System
Reduced System Bloat

11 of 33

Minimal Node Images

Back

Immutable Root File System
Reduced System Bloat
Hardened Kernel

12 of 33

Minimal Node Images

Back

Immutable Root File System
Reduced System Bloat
Hardened Kernel

Integrity Measurement Architecture (IMA)

13 of 33

Minimal Node Images

Back

Immutable Root File System
Reduced System Bloat
Hardened Kernel

Integrity Measurement Architecture (IMA)
Secure Boot

14 of 33

Rocke Malware

Back

Self-Replication:

The malware copies itself from "/tmp/kthrotlds" to "/usr/sbin/kthrotlds."
It alters the modified time stamp of the copied file, setting it back 416 days.

Shared Object Injection:

The malware writes code to "/usr/local/lib/libcset.c" and compiles it using GCC into a shared object at "/usr/local/lib/libcset.so."
If GCC is not installed, the malware attempts to install it and recompile.

Startup Scripts:

The malware installs an "init.d" startup script at "/etc/init.d/netdns" and a systemd service script at "/usr/lib/systemd/system/netdns.service."
It changes the modified time of these files in a similar manner.�

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

15 of 33

Rocke Malware

Back

Self-Replication:

The malware copies itself from "/tmp/kthrotlds" to "/usr/sbin/kthrotlds."
It alters the modified time stamp of the copied file, setting it back 416 days.�Immutable Root File System

Shared Object Injection:

The malware writes code to "/usr/local/lib/libcset.c" and compiles it using GCC into a shared object at "/usr/local/lib/libcset.so."
If GCC is not installed, the malware attempts to install it and recompile.�No system packages/package managers and File Integrity

Startup Scripts:

The malware installs an "init.d" startup script at "/etc/init.d/netdns" and a systemd service script at "/usr/lib/systemd/system/netdns.service."
It changes the modified time of these files in a similar manner.�Secure Boot�

16 of 33

Containers

Back

Containers

Back

Containers

Back

Lightweight Images

Back

Lightweight Images

Back

How many of you folks are aware of ShellShock Vulnerability. For those of you who don’t know. It’s a vulnerability in bash. Bash is a basic utility that we won’t bother thinking about. But the shellshock vulnerability allowed users to execute arbitrary commands in bash opening up loads of attack scenarios. It’s a vulnerability hat has existed for 30 years till 2014. ��But what if you never packaged bash in your containers. Lightweight base images like alpine don’t include it. Here’s a graph from chainguard how the generic python images is filled with vulnerabilities, but chainguard’s lightweight image don’t have it.��It’s not only about known vulnerabilities though. Like how we talked about ShellShock vulnerability which was hidden for 30 years. Our seemingly innocent packages can become source of targets anyday. Hence we should be lightweight so we have to be lightweight about the approach.

21 of 33

Containers

Back

Kubernetes Security Context

LSM Profiles/Labels
Seccomp
Capabilities

Docker Security Opts

Other Container Runtimes Support this as well

Proxy Filters/Service Mesh/Container Networking Interface Rules
Docker Slim to trim down unnecessary filesystem
Like Node Images use lighted base images for container like alpine, wolfi

22 of 33

Role Based Access Control

Back

Uber Social Engineering Attack

Back

Perimeter Security around Sensitive Files using VPN
VPN Access protected through Multi Factor Authentication

24 of 33

Uber Social Engineering Attack

Back

MFA breached through Social Engineering
Attacker Scans Intranet for Sensitive Assets

Finds Shell Script with Admin Password to PAM
Finds secrets to all services through PAM

25 of 33

Back to Containers

Back

we are already compromised?

26 of 33

Back to Containers

Back

we are already compromised

27 of 33

Access Control Inside Containers

Back

Access Control Inside Containers

Back

Setup Observability to gain visibility
Linux Security Modules
Userspace Interception

LD_PRELOAD
Ptrace

29 of 33

Access Control Inside Containers

Back

Setup Observability to gain visibility

Falco
Tracee

Linux Security Modules

AppArmor Rules (supported by k8s security context and docker security opts)

KubeArmor

30 of 33

Conclusion

Back

31 of 33

Conclusion

Back

Need for Multi Layered Minimalistic Approach
Minimal Node Images / Runtime Infrastructure
Setup Perimeter Around Containers to minimize outside access
Minimize Attack Surface Outside and Inside Containers by removing unnecessary dependencies
Setup Perimeter Inside Containers to minimize unnecessary accesses
Minimum Permissions to all users to prevent social engineering attacks

32 of 33

ThankYou

Back

ThankYou

Questions (⁠づ⁠｡⁠◕⁠‿⁠‿⁠◕⁠｡⁠)⁠づ

Back

1 of 33

2 of 33

3 of 33

4 of 33

5 of 33

6 of 33

7 of 33

8 of 33

9 of 33

10 of 33

11 of 33

12 of 33

13 of 33

14 of 33

15 of 33

16 of 33

17 of 33

18 of 33

19 of 33

20 of 33

21 of 33

22 of 33

23 of 33

24 of 33

25 of 33

26 of 33

27 of 33

28 of 33

29 of 33

30 of 33

31 of 33

32 of 33

33 of 33