
Comments (12)

drwetter avatar drwetter commented on July 24, 2024

Hi Lukas,

thanks! @wurstbrot: would you mind making the sources available?

Cheers, Dirk

from docker-security.

wurstbrot avatar wurstbrot commented on July 24, 2024

Hi @gramsimamsi ,
thank you, changed it to "container outbreak".
What do you think about adding "Privilege Escalation in Daemon" or "Exploits" as a leaf of "Container Outbreak" (e.g. dirty cow)?

I will create a separate PR to add source slides so everyone will be able to "copy"/"fork" and change it.


gramsimamsi avatar gramsimamsi commented on July 24, 2024

Hi @wurstbrot ,
sorry for the misunderstanding - "container breakout" is the correct one :)

PrivEsc through daemon is definitely another valid problem.
Only problem would be the structure of leaves IMO, since kernel exploits may also be used for container breakouts in a similar way.

...on the other hand, other kernel or daemon exploits might be used for DOS, too.


wurstbrot avatar wurstbrot commented on July 24, 2024

@gramsimamsi my fault.

"...on the other hand, other kernel or daemon exploits might be used for DOS, too" or network... Therefore, I added a note next to DoS

Please check page 68 again; I improved PrivEsc.
The structure is also changed due to PrivEsc.

In addition, I changed "kernel exploit" to "kernel vulnerability".

Comments?


gramsimamsi avatar gramsimamsi commented on July 24, 2024

Looks good so far! I'd add another leaf to Container Breakout though - "privileged containers".

Since we have user namespace remapping in docker + kubernetes, processes can run as root inside a container, but not be root outside the container context (helps in cases where i.e. other vulns allow the container to poke around outside its context).

Privileged containers pose a threat as processes are still considered root outside the container context. Even privileged containers not running as root might pose a threat, as the UID given through a "USER X" line in a Dockerfile might map to an existing user on the host with access to more files/resources/...

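The three risk factors discussed in this comment and later in the thread (privileged containers, processes running as root without user namespace remapping, and risky bind mounts) can be audited mechanically from `docker inspect` output. The following is an added example, not code from the OWASP Docker-Security project; the inspect records are constructed samples, and the list of sensitive host paths is an assumption chosen for illustration.

```python
"""Audit docker-inspect-style JSON for container-breakout risk factors:
privileged containers, root processes without userns remapping, and bind
mounts of sensitive host paths. Example code; sample data is constructed."""
import json

# Constructed sample resembling `docker inspect` output (not real containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "UsernsMode": "",
                    "Binds": ["/srv/www:/var/www:ro"]}},
    {"Name": "/agent", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": True, "UsernsMode": "",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/batch", "Config": {"User": "65534"},
     "HostConfig": {"Privileged": False, "UsernsMode": "",
                    "Binds": ["/:/host"]}},
])

# Assumed list of host paths whose bind mount gives broad host access.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/proc", "/sys", "/dev")

def _risky_source(src):
    """True if the bind's host path is, or lies under, a sensitive path."""
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")

def audit_container(c, userns_remap_enabled):
    """Return a list of findings for one inspect record."""
    findings = []
    host = c["HostConfig"]
    user = c["Config"].get("User") or ""
    runs_as_root = user in ("", "0", "root") or user.startswith("0:")
    # Daemon-wide remap applies unless the container opted out with --userns=host.
    remapped = userns_remap_enabled and host.get("UsernsMode") != "host"
    if host.get("Privileged"):
        findings.append("privileged container")
    if runs_as_root and not remapped:
        findings.append("process runs as root without user namespace remapping")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]  # "host_path:container_path[:options]"
        if _risky_source(src):
            findings.append("risky bind mount: " + src)
    return findings

def audit(inspect_json, userns_remap_enabled=False):
    """Map container name -> findings, omitting clean containers."""
    report = {}
    for c in json.loads(inspect_json):
        found = audit_container(c, userns_remap_enabled)
        if found:
            report[c["Name"]] = found
    return report
```

Run it against `docker inspect $(docker ps -q)` output and pass `userns_remap_enabled=True` when `docker info` reports a userns-remap setting; `/web` then drops out of the report while the privileged and bind-mount findings remain.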

wurstbrot avatar wurstbrot commented on July 24, 2024

@gramsimamsi thank you! Please check the mind map on slide 74 again.


gramsimamsi avatar gramsimamsi commented on July 24, 2024

You're welcome - looks great now, I've got nothing more to add :)


drwetter avatar drwetter commented on July 24, 2024


hartwork avatar hartwork commented on July 24, 2024

So risky bind mounts are considered covered by "processes as root" in https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png as of today — is that correct?


wurstbrot avatar wurstbrot commented on July 24, 2024

@hartwork: @drwetter announced he will create another one and will not maintain the current one. Therefore, I have not placed my updates here.
Everyone can copy and adjust the mind map, just for your information.

Please find the current mind map on https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit?usp=sharing slide 89.

Does that solve your question?


hartwork avatar hartwork commented on July 24, 2024

Does that solve your question?

Yes! (So this ticket may not be as done as it appeared to me earlier.)

For a direct link to page 89 if anyone needs it: https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit#slide=id.g5d977fc8c0_6_3103


drwetter avatar drwetter commented on July 24, 2024

@hartwork : If a ticket is done it'll be closed ;-)

I have started a threat model map I created for my talk in Amsterdam (https://www.owasp.org/images/d/df/Dirk_Wetter_-_Docker_Top10-AMS.pdf). It is in SVG format (that's what I meant by sources) but still is not as good as I wanted it to be. So Timo's is for now the working revision, despite the wording which @gramsimamsi correctly pointed out.

