
# container-security

Resources for container security research, covering Docker, Kubernetes, and the underlying Linux kernel mechanisms.

## Kernel and architecture

- "Namespaces in operation" by Michael Kerrisk - whitepaper
- "Control groups series" by Neil Brown - whitepaper
- 2018, KubeCon, CloudNativeCon: "Container Isolation at Scale (Introducing gVisor)" by Dawn Chen and Zhengyu He - slide - video
- 2018: "A history of low-level Linux container runtimes" by Daniel J. Walsh - article
- 2015: "The History of Containers" by thildred - article
- 2015, LinuxCon: "Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic" by Jérôme Petazzoni - slide
- 2013: "Resource management: Linux kernel Namespaces and cgroups" by Rami Rosen - slide

## Escaping

- 2018: "CVE-2017-1002101: kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath" - article - exp
- 2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira - article
- 2016: "Abusing Privileged and Unprivileged Linux Containers" by NCC Group - whitepaper
- 2015: "Chw00t: How to break out from various chroot solutions" by Balázs Bucsay - slide
- 2014: "Container escape through open_by_handle_at (shocker exploit)" - vuln - exp

## Docker

- 2016: "Docker & Security" by Florian Barth and Matthias Luft - slide
- 2016, BSides: "Docker: Security Myths, Security Legends" by Rory McCune - video
- 2015, BlackHat: "Vulnerability Exploitation In Docker Container Environments" by Anthony Bettini - video - slide - whitepaper

## Kubernetes

- 2018: "Hard Multi-Tenancy in Kubernetes" by Jessie Frazelle - article

## Exploring Container Security articles by Google

- Exploring container security: An overview - article
- Exploring container security: Node and container operating systems - article
- Exploring container security: Digging into Grafeas container image metadata - article
- Exploring container security: Protecting and defending your Kubernetes Engine network - article
- Exploring container security: Running a tight ship with Kubernetes Engine 1.10 - article
- Exploring container security: Using Cloud Security Command Center (and five partner tools) to detect and manage an attack - article
- Exploring container security: Isolation at different layers of the Kubernetes stack - article

## Hardening

- 2016: "Understanding and Hardening Linux Containers" by NCC Group - whitepaper

## Misc

- 2018: "How modern containerization trend is exploited by attackers" - article
- 2018: "How one of our Kubernetes clusters got pwned" by Shopify - article
- 2015, Defcon 23: "Linux Containers: Future or Fantasy?" by Aaron Grattafiori - video - slide

## Best Practices

- The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. https://github.com/docker/docker-bench-security
- The Kubernetes Bench for Security (kube-bench) is a Go application that checks whether Kubernetes is deployed according to security best practices. https://github.com/aquasecurity/kube-bench