Check your privilege: CoreOS's container tech rkt gets priv-escalation defense on Intel chips

Code canned when it oversteps the mark

CoreOS's Linux container manager rkt – pronounced "rock-it" for those willing to pay for a few vowels – can now defend against privilege escalation attacks on virtual machines hosting Intel Clear Containers.

Clear Containers, launched last year, represents Intel's effort to combine the isolation provided by virtual machines with the deployment advantages of containers, in conjunction with hardware acceleration.

rkt has supported virtual machine-based containers for more than a year through KVM stage1. Now CoreOS has given rkt the ability to automatically shut down a container that is subject to a privilege escalation attack and to start a new instance of that container.

"What we've done is patched the kernel and we trap various important system calls like open and exec," said Brandon Philips, CTO of CoreOS, in a phone interview with The Register.

If you're running containers on bare metal, Philips said, "you want increased isolation and an additional layer of privilege separation."

As CoreOS security engineer Matthew Garrett describes in a blog post, the modifications to the kernel allow it to notify the hypervisor when processes are created and destroyed.

Communication between the two software components allows them to coordinate their respective states. These states can then be confirmed whenever a process requires permission verification.

"For example, when a process requests that a file be opened, the kernel now calls out to the hypervisor," said Garrett. "The hypervisor is then able to examine the process state and ensure that it remains consistent with its internal representation of process state."

If an inconsistency is detected, that is, if the kernel's state differs from the hypervisor's state, that indicates unauthorized modification. When that happens, an administrator can be notified and the compromised container can be discontinued or restarted.
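A minimal model of the consistency check described above, as an added example that is not CoreOS's or rkt's code. It assumes the tracked process state is just a uid, and every type and function name in it (`hv_notify_create`, `hv_check` and so on) is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: all names are hypothetical, not rkt or kernel APIs. */
#define MAX_PROCS 16
struct shadow_proc { int pid; unsigned uid; bool live; };

/* Hypervisor-side table, kept outside the guest kernel's memory. */
static struct shadow_proc shadow[MAX_PROCS];

static struct shadow_proc *shadow_find(int pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (shadow[i].live && shadow[i].pid == pid)
            return &shadow[i];
    return NULL;
}

/* Guest kernel -> hypervisor: a process was created. */
bool hv_notify_create(int pid, unsigned uid) {
    if (shadow_find(pid)) return false;        /* duplicate pid: reject */
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (!shadow[i].live) {
            shadow[i] = (struct shadow_proc){ pid, uid, true };
            return true;
        }
    return false;                              /* table full */
}

/* Guest kernel -> hypervisor: a process was destroyed. */
void hv_notify_destroy(int pid) {
    struct shadow_proc *p = shadow_find(pid);
    if (p) p->live = false;
}

enum hv_verdict { HV_CONSISTENT, HV_MISMATCH, HV_UNKNOWN_PROC };

/* Called from the trapped open/exec path with the kernel's current view. */
enum hv_verdict hv_check(int pid, unsigned kernel_uid) {
    struct shadow_proc *p = shadow_find(pid);
    if (!p) return HV_UNKNOWN_PROC;            /* never announced: fail closed */
    return p->uid == kernel_uid ? HV_CONSISTENT : HV_MISMATCH;
}

/* Policy from the article: stop or restart the container on any inconsistency. */
bool container_must_stop(enum hv_verdict v) { return v != HV_CONSISTENT; }

int main(void) {
    hv_notify_create(100, 1000);   /* constructed scenario: uid 1000 process */
    return container_must_stop(hv_check(100, 0)) ? 0 : 1;  /* kernel now says uid 0 */
}
```

The model fails closed: a process the hypervisor was never told about is treated the same as one whose kernel-side state has diverged.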

Philips said the changes to rkt make a large class of attacks more difficult.

Vulnerabilities that aren't addressed, like "Dirty COW" and attacks within the userspace, may eventually be addressed by other Linux-oriented security efforts like the Kernel Self Protection Project and the GRSecurity project.
