
Re: [Publicity] Docker Open Source Container Virtualization on the Rise



Sarah, is the following the kind of info you're after?


On 11 Feb 2014, at 21:27, Sarah Conway <sconway@xxxxxxxxxxxxxxxxxxx> wrote:

This is excellent fodder. Regarding this info: There have been dozens of Linux privilege escalation vulnerabilities through the system call layers over the years: any one of these vulnerabilities would give an attacker control of all containers on the system.

Are there any specific examples of Linux privilege escalation vulnerabilities you can share?

Thanks,


On Tue, Feb 11, 2014 at 2:42 PM, Anil Madhavapeddy <anil@xxxxxxxxxx> wrote:
The recent x32 ABI exploit in Linux puts the dangers of placing too much trust in containers in sharp relief.

http://www.zdnet.com/low-level-exploit-sends-ubuntu-opensuse-kernel-bug-hunting-7000025872/

Perhaps the simplest thing is to look for a list of recent CVE vulnerabilities and highlight which ones would be blocked by Xen, KVM and containers.  I've not seen such a list elsewhere on the web.

-anil

On 11 Feb 2014, at 19:36, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:

> There does seem to be a really big push for containers, and I do think we need to think about how to get a counter-message out.
>
> The basic facts are that containers probably are lower overhead, in terms of memory and cpu overhead, than virtualizing a full OS (though probably not for cloud OSes like OSv or Mirage -- particularly if running in PV or PVH mode on Xen).
>
> But they are absolutely less secure than hypervisors.  The system call interface is much more porous than the hypervisor interface.  There have been dozens of Linux privilege escalation vulnerabilities through the system call layers over the years: any one of these vulnerabilities would give an attacker control of all containers on the system.
>
> By contrast, Xen has had only one vulnerability that allows a guest to break into the hypervisor, and that due to a processor bug: and it only worked in PV mode, on Intel boxes.  I don't know what KVM's record is, but I'm sure it's similar.
>
> So containers are completely inappropriate for a public cloud environment, where users who don't trust each other share the same hardware.  Nor are they appropriate if you want to make sure that successfully attacking one server cannot easily attack other servers.
>
> The place where they make the most sense is in private clouds, particularly if there aren't any public-facing services, or if the public-facing services are lower value, where security is less critical than performance.
>
> Just tossing this out there -- would it make sense at all to coordinate with KVM (or even VMWare) people about this?  Are RedHat or Canonical doing anything with containers?  I think the OSv guys should be on-side; particularly if it gives them an opportunity to make a case for their approach.
>
> -George
>
> On 02/11/2014 07:08 PM, Sarah Conway wrote:
>> FYI,
>>
>> Below is VARGuy coverage of the latest Docker release. (1.0 version is
>> expected in April.) With these new releases, supposedly Docker can now
>> "meet the demands of cloud computing and PaaS solutions." They are
>> positioning it as the next logical step for PaaS, pigeon-holing
>> hypervisors as only beneficial to IaaS.
>>
>> The article goes on to say: "Unlike the virtualization hypervisors that
>> power most virtual servers today, Docker doesn't virtualize an entire
>> operating system. Instead, it provides virtualized application
>> containers that run on top of a "bare-metal" host operating system. By
>> virtualizing at the application level, Docker can offer greater
>> portability, efficiency and security."
>>
>> http://thevarguy.com/virtualization-applications-and-technologies/021014/docker-open-source-container-virtualization-rise?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheVarGuy+%28The+VAR+Guy%29
>>
>> An article from Dec. 2013:
>>
>> http://www.networkworld.com/community/blog/containers-new-hypervisors
>>
>> Some additional messaging from their web site:
>>
>> Seven months after launching, the Docker ecosystem is expanding rapidly:
>> Docker has been downloaded over 200,000 times, has received over 7,500
>> Github stars, and is receiving contributions from more than 200
>> community developers. Over 2,500 "Dockerized" applications are now
>> available at the Docker public index, and third party projects and
>> partnerships built on top of Docker span PaaS, operating systems,
>> hosting services, CI platforms, and more. Over 50 user-created case
>> studies are available from companies such as eBay, Cloudflare,
>> Rackspace/Mailgun, Yandex, Cambridge Health Care, and RelateIQ.
>>
>> I suggest we finesse our messaging against container technologies like
>> Docker, which are gaining traction in the press right now. Feedback from
>> the AB on this point would be appreciated. It will likely be a question
>> that comes up in the near future. We could also try to piggy-back any
>> Docker 1.0 coverage that might be coming out in the April timeframe,
>> offering reporters a counter opinion/view on containers vs.
>> virtualization, etc.
>
>
> _______________________________________________
> Publicity mailing list
> Publicity@xxxxxxxxxxxxxxxxxxxx
> http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity
>





--
Sarah Conway
PR Manager
The Linux Foundation
sconway@xxxxxxxxxxxxxxxxxxx
(978) 578-5300  Cell
Skype:  sarah.k.conway
