Cloud Native Security: Container Escape and Mitigation Strategies
Meituan's security team explains cloud-native architecture, outlines container-escape threats from kernel bugs, vulnerable runtimes and misconfigurations, and recommends mitigation through hardened kernels, secure-container runtimes like gVisor or Kata, rigorous patch management, and collaborative feature development to strengthen runtime protection.
This article from Meituan's information security team explores cloud native security, focusing on container escape as a key risk model. The authors provide a comprehensive analysis of container security from both attacker and defender perspectives.
The article begins by defining cloud native as a technology system and methodology where applications are designed from the ground up for cloud environments, leveraging cloud's elasticity and distributed advantages. Key cloud native technologies include containers, service mesh, microservices, immutable infrastructure, and declarative APIs.
The authors present a cloud native security technology landscape, organizing security into layers: hardware security (trusted environments), host security, container orchestration (Kubernetes as the "operating system" for the cloud), and application layers including microservices, service mesh, containers (Docker), and container images.
Container security is abstracted into three phases: build-time security (Build), deployment-time security (Deployment), and runtime security (Runtime). The article focuses on runtime security, particularly container escape risks.
The authors identify three main attack surfaces for container escape: Linux kernel vulnerabilities, container itself, and insecure deployment configurations. They explain that containers share the host kernel and use Namespace and Cgroup technologies for isolation, making kernel vulnerabilities particularly dangerous.
For Linux kernel vulnerabilities, the article explains the general methodology for kernel privilege escalation and how it differs from container escape, which requires breaking namespace restrictions. The classic Dirty Cow vulnerability is used as an example, demonstrating how to exploit it using the vDSO (Virtual Dynamic Shared Object) technique to achieve container escape.
Regarding container vulnerabilities, the article discusses Docker's architecture and how vulnerabilities in components like runc can lead to container escape. The CVE-2019-5736 vulnerability in runc is explained in detail, showing how it can be exploited through malicious images or during container execution.
The article also covers insecure deployment configurations, such as privileged containers, containers running as root, and improper capability settings. It references best practices from the Center for Internet Security (CIS) and mentions automated tools like gVisor.
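As an added example that is not part of the original article or this summary, the check below audits a constructed Kubernetes Pod manifest for the escape-relevant deployment settings the paragraph lists (privileged mode, root user, added capabilities, shared host namespaces). The manifest is made up for illustration and the capability list is a simplification, not the CIS benchmark itself.

```python
import json

# Constructed Pod manifest (not from the original article). The "app" container
# carries several of the insecure settings the summary warns about; "sidecar"
# shows a hardened securityContext for comparison.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"hostPID": true,
  "containers": [
   {"name": "app", "image": "example/app:1.0",
    "securityContext": {"privileged": true,
                        "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}},
   {"name": "sidecar", "image": "example/sidecar:1.0",
    "securityContext": {"runAsNonRoot": true, "runAsUser": 1000,
                        "allowPrivilegeEscalation": false,
                        "capabilities": {"drop": ["ALL"]}}}]}}
""")

# Capabilities that weaken namespace isolation enough to matter for escape;
# a simplified list chosen for this example, not an exhaustive or official one.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod: dict) -> list:
    """Return human-readable findings for escape-relevant misconfigurations."""
    findings = []
    spec = pod.get("spec", {})
    # Pod-level flags that put the container into a host namespace.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key}=true shares a host namespace")
    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true unless disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Without runAsNonRoot or a non-zero runAsUser, uid 0 is not ruled out.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: not guaranteed non-root (uid 0 possible)")
        caps = sc.get("capabilities") or {}
        bad = sorted(DANGEROUS_CAPS & set(caps.get("add", [])))
        if bad:
            findings.append(f"{name}: adds dangerous capabilities {bad}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL default capabilities")
    return findings
```

Running `audit_pod(SAMPLE_POD)` reports six findings, all on the pod level or the "app" container; the hardened "sidecar" produces none.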
For mitigation strategies, the authors discuss two main approaches: isolation through secure containers and hardening through secure kernels. They compare gVisor and Kata Containers as secure container implementations, explaining their architectures and trade-offs. The article favors gVisor for its lightweight design but acknowledges Kata Containers' better suitability for enterprise environments.
The secure kernel section addresses kernel patch management challenges, including patch lifecycle delays, kernel version fragmentation, and customization issues. The authors propose implementing security features to defend against classes of vulnerabilities before patches are available, citing examples like SLAB_FREELIST_HARDENED.
The implementation strategy involves selecting security features from mainline Linux, backporting from Red Hat, or porting from Grsecurity/PaX. The authors emphasize careful evaluation, performance testing, and gradual deployment.
The article concludes with an ideal scenario where security features are developed collaboratively with kernel teams, thoroughly tested, and eventually contributed back to the Linux community.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Meituan Technology Team
Over 10,000 engineers powering China’s leading lifestyle services e‑commerce platform. Supporting hundreds of millions of consumers, millions of merchants across 2,000+ industries. This is the public channel for the tech teams behind Meituan, Dianping, Meituan Waimai, Meituan Select, and related services.