
Check your privilege: CoreOS's container tech rkt gets priv-escalation defense on Intel chips

Code canned when it oversteps the mark

CoreOS's Linux container manager rkt – pronounced "rock-it" for those willing to pay for a few vowels – can now defend against privilege escalation attacks on virtual machines hosting Intel Clear Containers.

Clear Containers, launched last year, represents Intel's effort to combine the isolation provided by virtual machines with the deployment advantages of containers, in conjunction with hardware acceleration.

Through its KVM stage1, rkt has supported virtual machine-based containers for more than a year. Now CoreOS has given rkt the ability to automatically shut down a container that is subject to a privilege escalation attack and to restart a new instance of the container.

"What we've done is patched the kernel and we trap various important system calls like open and exec," said Brandon Philips, CTO of CoreOS, in a phone interview with The Register.

If you're running containers on bare metal, Philips said, "you want increased isolation and an additional layer of privilege separation."

As CoreOS security engineer Matthew Garrett describes in a blog post, the modifications to the kernel allow it to notify the hypervisor when processes are created and destroyed.

Communication between the two software components allows them to coordinate their respective states, and these states can be confirmed whenever a process requires permission verification.

"For example, when a process requests that a file be opened, the kernel now calls out to the hypervisor," said Garrett. "The hypervisor is then able to examine the process state and ensure that it remains consistent with its internal representation of process state."

If an inconsistency is detected, that is, if the kernel's state differs from the hypervisor's state, that indicates unauthorized modification. When that happens, an administrator can be notified and the compromised container can be discontinued or restarted.
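As an added illustration of the consistency check described above (this is a toy model written for this article, not CoreOS's or Intel's code), the following simulates a hypervisor keeping a shadow copy of guest process state fed by kernel hooks on fork, setuid and exit, and comparing it with the kernel's own view whenever a trapped syscall such as open or exec arrives. The field set (pid, uid, parent pid), the hook names and the "kill_container" response are assumptions made for the simulation.

```python
# Added example, not CoreOS's or Intel's code: a toy model of the hypervisor-side
# process-state check the article describes. Assumed: the guest kernel reports
# (pid, uid, parent pid) to the hypervisor on fork/setuid/exit and on trapped syscalls.
from dataclasses import dataclass


@dataclass
class ProcState:
    pid: int
    uid: int
    parent: int


class Hypervisor:
    """Keeps a shadow copy of guest process state, fed by the kernel hooks."""

    def __init__(self):
        self.shadow = {1: ProcState(1, 0, 0)}  # init: pid 1, root, no parent
        self.log = []

    # Notifications from the patched guest kernel (create / destroy / credential change).
    def on_fork(self, parent_pid, child_pid):
        self.shadow[child_pid] = ProcState(child_pid, self.shadow[parent_pid].uid, parent_pid)

    def on_setuid(self, pid, new_uid):
        self.shadow[pid].uid = new_uid  # the legitimate path updates both sides

    def on_exit(self, pid):
        self.shadow.pop(pid, None)

    # Trap on a sensitive syscall: compare what the kernel now reports with the shadow.
    def check_syscall(self, syscall, kernel_view):
        expected = self.shadow.get(kernel_view.pid)
        if expected == kernel_view:
            return "allow"
        self.log.append(f"{syscall} by pid {kernel_view.pid}: kernel {kernel_view} != shadow {expected}")
        return "kill_container"  # the response the article describes: stop and restart the container


def run_scenario():
    """Constructed scenario: a legitimate drop to uid 1000, then a kernel-memory
    corruption that flips the task's uid back to 0 without any setuid call."""
    hv = Hypervisor()
    hv.on_fork(1, 2)
    hv.on_setuid(2, 1000)
    ok = hv.check_syscall("open", ProcState(2, 1000, 1))  # both views agree
    # Corruption silently rewrote the kernel's credentials; the hypervisor was never told.
    bad = hv.check_syscall("exec", ProcState(2, 0, 1))
    return ok, bad, hv.log
```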

Philips said the changes to rkt make a large class of attacks more difficult.

Vulnerabilities that aren't addressed, like "Dirty COW" and attacks within the userspace, may eventually be addressed by other Linux-oriented security efforts like the Kernel Self Protection Project and the GRSecurity project. ®
