*** changcheng has quit IRC | 01:05 | |
*** cgfuh has quit IRC | 01:37 | |
*** sameo has joined #kata-dev | 05:48 | |
*** sameo has quit IRC | 06:49 | |
*** jodh has joined #kata-dev | 07:16 | |
*** sameo has joined #kata-dev | 07:28 | |
*** davidgiluk has joined #kata-dev | 07:52 | |
*** sgarzare has joined #kata-dev | 07:59 | |
kata-irc-bot | <youngha> Hi all :slightly_smiling_face:, I am writing a technical document about Kata (especially for security) in Korean. And I got a couple of questions. Did I come to the right channel? | 08:01 |
stefanha | youngha: This is the right place although some people are online later in the day. You can also email kata-dev@lists.katacontainers.io. | 08:07 |
*** lpetrut has joined #kata-dev | 11:27 | |
kata-irc-bot | <youngha> I know that Kata-container provides strong isolation through a lightweight VM; I want to know more details about the security perspective. Does Kata container have a solution to container threat models like container escape or other things? | 11:36 |
stefanha | youngha: Kata adds a layer. Instead of host kernel + untrusted container, you have host kernel + sandbox VM + guest kernel + untrusted container. | 12:22 |
stefanha | youngha: If the untrusted container escapes then it finds itself inside the sandbox VM. It is unable to directly access other containers running in other sandboxes. | 12:23 |
stefanha | youngha: It also protects the host kernel. Imagine there is a kernel exploit, then maybe the untrusted container can control the guest kernel. But it still needs to escape the sandbox VM with a different exploit before it can attack the host kernel. | 12:24 |
stefanha | (This is a bit simplified because there are a few places where the guest can attack the host kernel, but overall the attack surface is small.) | 12:25 |
*** devimc has joined #kata-dev | 12:43 | |
*** pcaruana has quit IRC | 13:10 | |
*** eernst has quit IRC | 13:16 | |
*** pcaruana has joined #kata-dev | 13:39 | |
kata-irc-bot | <youngha> If I understand correctly, then an attack like Dirty Cow (CVE-2016-5195) can only take effect inside the sandbox VM, right? Is there any possibility that an untrusted container can attack the host kernel through kata-agent? | 13:59 |
*** lpetrut has quit IRC | 14:05 | |
stefanha | youngha: The untrusted container has very limited interactions with the host kernel, certain types of page faults or interrupts. The attack surface is very small and well-tested in the real world. | 14:06 |
stefanha | youngha: If an untrusted container escapes by compromising the guest kernel or kata-agent, then it needs to escape the sandbox VM (one way is by attacking the host kernel). | 14:07 |
stefanha | youngha: Once the attacker has compromised the guest kernel inside the sandbox VM they have a slightly attack surface: virtio-net, virtio-blk, virtio-9p, virtio-serial, etc, | 14:09 |
stefanha | but this is still much smaller than the syscall interface that a container on the host would have | 14:09 |
stefanha | youngha: Kata isn't theoretically absolutely safe, but it adds an extra layer on top of the container isolation that you already have, which is a good thing. | 14:10 |
*** pcaruana has quit IRC | 14:12 | |
kata-irc-bot | <eric.ernst> Thanks Stefan. Defense in depth, @youngha | 14:13 |
*** lpetrut has joined #kata-dev | 14:29 | |
*** lpetrut has quit IRC | 14:47 | |
*** sameo has quit IRC | 15:29 | |
*** devimc has quit IRC | 15:48 | |
*** devimc has joined #kata-dev | 15:48 | |
*** altlogbot_2 has quit IRC | 16:01 | |
*** altlogbot_1 has joined #kata-dev | 16:01 | |
*** irclogbot_2 has quit IRC | 16:02 | |
*** irclogbot_1 has joined #kata-dev | 16:03 | |
*** irclogbot_1 has quit IRC | 16:07 | |
*** irclogbot_1 has joined #kata-dev | 16:07 | |
*** sameo has joined #kata-dev | 16:31 | |
*** sgarzare has quit IRC | 16:44 | |
*** igordc has joined #kata-dev | 16:49 | |
*** jodh has quit IRC | 17:02 | |
*** igordc has quit IRC | 17:04 | |
*** igordc has joined #kata-dev | 17:15 | |
*** igordc has quit IRC | 17:26 | |
*** devimc has quit IRC | 17:48 | |
*** igordc has joined #kata-dev | 18:36 | |
*** eernst has joined #kata-dev | 18:51 | |
*** eernst has quit IRC | 18:56 | |
*** eernst has joined #kata-dev | 18:58 | |
*** eernst has quit IRC | 19:02 | |
*** davidgiluk has quit IRC | 19:10 | |
*** eernst has joined #kata-dev | 19:10 | |
*** eernst has quit IRC | 19:15 | |
*** eernst has joined #kata-dev | 19:17 | |
*** eernst has quit IRC | 19:22 | |
*** sameo has quit IRC | 19:32 | |
*** eernst has joined #kata-dev | 19:43 | |
*** eernst has quit IRC | 19:46 | |
*** eernst has joined #kata-dev | 19:47 | |
*** lpetrut has joined #kata-dev | 20:34 | |
*** lpetrut has quit IRC | 20:38 | |
*** eernst has quit IRC | 22:23 | |
*** fuentess has quit IRC | 22:38 | |
*** eernst has joined #kata-dev | 22:43 | |
*** eernst has quit IRC | 22:44 | |
*** eernst has joined #kata-dev | 22:46 | |
*** igordc has quit IRC | 22:48 | |
*** eernst has quit IRC | 22:51 |