Collaboration pays off. At the UNOG Digital Live workshop last spring, a member of the UNOG Security Working Group presented a reference architecture for securing containers, followed by an open reference solution that implements that architecture as described. Years of work, backed by industry leaders, have produced a concrete approach to ensuring the confidentiality, integrity, and even availability of container-based workloads. Forrest Bennett of FedEx moderated; Bob Wysocki and Anmol Kulkarni of Microland, Michael Clarke of Renaissance Technology, and Adam Hughes of Sylabs explained the architecture and the solution. Here is a summary of their discussion.

Context: The Need for a Reference Architecture

The UNOG Security Working Group has focused on developing a reference architecture that addresses the confidentiality, integrity, and availability of containerized server workloads. A reference solution endorsed by UNOG could offer a viable security model in a complex, multi-cloud world. Michael Clarke opened the conversation with an overview of specific container security vulnerabilities.

Clarke noted that a container is only as secure as its underlying infrastructure. The container runtime itself offers no protection against run-time side-channel attacks arising from compromised hardware, microarchitectural flaws, compromised microcode, or implants. Nor is there any defense against run-time memory introspection from a compromised host operating environment. Attackers therefore threaten both the confidentiality and the integrity of container workloads.

The Linux kernel is not free of security problems either. Management and namespace vulnerabilities in the kernel can lead to privilege escalation and/or container escape, and patching the container runtime addresses neither. The fact that security models vary across cloud service providers (CSPs) adds to the complexity: there is no comprehensive set of standards that every CSP must follow. In short, cloud security alone cannot adequately secure a container.

Reference Architecture Purpose


The ultimate goal of the reference architecture is to address the issues above. Through research and collaboration, Clarke explained, the UNOG goal was to “determine what can be done to ensure the secrecy and integrity of this workload while it resides in and travels through the containerized environment.”


When product technology is designed, performance is prioritized over security. To close that gap, trust in the entire environment must be established by tracking changes at runtime, both inside the container and in the surrounding environment. Clarke explained that the workload must then be treated as a separate entity that is protected in its own right. He listed five requirements for a reference architecture that ensures the confidentiality and integrity of workloads.

  • It should be able to bind an operational security policy to the workload.
  • The security policy must not be able to be intercepted or separated from the workload.
  • The reference architecture should accommodate the workload, and its security policies and policy-management mechanisms must not be open to manipulation.

For the architecture to work as intended, Clarke identified the assumptions that must hold:

  • The hardware is trusted.
  • The container platform, as well as the environment used to build the container image, is trusted.
  • The certificate authority (CA) and the implementations of the cryptographic algorithms are trusted.
  • The state of the environment is established at or before runtime.
  • The container build configuration is secure.
From Reference Architecture to Solution

The team then explained how Microland and Sylabs worked together to implement the reference architecture and turn it into a container security solution that is reproducible, inexpensive, and requires minimal integration effort. Bob Wysocki and Adam Hughes described the five pillars of the solution.

1. Host: First, the solution needed a runtime environment. For the demo the team chose VirtualBox because it is free and quick to learn.
2. Container runtime: The team chose Singularity because it has many valuable security features built in. Hughes explained that Singularity is a full container runtime designed for high-performance computing environments and is widely used for sensitive workloads in academic institutions, government agencies, and enterprises. The solution uses all of its available security components to maintain security and block privilege escalation. Running workloads as non-privileged users is a Sylabs-recommended practice.
3. Singularity Image Format (SIF): A SIF image is a single file in which users encapsulate an entire software stack, including all the dependencies that make up the workload. Full image encryption is an especially valuable feature of SIF. Unlike other runtimes, the encrypted filesystem and its key material are handed directly to the kernel, so the decrypted image exists only in memory and never on disk. This makes SIF images ideal for enterprises with regulatory requirements or policies that demand protection of sensitive data and algorithms. A SIF file can also carry arbitrary data, including the governing policy documents; combined with digital signing, the policy is cryptographically bound to the workload.
4. Supervisor Binary (SB): An open-source wrapper for Singularity that fingerprints the environment, checks its integrity, and ensures that Singularity runs only when the correct policy is satisfied.
5. Open Policy Agent (OPA): OPA interacts with the Supervisor Binary to receive the current environment state and compare it with the authorized workload policy. Only on a match does it return the decryption key that allows Singularity to run.

Wysocki noted that Singularity and SIF ensure the confidentiality and integrity of the workload itself, while OPA and SB guarantee confidentiality and integrity at runtime.


Wysocki then explained how the solution operates in its three modes.

  • Configuration mode: SB creates an environment fingerprint that includes the authorized policy. SB then stores the policy and the decryption key in OPA.
  • Startup mode: When the workload is launched, SB takes a fresh environment fingerprint and sends it to OPA. OPA compares the current state with the authorized state and returns the decryption key only if they match. Once the match is established, Singularity is invoked, the image is decrypted, and execution begins.
  • Runtime mode: SB now enters monitoring mode. As long as the current state keeps matching the expected policy, everything continues to run. If a mismatch occurs, SB takes action to halt execution.
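To make the SB/OPA hand-off in pillars 4 and 5 and the three modes above concrete, here is an added Python model of that flow. It is illustrative code written for this summary, not the Microland/Sylabs Supervisor Binary or OPA themselves. It assumes that the environment fingerprint is a SHA-256 over a canonical JSON encoding of measured values, that the policy agent stores the authorized fingerprint alongside the image key, and that the key is released only on an exact match; the environment values, workload id and key are constructed for the example.

```python
"""Model of the Supervisor Binary (SB) / policy agent (OPA) flow.

Added example, not the project's own code. Assumptions:
  * SB's "environment footprint" is a SHA-256 over canonical JSON of measured values.
  * OPA keeps (authorized fingerprint, image key) per workload id.
  * The image key leaves the agent only when the fingerprint matches exactly.
"""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

Env = Dict[str, str]


def fingerprint(env: Env) -> str:
    """Canonical SHA-256 over the measured environment (stand-in for SB's footprint)."""
    canonical = json.dumps(env, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class PolicyAgent:
    """Stand-in for OPA: holds the authorized fingerprint and image key per workload."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, bytes]] = {}

    def register(self, workload_id: str, authorized_fp: str, key: bytes) -> None:
        self._store[workload_id] = (authorized_fp, key)

    def request_key(self, workload_id: str, current_fp: str) -> Optional[bytes]:
        entry = self._store.get(workload_id)
        if entry is None:
            return None
        authorized_fp, key = entry
        # Constant-time comparison; the key is released only on an exact match.
        if hmac.compare_digest(authorized_fp, current_fp):
            return key
        return None


class Supervisor:
    """Stand-in for SB: measures the environment and gates the runtime on OPA's decision."""

    def __init__(self, agent: PolicyAgent, measure: Callable[[], Env]) -> None:
        self.agent = agent
        self.measure = measure  # returns the current measured environment

    def configure(self, workload_id: str, key: bytes) -> str:
        """Configuration mode: record the authorized fingerprint and key with OPA."""
        fp = fingerprint(self.measure())
        self.agent.register(workload_id, fp, key)
        return fp

    def start(self, workload_id: str) -> bytes:
        """Startup mode: measure, ask OPA for the key, refuse to run on mismatch."""
        key = self.agent.request_key(workload_id, fingerprint(self.measure()))
        if key is None:
            raise PermissionError("environment does not match policy; image stays encrypted")
        return key  # caller would now decrypt the SIF image and launch the runtime

    def check(self, expected_fp: str) -> bool:
        """Runtime mode: True while the environment still matches, False means halt."""
        return hmac.compare_digest(fingerprint(self.measure()), expected_fp)


def scenario() -> Dict[str, bool]:
    """Walk the three modes with a constructed environment and a simulated drift."""
    env: Env = {  # constructed measurements, not real values
        "runtime_sha256": "deadbeef-constructed",
        "kernel": "5.4.0-demo",
        "user": "svc-worker",
        "policy_id": "wl-42",
    }
    supervisor = Supervisor(PolicyAgent(), lambda: dict(env))
    image_key = secrets.token_bytes(32)  # constructed image key

    authorized_fp = supervisor.configure("wl-42", image_key)   # configuration mode
    released = supervisor.start("wl-42") == image_key           # startup mode, good state

    env["user"] = "root"  # simulate drift: workload now measured as privileged
    halted = not supervisor.check(authorized_fp)                # runtime mode -> halt
    try:
        supervisor.start("wl-42")
        denied = False
    except PermissionError:
        denied = True                                           # restart also refused
    return {"released": released, "halted": halted, "denied": denied}


if __name__ == "__main__":
    print(scenario())
```

The point the model makes is that the key never reaches the host until the measured state equals the authorized one, and that the same measurement is re-run while the workload executes, so a change such as the drop to a privileged user after launch is caught rather than silently tolerated.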
Read More

View the full discussion, including a demo of the workload protection solution, here. You can also contribute to one of UNOG’s working groups by joining here.