linuxkit/reports/sig-security/2017-06-07.md

2017-06-07

Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post

Video recording: https://youtu.be/GkjswX75K08

Previous meeting notes: 2017-05-24

Agenda

• Introductions & Administrivia (5 min)
• RFC on "probational"/"hardened"/"staging" channel (15 min)
  • proof-of-concept in LinuxKit repo
  • proposed process for promotion to channel, out of channel
• buildchain security: PIE/ASLR for packages @fntlnz (10 min)
• miragesdk deep dive - @avsm @samoht @yomimono @talex5 (20 min)
  • What is it? Why do we care?
  • RFC: which system daemons should we implement?
  • architecture deep dive
  • demo: dhcp
• Project updates (10 min)
• Next meeting: 2017-06-21
  • landlock demo and deep dive - @l0kod
  • we can propose additional deep dives and discussion topics!

Meeting Notes

Scribe: @mgoelzer

• Introductions for new attendees - welcome!

• probational channel:

  • calling it “Probational Channel” (vs “hardened” to avoid implying that LinuxKit itself is soft)
  • goal is to have a curated channel of what’s in /projects
  • also goal: reduce bit rot
  • RFC here: https://docs.google.com/document/d/1V3R_eF-_JTEcWmw_pKERuRAWMDxZ3iCy_6piLPhtZSA/edit#heading=h.99zlrcqz1kzx
  • goal of RFC is build your project based on a delta against base LinuxKit (e.g., add Wireguard, add Landlock)
  • @cschaufler: let’s have at least one that is all the projects, and then others for explicitly requested combos of projects
  • @justincormack: probation/promotion is orthogonal to the tooling problem.
  • against any tooling in the project, tooling should be upstream.
  • @avsm: just have a Makefile snippet you can include, will help with the bit rot problem

• buildchain security:

  • discussion lead: @fntlnz
  • issues are PIEs, ASLR, signing. Binaries today are not using linker best practices.
  • two concerns:
    • we should be using PIE, ASLR - current state discussed on issue
      • golang compiling produces static PIE executables
      • c compiling benefits from Alpine Linux default flags
    • we have to check that future binaries in LinuxKit builds should be compiled with the appropriate flags
      • including stuff written in other languages like Rust
  • we would benefit from tools to start binary in isolation, look at its runtime environment - works with anything (libc, muscl, etc)
    • @cschaufler: take a look at Yocto’s buildchain checks
    • @avsm: need to modify some language configs as well (for OCaml binaries)
  • @justincormack: runc is not linked correctly
  • @riyazdf: next meeting let’s also discuss how we can go beyond signing, better checks

• mirageSDK

  • discussion lead: @avsm
  • slides: https://speakerdeck.com/avsm/a-modern-services-sdk-for-linuxkit
  • goal is to rebuild the services on top of LinuxKit with advanced security features:
    • type safety
    • container-native daemons
  • daemons: dhcpd in repo today, working on others. Open to feedback for prioritizing future type-safe daemons (ntp, dns, https, etc)
  • containerized, but still written in C and require high system privilege
  • want to make these components less monolithic, more container native.
  • dhcpd:
    • in a cloud environment, you really only need it once. You’re more likely to kill machine than want to change its IP after boot.
    • requires very low level access - eg IP route tables
    • described 3-part priv separated architecture
  • Capnp - RPC system for how these 3 processes communicate
  • @yomimono: demo fuzz testing with American Fuzzy Lop (afl)
    • asciinema of demo: https://asciinema.org/a/3ljccmn19m25uj02kve678xp6
    • afl: http://lcamtuf.coredump.cx/afl/
  • Also focusing on other services: DNS, HTTPS