Cloud Security
Published in

Cloud Security

When Your Machine Lies To You

A word of caution about container runtime security solutions

Several companies have asked me about container runtime security solutions in my consulting calls (scheduled through IANS Research). Be aware that these solutions interact at a very low level with calls headed for your system kernel. I’m not going to get into the details too much here, but software can operate at different levels within a system — user space or kernel space. The container runtime solutions are a brilliant solution because you don’t have to depend on the security controls within a container or sidecars alone, but they also come with some inherent risks.

Given the number of supply chain attacks we’ve had recently, you’ll want to understand how these systems work at a low level and take measures to implement them securely. Perform a proper vendor assessment to ensure the companies providing this software are taking steps on their side to prevent a supply chain attack, as the consequences of that could be quite harmful given the nature of this software. Use a zero-trust approach for system management and updates.

Different methods exist for interacting with the system hosting the containers. Depending on which approach these vendors use to capture calls to the system kernel, you’ll have different types of risks. With some methods, you may risk bypass of the software intent on capturing system calls. Some may be replacing low level system software. With other approaches to capturing system calls, a history of CVEs exists in the particular manner used to capture the information. Those CVEs that occur deep in the system and could make detection extremely difficult.

All this software captures calls headed for your system kernel. The main problem with anything interacting with your system kernel is that a compromise of the kernel itself could make any output from that machine untrusted. Once an attack has control of the “brain” of your operating system, it can change any log or tool output you see from the operating system itself, so any investigation at the user interface level is pretty much useless at that point. You’ll need to dive much deep into memory, and sometimes malware can even trick memory analysis.

At that point, you’re relying on network traffic and other external means to deduce that something is going wrong since the system itself is lying to you. I’ve included some additional reading on kernel-mode rootkits at the end of this post if you want to dive deeper into this topic.

A container runtime security solution doesn’t replace all the functionality of sidecars. It doesn’t replace all the other security controls you need to protect your applications, containers, and container management solutions. As always, don’t place all your security in the hands of one technology. Leverage a defense-in-depth approach. And be aware that when you leverage low-level solutions that can impact the integrity of the outputs of your system, you’ll need to be extra careful. Ensure your systems are up to date and implement security controls to watch the watcher.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2021


Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

For a recap of cybersecurity news last week check out the 2nd Sight Lab Cybersecurity News Blog. Malware, vulnerabilities, data breaches, cost of a data breach, cybersecurity laws, and interesting cybersecurity developments.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Teri Radichel

Teri Radichel


Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty |