In this paper, we’ll discuss several security pitfalls with Linux containers. Many of them are intrinsic to the design of the container systems, or may be the result of insecure defaults. We’ll analyse historical container attacks, and how they are currently mitigated. We will then examine several novel or poorly documented attacks possible against both privileged and unprivileged Linux containers. This paper is geared towards penetration testers, but also provides insight for administrators and developers looking to prevent common attacks against their container systems.
Author: Jesse Hertz