Resolutions for this New Year:
- DNS (preferably DNSSEC)
- 1600dpi (mouse)
- WUXGA (1920×1200)
- I was planning to add an audio resolution, but I’m dithering a bit on this one
I’ll get my coat.
Happy New Year!
Resolutions for this New Year:
I’ll get my coat.
Happy New Year!
… what’s the fun in having an Internet if you can’t, well, “net” on it?
Sometimes – and I hope this doesn’t come as too much of a surprise to my readers – sometimes, there are bad people, and they do bad things with computers. These bad things are often about stopping the good things that computers are supposed to be doing* from happening properly. This is generally considered not to be what you want to happen**.
For this reason, when we architect and design systems, we often try to enforce isolation between components. I’ve had a couple of very interesting discussions over the past week about how to isolate various processes from each other, using different types of isolation, so I thought it might be interesting to go through some of the different types of isolation that we see out there. For the record, I’m not an expert on all different types of system, so I’m going to talk some history****, and then I’m going to concentrate on Linux*****, because that’s what I know best.
In the beginning, computers didn’t talk to one another. It was relatively difficult, therefore, for the bad people to do their bad things unless they physically had access to the computers themselves, and even if they did the bad things, the repercussions weren’t very widespread because there was no easy way for them to spread to other computers. This was good.
Much of the conversation below will focus on how individual computers act as hosts for a variety of different processes, so I’m going to refer to individual computers as “hosts” for the purposes of this post. Isolation at this level – host isolation – is still arguably the strongest type available to us. We typically talk about “air-gapping”, where there is literally an air gap – no physical network connection – between one host and another, but we also mean no wireless connection either. You might think that this is irrelevant in the modern networking world, but there are classes of usage where it is still very useful, the most obvious being for Certificate Authorities, where the root certificate is so rarely accessed – and so sensitive – that there is good reason not to connect the host on which it is stored to be connected to any other computer, and to use other means, such as smart-cards, a printer, or good old pen and paper to transfer information from it.
And then came networks. These allow hosts to talk to each other. In fact, by dint of the Internet, pretty much any host can talk to any other host, given a gateway or two. So along came network isolation to try to stop tha. Network isolation is basically trying to re-apply host isolation, after people messed it up by allowing hosts to talk to each other******.
Later, some smart alec came up with the idea of allowing multiple processes to be on the same host at the same time. The OS and kernel were trusted to keep these separate, but sometimes that wasn’t enough, so then virtualisation came along, to try to convince these different processes that they weren’t actually executing alongside anything else, but had their own environment to do their old thing. Sadly, the bad processes realised this wasn’t always true and found ways to get around this, so hardware virtualisation came along, where the actual chips running the hosts were recruited to try to convince the bad processes that they were all alone in the world. This should work, only a) people don’t always program the chips – or the software running on them – properly, and b) people decided that despite wanting to let these processes run as if they were on separate hosts, they also wanted them to be able to talk to processes which really were on other hosts. This meant that networking isolation needed to be applied not just at the host level, but at the virtual host level, as well******.
Now, in a move which may seem retrograde, it occurred to some people that although hardware virtualisation seemed like a great plan, it was also somewhat of a pain to administer, and introduced inefficiencies that they didn’t like: e.g. using up lots of RAM and lots of compute cycles. These were often the same people who were of the opinion that processes ought to be able to talk to each other – what’s the fun in having an Internet if you can’t, well, “net” on it? Now we, as security folks, realise how foolish this sounds – allowing processes to talk to each other just encourages the bad people, right? – but they won the day, and containers came along. Containers allow lots of processes to be run on a host in a lightweight way, and rely on kernel controls – mainly namespaces – to ensure isolation********. In fact, there’s more you can do: you can use techniques like system call trapping to intercept the things that processes are attempting and stop them if they look like the sort of things they shouldn’t be attempting*********.
And, of course, you can write frameworks at the application layer to try to control what the different components of an application system can do – that’s basically the highest layer, and you’re just layering applications on applications at this point.
So here’s where I get to the chance to mention one of my favourite topics: systems. As I’ve said before, by “system” here I don’t mean an individual computer (hence my definition of host, above), but a set of components that work together. The thing about isolation is that it works best when applied to a system.
Let me explain. A system, at least as I’d define it for the purposes of this post, is a set of components that work together but don’t have knowledge of external pieces. Most important, they don’t have knowledge of different layers below them. Systems may impose isolation on applications at higher layers, because they provide abstractions which allow higher systems to be able to ignore them, but by virtue of that, systems aren’t – or shouldn’t be – aware of the layers below them.
A simple description of the layers – and it doesn’t always hold, partly because networks are tricky things, and partly because there are various ways to assemble the stack – may look like this.
Application (top layer) Container System trapping Kernel Hardware virtualisation Networking Host (bottom layer)
As I intimated above, this is a (gross) simplification, but the point holds that the basic rule is that you can enforce isolation upwards in the layers of the stack, but you can’t enforce it downwards. Lower layer isolation is therefore generally stronger than higher layer isolation. This shouldn’t come as a huge surprise to anyone who’s used to considering network stacks – the principle is the same – but it’s helpful to lay out and explain the principles from time to time, and the implications for when you’re designing and architecting.
Because if you are considering trust models and are defining trust domains, you need to be very, very careful about defining whether – and how – these domains spread across the layer boundaries. If you miss a boundary out when considering trust domains, you’ve almost certainly messed up, and need to start again. Trust domains are important in this sort of conversation because the boundaries between trust domains are typically where you want to be able to enforce and police isolation.
The conversations I’ve had recently basically ran into problems because what people really wanted to do was apply lower layer isolation from layers above which had no knowledge of the bottom layers, and no way to reach into the control plane for those layers. We had to remodel, and I think that we came up with some sensible approaches. It was as I was discussing these approaches that it occurred to me that it would have been a whole lot easier to discuss them if we’d started out with a discussion of layers: hence this blog post. I hope it’s useful.
*although they may well not be, because, as I’m pretty sure I’ve mentioned before on this blog, the people trying to make the computers do the good things quite often get it wrong.
**unless you’re one of the bad people. But I’m pretty sure they don’t read this blog, so we’re OK***.
***if you are a bad person, and you read this blog, would you please mind pretending, just for now, that you’re a good person? Thank you. It’ll help us all sleep much better in our beds.
****which I’m absolutely going to present in an order that suits me, and generally neglect to check properly. Tough.
*****s/Linux/GNU Linux/g; Natch.
******for some reason, this seemed like a good idea at the time.
*******for those of you who are paying attention, we’ve got to techniques like VXLAN and SR-IOV.
********kernel purists will try to convince you that there’s no mention of containers in the Linux kernel, and that they “don’t really exist” as a concept. Try downloading the kernel source and doing a search for “container” if you want some ammunition to counter such arguments.
*********this is how SELinux works, for instance.
Don’t increase the technical complexity of a process just because you’ve got a cool technology that you could throw at it.
I’m attending Open Source Summit 2017* this week in L.A., and went to an interesting “fireside chat” on blockchain moderated by Brian Behlendforf of Hyperledger, with Jairo*** of Wipro and Siva Kannan of Gem. It was a good discussion – fairly basic in terms of the technical side, and some discussion of identity in blockchain – but there was one particular part of the session that I found interesting and which I thought was worth some further thought. As in my previous post on this topic, I’m going to conflate blockchain with Distributed Ledger Technologies (DLTs) for simplicity.
Siva presented three questions to ask when considering whether a process is a good candidate for moving to the blockchain. There’s far too much bandwagon-jumping around blockchain: people assume that all processes should be blockchained. I was therefore very pleased to see this come up as a topic. I think it’s important to spend some time looking at when it makes sense to use blockchains, and when it’s not. To paraphrase Siva’s points:
I liked these as a starting point, and I was glad that there was a good conversation around what a trust problem might mean. I’m not quite sure it went far enough, but there was time pressure, and it wasn’t the main thrust of the conversation. Let’s spend a time looking at why I think the points above are helpful as tests, and then I’m going to add another.
The examples that were presented were two of the classic ones used when we’re talking about blockchain: inter-bank transfer reconciliation and healthcare payments. In both cases, there are multiple parties involved, and the time it takes for completion seems completely insane for those of us used to automated processes: in the order of days. This is largely because the processes are run by central authorities when, from the point of view of the process itself, the transactions are actually between specific parties, and don’t need to be executed by those authorities, as long as everybody trusts that the transactions have been performed fairly. More about the trust part below.
If the process is simple, and requires a single step or transaction, there’s very little point in applying blockchain technologies to it. The general expectation for multi-partite processes is that they involve multiple parties, as well as multiple parts. If there are only a few steps in a transaction, or very few parties involved, then there are probably easier technological solutions for it. Don’t increase the technical complexity of a process just because you’ve got a cool technology that you can throw at it******.
Above, I used the phrase “as long as everybody trusts that the transactions have been performed fairly”******. There are three interesting words in this phrase*******: “everybody”, “trusts” and “fairly”. I’m going to go through them one by one:
This point about encoding rules into a process is a really, really major one, to which I intend to return at a later date, but for now let’s assume (somewhat naively, admittedly) that this is doable and risk-free.
This was a rule that I suggested, and which caused some discussion. It seems to me that there are some processes where a move to a blockchain may benefit certain parties, but not others. For example, the amount of additional work required by a small supplier of parts to a large automotive manufacturer might be such that there’s no obvious benefit to the supplier, however much benefit is manifestly applicable to the manufacturer. At least one of the panellists was strongly of the view that there will always be benefit to all parties, but I’m not convinced that the impact of implementation will always outweight such benefit.
… it’s not a perfect fit for every process. Organisations – and collections of organisations – should always carefully consider how good a fit blockchain or DLT may be before jumping to a decision which may be more costly and less effective than they might expect from the hype.
*was “LinuxCon and ContainerCon”**.
***he has a surname, but I didn’t capture it in my notes****.
****yes, I write notes!
*****this is sometime referred to as the “hammer problem” (if all you’ve got is a hammer, then everything looks like a nail)
******actually, I didn’t: I missed out the second “as”, and so had to correct it in the first appearance of the phrase.
*******in the context of this post. They’re all interesting in the own way, I know.
********this may sound like magic. Given my grasp of the mathematics involved, I have to admit that it might as well be*********.
*********thank you Arthur C. Clarke.
“I think I’ve just been got by a phishing email…”
I attended Black Hat USA a few weeks ago in Las Vegas*. I also spent some time at B-Sides LV and DEFCON. These were my first visits to all of them, and they were interesting experiences. There were some seriously clever people talking about some seriously complex things, some of which were way beyond my level of knowledge. There were also some seriously odd things and odd people**. There was one particular speaker who did a great job, and whose keynote made me think: Alex Stamos, CSO of Facebook.
The reason that I want to talk about Stamos’ talk is that I got a phone call a few minutes back from a member of my family. It was about his iCloud account, which he was having problems accessing. Now: I don’t use Apple products***, so I wasn’t able to help. But the background was the interesting point. I’d had a call last week ago from the same family member. He’s not … techno-savvy. You know the one I’m talking about: that family member. He was phoning me on last week in something of a fluster.
“I think I’ve just been got by a phishing email,” he started.
Now: this is a win. Somebody – whether me or the media – has got him to understand what a phishing email is. I’m not saying he could spell it correctly, mind you – or that he’s not going to get hit by one – but at least he knows.
“OK,” I said.
“It said that it was from Apple, and if I didn’t change my password within 72 hours, I’d lose all of my data,” he explained.
Ah, I thought, one of those.
“So I clicked on the link and changed my password. But I realised after about 5 minutes and changed it again,” he continued.
“Where did you change it that time?” I asked.
“On the Apple site.”
“Then you’re probably OK.” I gave him some advice on things to check, and suggested ringing Apple and maybe his bank to let them know. I also gave him the Stern Talk[tm] that we’ve all given users – the one about never clicking through a link on an email, and always entering it by hand.***** He called me back a few hours later to tell me that the guy he’d spoken to at Apple had reassured him that his bank details weren’t in danger, and that a subsequent notification he’d got that someone was trying to use his account from an unidentified device was a good sign, because it meant that the extra layers of security that Apple had put in place were doing their job. He was significantly (and rightly) relieved.
“So what has this to do with Stamos’ keynote?” you’re probably asking. Well, Stamos talked about how many of the attacks and vulnerabilities that we worry about much of the time – zero days, privilege escalations, network segment isolation – make up the tiniest tip of the huge pyramid of security issues that affect our users. Most of the problems are around misuse of accounts or services. And most of the users in the world aren’t uberhackers or even script kiddies – they’re not even people like those in the audience****** – but people with sub-$100******* smartphones.
And he’s right. We need to think about these people, too. I’m not saying that we shouldn’t worry about all the complex and scary technical issues that we’re paid to understand, fix and mitigate. They are important, and if we don’t fix them, we’re in for a world of pain. But our jobs – what we get paid for – should also include thinking about the other people: people who Facebook and Apple make a great deal of money from, and who they quite rightly care about. The question is: do we, the rest of the industry? And how are we going to know that we’re thinking like a 68 year old woman in India or a 15 year old boy in Brazil? (Hint: part of the answer is around diversity in our industry.)
Apple didn’t do too bad a job, I think – though my family member is still struggling with the impact of the password reset. And the organisation I talked about in my previous post on the simple things we should do absolutely didn’t. So, from now on, I’m going to try to think a little harder about what impact the recommendations, architectures and designs I come up with might have on the “hidden users” – not the sysadmins, not the developers, not the expert users, but people like my family members. We need to think about security for them just as much as for security for people like us.
*weird place, right? And hot. Too hot.
**I walked out of one session at DEFCON after six minutes as it was getting more and more difficult to resist the temptation to approach the speaker at the podium and punch him on the nose.
***no, I’m not going to explain. I just don’t: let’s leave it at that for now, OK? I’m not judging you if you do.****
****of course I’m judging you. But you’ll be fine.
*****clearly whoever had explained about phishing attacks hadn’t done quite as good a job as I’d hoped.
******who, he seemed to assume, were mainly Good Guys & Gals[tm].
*******approximately sub-€85 or sub-£80 at time of going to press********: please substitute your favoured currency here and convert as required.
********I’m guessing around 0.0000000000000001 bitcoins. I don’t follow the conversion rate, to be brutally honest.
“People won’t listen to you or take you seriously unless you’re an old white man, and since I’m an old white man I’m going to use that to help the people who need it.” —Patrick Stewart, Actor
A couple of weeks ago, I wrote an April Fool’s post: “Changing the demographic in IT security: a radical proposal“. It was “guest-written” by my dog, Sherlock, and suggested that dogs would make a good demographic from which to recruit IT professionals. It went down quite well, and I had a good spike of hits, which was nice, but I wish that it hadn’t been necessary, or resonated so obviously with where we really are in the industry*.
Of special interest to me is the representation of women within IT security, and particularly within technical roles. This is largely due to the fact that I have two daughters of school age**, and although I wouldn’t want to force them into a technical career, I want to be absolutely sure that they have as much chance both to try it – and then to succeed – as anybody else does, regardless of their gender.
But I think we should feel that other issues of under-representation should be of equal concern. Professionals from ethnic minorities and with disabilities are also under-represented within IT security, and this is, without a doubt, a Bad Thing[tm]. I suspect that the same goes for people in the LGBTQ+ demographics. From my perspective, diversity is something which is an unalloyed good within pretty much any organisation. Different viewpoints don’t just allow us to reflect what our customers see and do, but also bring different perspectives to anything from perimeter defence to user stories, from UX to threading models. Companies and organisations are just more flexible – and therefore more resilient – if they represent a wide ranging set of perspectives and views. Not only because they’re more likely to be able to react positively if they come under criticism, but because they are less likely to succumb to groupthink and the “yes-men”*** mentality.
Part of the problem is that we hire ourselves. I’m a white male in a straight marriage with a Western university education and a nuclear family. I’ve got all of the privilege starting right there, and it’s really, really easy to find people like me to work with, and to hire, and to trust in business relationships. And I know that I sometimes get annoyed with people who approach things differently to me, whose viewpoint leads them to consider alternative solutions or ideas. And whether there’s a disproportionate percentage of annoyances associated with people who come from a different background to me, or that I’m just less likely to notice such annoyances when they come from someone who shares my background, there’s a real danger of prejudice kicking in and privilege – my privilege – taking over.
So, what can we do? Here are some ideas:
These are my views. The views of someone with privilege. I’m sure they’re not all right. I’m sure they’re not all applicable to everybody’s situation. I’m aware that there’s a danger of my misappropriating a fight which is not mine, and of the dangers of intersectionality.
But if I can’t stand up from my position of privilege***** and say something, then who can?
*Or, let’s face it, society.
**I’m also married to a very strong proponent of equal rights and feminism. It’s not so much that it rubbed off on me, but that I’m pretty sure she’d have little to do with me if I didn’t feel the same way.
***And I do mean “men” here, yes.
****My wife challenged me to put this in. Because I don’t do it, and I should.
*****“People won’t listen to you or take you seriously unless you’re an old****** white man, and since I’m an old white man I’m going to use that to help the people who need it.” —Patrick Stewart, Actor
******Although I’m not old.*******
*******Whatever my daughters may say.
… containers are both very much like and very much unlike VMs…
I want to talk about security in DevOps – also known as “DevSecOps”* – on this blog, but it’s going to have to wait for a subsequest post. I’ve been speaking at a few conferences and seminars recently on this topic, and I’ve started to preface the discussion with a quick question: “Who here understands what a container is?”. And you don’t get that many hands going up**. So I’ve started giving a little explanation of what containers*** are before going much further.
To be clear: can you do DevOps without containers? Can you do DevSecOps without containers? The answer to both is “yes”. But containers lend themselves so well to the DevOps approach – and to DevSecOps, it turns out – that even though it’s possible to do DevOps without them, I’m going to assume that most people will use them.
I was in a meeting with a number of colleagues a few months ago, and one of them was presenting on containers. Not everybody around the table was particularly expert in the technology, so he was starting simple. He made a statement, which said something like “There’s no mention of containers in the Linux kernel source code”. This, it turned out, was a dangerous statement to make, given some of the attendees, and within a few seconds, both my boss (sitting next to me) and I were downloading the recent kernel source tarballs and performing a count of the exact number of times that the word “container” occurred. It turned out that his statement wasn’t entirely correct. To give you an idea, I’ve just tried it on an old version that I happened to have on my laptop (4.9.2), and I got a result of 15,273 lines including the word “container”****. My boss and I had a bit of a smirk and ensured that we corrected him at the next break.
What my colleague meant to say – and he clarified later – is that the concept of a container doesn’t really exist as a clear element within the Linux kernel. In other words, containers use a number of abstractions, components, tools and mechanisms from the Linux kernel, but there’s nothing very special about these: they can be used for other purposes as well. So, there’s “no such thing as a container, according to the Linux kernel”.
What, then, is a container? Well, I come from a virtualisation – hypervisor and VM – background, and the way that I tend to think of it is that containers are both very much like and very much unlike VMs. I realise that this may initially not sound very helpful, but let me explain.
The main way in which a container is like a container is like a VM is that it’s a unit of execution. You bundle something up – an image – which you can then run on a suitably equipped host platform. Like a VM, it’s a workload on a host, and like a VM, it runs at the mercy of that host. Beyond providing workloads with the resources that they need to do their job (CPU cycles, networking, storage access, etc.), the host has a couple of jobs that it needs to do:
The ways that this is achieved for VMs and containers is fundamentally different, with isolation, with VMs being kept isolated by hypervisors making use of hardware capabilities, and containers being kept isolated via software controls provided by the Linux kernel******. These controls revolve around various “namespaces” which ensure that one container can’t see other containers’ files, users, network connections, etc. – nor those of the host. These can be supplemented by tools such as SELinux, which provide capabilities controls for further isolation of containers.
The problem with the description above is that if you’re even vaguely hypervisor-aware, you probably think that a container is just like a VM, and it really isn’t.
A container is, first and foremost *******, a packaging format. “WHAT?” you’re saying, “but you just said it was something that was executed.” Well, yes, but much of the reasons containers are so interesting is that it’s very easy to create the images from which they’re instantiated, and those images are typically much, much smaller than for VMs. For this reason, they take up very little memory, and can be spun up and spun down very, very quickly. Having a container that sits around for just a few minutes, or even seconds (OK, milliseconds, if you like) is an entirely sensible and feasible idea. For VMs, not so much.
Given that containers are so lightweight and easy to replace, people have started using them to create micro-services – minimal components split out of an application which can be used by one or many other micro-services to built whatever you want. Given that you only plan to put what you need for a particular function or service within a container, you’re now free to make it very small, which means that writing new ones and throwing away the old ones becomes very practicable. We’ll follow up on this when we talk about DevOps next time. We’ll also talk about some of the impacts this might have on security, and hence DevSecOps.
Hopefully this has been a useful intro, and you feel excited and motivated to learn more about DevSecOps next time. (And if you don’t, just pretend.)
*I think because SecDevOps reads oddly, and DevOpsSec tends to get pluralised, and then you’re on an entirely different topic.
**I should note that this isn’t just to British audiences, who are reserved and don’t like drawing attention to themselves: this is to Canadian and US audiences who, well … are different in that regard.
***I’m going to be talking about Linux containers: I’m aware there’s history here, so it’s worth noting. In case of pedantry.
**** I used grep -ir container linux-4.9.2 | wc -l in case you’re interested*****.
***** to be fair, a number of those uses, at a quick glance, have nothing to do with containers in the way we’re discussing them “Linux containers”, but refer to abstractions which can be said to container other elements, and are, therefore, logically referred to as containers.
****** there are clever ways to combine VMs and containers to benefit from the strengths of each – I’m not going to go into those today.
******* well, apart from the execution bit that we just covered, obviously.
… given that I probably wouldn’t be writing this blog if I weren’t paid by my employer, I don’t feel to bad about mentioning our Summit…
I get paid*. By Red Hat. Not to write these blog posts, but to do a job of work. The musings which make up this blog aren’t necessarily directly connected to the views of my employer (see standard disclaimer), but given that I try to conduct my work with integrity and to blog about stuff I believe in, there’s a pretty good correlation**.
Anyway, given that I probably wouldn’t be writing this blog if I weren’t paid by my employer, I don’t feel to bad about mentioning our Summit this week. It’s my first one, and I’m involved in two sessions: one on moving to a hybrid (or multi-) cloud model, and one about the importance of systems security and what impact Open Source has on it (and vice versa). There’s going to be a lot of security-related content, presented by some fantastic colleagues, partners and customers, and, depending on quite how busy things are, I’m hoping to post snippets here.
In the meantime, I’d like to invite anybody who reads this blog and will be attending the Red Hat Summit to get in touch – it would be great to meet you.
*which is, in my view, a Good Thing[tm].
**see one of my favourite xkcd cartoons.