惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
L
LINUX DO - 热门话题
H
Hacker News: Front Page
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
Lohrmann on Cybersecurity
Cisco Talos Blog
Cisco Talos Blog
O
OpenAI News
S
Securelist
Security Latest
Security Latest
T
Threat Research - Cisco Blogs
H
Heimdal Security Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
Microsoft Azure Blog
Microsoft Azure Blog
MyScale Blog
MyScale Blog
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
Google Online Security Blog
Google Online Security Blog
Latest news
Latest news
N
Netflix TechBlog - Medium
N
News and Events Feed by Topic
D
Docker
D
DataBreaches.Net
A
About on SuperTechFans
T
Tor Project blog
V
V2EX
G
Google Developers Blog
博客园 - Franky
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
I
InfoQ
H
Help Net Security
V2EX - 技术
V2EX - 技术
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Security Affairs
SecWiki News
SecWiki News
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
小众软件
小众软件
B
Blog
T
Threatpost
P
Palo Alto Networks Blog
博客园 - 【当耐特】
L
LangChain Blog
AWS News Blog
AWS News Blog
月光博客
月光博客
宝玉的分享
宝玉的分享

Open Container Initiative

OCI Runtime Spec v1.3 - Open Container Initiative OCI Image and Distribution Specs v1.1 Releases OCI Runtime Spec v1.2 - Open Container Initiative OCI in 2024 and TOB Election Results Summary of Upcoming Changes in OCI Image and Distribution Specs v1.1 OCI at The Container Plumbing Conference OCI in 2023 and TOB Election Results OCI in 2022 and TOB Election Results OCI Member Spotlight – Chainguard Calling All Registries to Submit OCI Conformance! OCI Summit 2021 - Open Container Initiative Introducing fuzzing for runC and Umoci OCI in 2021 and TOB Election Results Consuming Public Content - Open Container Initiative OCI accepts new project, umoci Introducing and open sourcing the OCI Icon Set Container Journal – “OCI Launches Artifacts Project to Reduce Registries Required” New OCI Artifacts Project - Open Container Initiative Open Container Initiative Explained…with Dolls! OCI 2019 Elections and New TOB Lineup 2018’s Biggest Moments + What’s Coming for OCI in 2019 Bringing OCI images to the desktop with Flatpak OCI Image Support Comes to Open Source Docker Registry Open Container Initiative Welcomes Alibaba Cloud as Newest Member PouchContainer – How OCI Specifications Power Alibaba CRI-O – How Standards Power a Container Runtime OCI Member Spotlight – OpenStack (Kata Containers) Teaming up with Docker to Support a Diverse Container Ecosystem The New Stack – “Open Container Initiative Creates a Distribution Specification for Registries” SDxCentral – “OCI Standardizes Container Image Distribution Based on Docker Registry” ZDNet – “​Open Container Initiative nails down container image distribution standard” Container Journal – “OCI Standardizes Container Registry Protocol” Distribution-Spec is Here! - Open Container Initiative OCI Announces 2018 TOB Election Results OCI Member Spotlight – Kontena Windows ITPro – Using Containers? Look for the OCI Seal of Approval SiliconAngle - Why the new Open Container Initiative standard is a milestone for software OCI Welcomes New Project Maintainers OCI Member Spotlight – EasyStack SDxCentral – Open Container Initiative Marks Success, Looks for What’s Next Fostering Diversity and Inclusivity at DockerCon Europe eWeek – Open Container Initiative Specifications Reach 1.0 Milestone GeekWire – Cloud computing’s Open Container Initiative hits the 1.0 release milestone InformationWeek – Unity Rules As OCI Launches 1.0 Container Spec OCI v1.0 – Bringing Containers Closer to Standardization TechCrunch – The Open Container Initiative launches version 1.0 of its container specs The New Stack – OCI’s Long-Awaited Container Runtime and Image Specifications Hit the Streets The Register – Contain(er) your enthusiasm, nerds – Docker-backed OCI runtime spec hits 1.0 ZDNet – Containers consolidation – Open Container Initiative 1.0 released Open Container Initiative (OCI) Releases v1.0 of Container Standards OCI Member Spotlight – CoreOS OCI Member Spotlight – Cycle.io Join OCI for OSCON’s Open Container Day Innovative Cloud Organizations Join the Open Container Initiative to Help Shape Industry Container Standards OCI Member Spotlight – Mesosphere OCI Member Spotlight – Univa OCI Member Spotlight – Wercker OCI Member Spotlight – IBM OCI Member Spotlight – Rancher Labs OCI Moves into 2017 - Open Container Initiative The OCI Applauds containerd and rkt to CNCF OCI Member Spotlight – ContainerShip OCI Member Spotlight – SUSE OCI Member Spotlight – Apcera OCI Member Spotlight – Portworx OCI Member Spotlight – Huawei OCI Member Spotlight – Pivotal OCI Member Spotlight – Fujitsu OCI Member Spotlight – Weaveworks OCI Member Spotlight – Red Hat OCI Member Spotlight – Google help-guide-the-future-of-container-technology-through-the-open-container-initiative - Open Container Initiative developerWorks Webcast Recap – Open Container Initiative at 12 months OCI Member Spotlight – Intel OCI Member Spotlight – Microsoft Docker 1.11 – The first runtime built on containerd and based on OCI technology Celebrating the Open Container Initiative Image Specification New Image Specification Project for Container Images Open Container Initiative Launches a Container Image Format Spec Open Container Format Progress Report Community Rallies Behind Open Container Initiative Industry Leaders Unite to Create Project for Open Container Standards About the Open Container Initiative Community Overview - Open Container Initiative Contact us - Open Container Initiative FAQ - Open Container Initiative Join - Open Container Initiative Leadership - Open Container Initiative OCI Certified - Open Container Initiative OCI distribution-spec v 1.0.0 release notice OCI distribution-spec v 1.0.1 release notice OCI distribution-spec v. 1.1.0 release notice OCI distribution-spec v. 1.1.1 release notice OCI image-spec v. 1.0.1 release notice OCI image-spec v. 1.0.2 release notice OCI image-spec v. 1.1.0 release notice OCI image-spec v. 1.1.1 release notice OCI runtime-spec v. 1.0.1 release notice OCI runtime-spec v. 1.0.2 release notice OCI Runtime Spec v1.1 - Open Container Initiative
Open Sourcing runc Security Audit
map[name:Amye Scavarda Perrin tag:ascavarda] · 2020-01-31 · via Open Container Initiative

Last last year, Cure53 performed a security audit of runc. runc is a CLI tool for spawning and running containers according to the OCI specification.

There were two different focuses for the security audit, the first being a general security audit, and the second dedicated to manual code auditing aimed at finding implementation-related issues that can lead to security bugs.

First, the general security audit inspected the overall code quality from a meta-level perspective. Some of the indicators taken into account encompassed test coverage, security vulnerability disclosure process, approaches to threat modeling and general code hardening measures.

In the future, OCI will be improving its security reporting practices, as the audit noted that the project could benefit from additional incentives for reporting security issues.

Second, Cure53 describes the key aspects of the manual code audit together with manual pentesting and, since only one major issue was spotted, attests to the thoroughness of the audit and confirms the high quality of the runc project.

The whole audit is available here.

CVE-2019-19921

The race condition described in RUN-01-001 (CVE-2019-19921) is related to a more general problem with handling file paths textually, as well as assumptions made about procfs which were inaccurate and possible to work-around with some ingenuity. Aleksa Sarai (one of the maintainers of runc) has been working on solving this more general problem since June of last year, culminating in a new library called “libpathrs” which intends to solve this problem. The core idea is to use a file-descriptor based approach (combined with openat2 — a new syscall developed by Aleksa to help solve this problem which will be available in Linux 5.6) in order to resolve the core exploitable race conditions present in path lookup. An overview of this problem and further outstanding problems was given by Aleksa as a talk at Linux.conf.au 2020, and is available online.

Unfortunately, this work is still a work-in-progress and is not yet ready for use within runc, and thus a temporary hotfix has been applied which disallows the core part of the procfs-based attack. It should be noted that this hotfix can be worked around by making the root of a container the volume of another container or by explicitly specifying the mountpoint of procfs inside a volume (thus, public clouds are recommended to review how much control untrusted users have over their mount configuration and should apply security policies as appropriate).