A Compendium of Container Escapes

The presentation discusses container escapes and how to break out of a container, covering vulnerabilities in container engines, insecure deployment and configuration, and kernel exploitation.

• Containers provide security properties but isolation itself is not a security property of containers
• The presentation covers ways to break out of a container, including vulnerabilities in container engines, insecure deployment and configuration, and kernel exploitation
• The kernel can be exploited to escape a container
• The presentation focuses on Linux and widely deployed runtimes and environments
• The presentation provides practical information on how to break out of a container

The presentation highlights the importance of understanding container security and the potential for vulnerabilities in container engines. The presenters note that while containers provide security properties, isolation itself is not a security property of containers. They emphasize the need to understand how to break out of a container, covering vulnerabilities in container engines, insecure deployment and configuration, and kernel exploitation. The presentation provides practical information on how to break out of a container, which can be useful for cybersecurity and DevOps experts. The presenters also note that the kernel can be exploited to escape a container, highlighting the importance of understanding container security.

Containers are a hot topic because of the simplicity they bring to the process of software development, shipping, and deployment. They are insanely useful for eliminating environmental constraints such as library version conflicts, and for the overall organization and hygiene of software. Containers also provide some security properties, including version management, an expression of intent, and often reduced attack surface. However, it is important to understand that although the organizational isolation of containers is what enables these security properties, isolation itself is not a security property of containers.As such, it becomes important to understand the security properties of containers, how they have been escaped in the past, and how they are likely to be escaped in the future. This year kicked off with a container escape vulnerability in runc, used by various container engines, which seemed to come as a shock for many users of containers. The goal of this talk is to broaden the awareness of the how and why container escapes work, starting from a brief intro to what makes a process a container, and then spanning the gamut of escape techniques, covering exposed orchestrators, access to the Docker socket, exposed mount points, /proc, all the way down to overwriting/exploiting the kernel structures to leave the confines of the container.