`
`
`Application Container Security Guide
`
`Murugiah Souppaya
`John Morello
`Karen Scarfone
`
`This publication is available free of charge from:
`https://doi.org/10.6028/NIST.SP.800-190
`
`COMPUTER SECURITY
`
`NIST Special Publication 800-190
`Application Container Security Guide
`
`
`Murugiah Souppaya
`Computer Security Division
`Information Technology Laboratory
`
`John Morello
`Twistlock
`Baton Rouge, Louisiana
`
`Karen Scarfone
`Scarfone Cybersecurity
`Clifton, Virginia
`
`
`This publication is available free of charge from:
`https://doi.org/10.6028/NIST.SP.800-190
`
`
`September 2017
`
`
`
`
`
`
`U.S. Department of Commerce
`Wilbur L. Ross, Jr., Secretary
`
`National Institute of Standards and Technology
`Kent Rochford, Acting Under Secretary of Commerce for Standards and Technology and Acting Director
`
`NIST SP 800-190 APPLICATION CONTAINER SECURITY GUIDE
`
`Authority
`
`This publication has been developed by NIST in accordance with its statutory responsibilities under the
`Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
`(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
`including minimum requirements for federal information systems, but such standards and guidelines shall
`not apply to national security systems without the express approval of appropriate federal officials
`exercising policy authority over such systems. This guideline is consistent with the requirements of the
`Office of Management and Budget (OMB) Circular A-130.
`
`Nothing in this publication should be taken to contradict the standards and guidelines made mandatory
`and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should
`these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of
`Commerce, Director of the OMB, or any other federal official. This publication may be used by
`nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
`Attribution would, however, be appreciated by NIST.
`
`National Institute of Standards and Technology Special Publication 800-190
`Natl. Inst. Stand. Technol. Spec. Publ. 800-190, 63 pages (September 2017)
`CODEN: NSPUE2
`
`This publication is available free of charge from:
`https://doi.org/10.6028/NIST.SP.800-190
`
`Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
`experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
`endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
`available for the purpose.
`
`There may be references in this publication to other publications currently under development by NIST in
`accordance with its assigned statutory responsibilities. The information in this publication, including concepts and
`methodologies, may be used by federal agencies even before the completion of such companion publications. Thus,
`until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain
`operative. For planning and transition purposes, federal agencies may wish to closely follow the development of
`these new publications by NIST.
`
`Organizations are encouraged to review all draft publications during public comment periods and provide feedback
`to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
`https://csrc.nist.gov/publications.
`
`Comments on this publication may be submitted to:
`National Institute of Standards and Technology
`Attn: Computer Security Division, Information Technology Laboratory
`100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
`Email: 800-190comments@nist.gov
`
`
`
`All comments are subject to release under the Freedom of Information Act (FOIA).
`
`Reports on Computer Systems Technology
`
`The Information Technology Laboratory (ITL) at the National Institute of Standards and
`Technology (NIST) promotes the U.S. economy and public welfare by providing technical
`leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
`methods, reference data, proof of concept implementations, and technical analyses to advance
`the development and productive use of information technology. ITL’s responsibilities include the
`development of management, administrative, technical, and physical standards and guidelines for
`the cost-effective security and privacy of other than national security-related information in
`federal information systems. The Special Publication 800-series reports on ITL’s research,
`guidelines, and outreach efforts in information system security, and its collaborative activities
`with industry, government, and academic organizations.
`
`
`
`Abstract
`
`Application container technologies, also known as containers, are a form of operating system
`virtualization combined with application software packaging. Containers provide a portable,
`reusable, and automatable way to package and run applications. This publication explains the
`potential security concerns associated with the use of containers and provides recommendations
`for addressing these concerns.
`
`
`
`Keywords
`
`application; application container; application software packaging; container; container security;
`isolation; operating system virtualization; virtualization
`
`Acknowledgements
`
`The authors wish to thank their colleagues who have reviewed drafts of this document and
`contributed to its technical content during its development, in particular Raghuram Yeluri from
`Intel Corporation, Paul Cichonski from Cisco Systems, Inc., Michael Bartock and Jeffrey
`Cichonski from NIST, and Edward Siewick. The authors also acknowledge the organizations that
`provided feedback during the public comment period, including Docker, Motorola Solutions,
`StackRox, United States Citizenship and Immigration Services (USCIS), and the US Army.
`
`
`
`Audience
`
`The intended audience for this document is system and security administrators, security program
`managers, information system security officers, application developers, and others who have
`responsibilities for or are otherwise interested in the security of application container
`technologies.
`
`This document assumes that readers have some operating system, networking, and security
`expertise, as well as expertise with virtualization technologies (hypervisors and virtual
`machines). Because of the constantly changing nature of application container technologies,
`readers are encouraged to take advantage of other resources, including those listed in this
`document, for more current and detailed information.
`
`
`
`Trademark Information
`
`All registered trademarks or trademarks belong to their respective organizations.
`
`Executive Summary
`
`Operating system (OS) virtualization provides a separate virtualized view of the OS to each
`application, thereby keeping each application isolated from all others on the server. Each
`application can only see and affect itself. Recently, OS virtualization has become increasingly
`popular due to advances in its ease of use and a greater focus on developer agility as a key
`benefit. Today’s OS virtualization technologies are primarily focused on providing a portable,
`reusable, and automatable way to package and run applications (apps). The terms application
`container or simply container are frequently used to refer to these technologies.
`
`The purpose of the document is to explain the security concerns associated with container
`technologies and make practical recommendations for addressing those concerns when planning
`for, implementing, and maintaining containers. Many of the recommendations are specific to a
`particular component or tier within the container technology architecture, which is depicted in
`Figure 1.
`
`Figure 1: Container Technology Architecture Tiers and Components
`
`Organizations should follow these recommendations to help ensure the security of their container
`technology implementations and usage:
`
`Tailor the organization’s operational culture and technical processes to support the new
`way of developing, running, and supporting applications made possible by containers.
`
`The introduction of container technologies might disrupt the existing culture and software
`development methodologies within the organization. Traditional development practices, patching
`techniques, and system upgrade processes might not directly apply to a containerized
`environment, and it is important that employees are willing to adapt to a new model. Staff should
`be encouraged to embrace the recommended practices for securely building and operating apps
`within containers, as covered in this guide, and the organization should be willing to rethink
`existing procedures to take advantage of containers. Education and training covering both the
`technology and the operational approach should be offered to anyone involved in the software
`development lifecycle.
`
`Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces.
`
`A container-specific host OS is a minimalist OS explicitly designed to only run containers, with
`all other services and functionality disabled, and with read-only file systems and other hardening
`practices employed. When using a container-specific host OS, attack surfaces are typically much
`smaller than they would be with a general-purpose host OS, so there are fewer opportunities to
`attack and compromise a container-specific host OS. Accordingly, whenever possible,
`organizations should use container-specific host OSs to reduce their risk. However, it is
`important to note that container-specific host OSs will still have vulnerabilities over time that
`require remediation.
`
`Only group containers with the same purpose, sensitivity, and threat posture on a single
`host OS kernel to allow for additional defense in depth.
`
`While most container platforms do an effective job of isolating containers from each other and
`from the host OS, it may be an unnecessary risk to run apps of different sensitivity levels
`together on the same host OS. Segmenting containers by purpose, sensitivity, and threat posture
`provides additional defense in depth. By grouping containers in this manner, organizations make
`it more difficult for an attacker who compromises one of the groups to expand that compromise
`to other groups. This increases the likelihood that compromises will be detected and contained
`and also ensures that any residual data, such as caches or local volumes mounted for temp files,
`stays within its security zone.
`
`In larger-scale environments with hundreds of hosts and thousands of containers, this grouping
`must be automated to be practical to operationalize. Fortunately, container technologies typically
`include some notion of being able to group apps together, and container security tools can use
`attributes like container names and labels to enforce security policies across them.
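`
One way to automate the grouping check described above, as an added example that is not part of the NIST publication: it audits an inventory for hosts that mix groups and applies the same rule to a new placement, failing closed when labels are missing. The label keys, host names, and inventory are constructed for illustration.

```python
"""Audit container placement: one (purpose, sensitivity, threat posture)
group per host OS kernel. Added example with constructed data."""
from collections import defaultdict

# Hypothetical label keys; a real deployment chooses its own naming scheme.
GROUP_LABELS = ("purpose", "sensitivity", "threat-posture")

WEB = {"purpose": "web", "sensitivity": "low",
       "threat-posture": "internet-facing"}
FINANCE = {"purpose": "finance", "sensitivity": "high",
           "threat-posture": "internal"}

# Constructed inventory: (container name, host, labels), in the shape an
# orchestrator or container security tool might export.
INVENTORY = [
    ("web-frontend-1", "host-a", WEB),
    ("web-frontend-2", "host-a", dict(WEB, sensitivity="Low")),  # case differs
    ("payments-api", "host-b", FINANCE),
    ("web-frontend-3", "host-b", WEB),           # mixes groups on host-b
    ("batch-job", "host-c", {"purpose": "etl"}),  # grouping labels missing
]


def group_of(labels):
    """Return the normalized grouping tuple, or None if any label is absent."""
    values = tuple(str(labels.get(k, "")).strip().lower() for k in GROUP_LABELS)
    return values if all(values) else None


def audit_placement(inventory):
    """Return (mixed_hosts, unlabeled).

    mixed_hosts maps each host running more than one group to
    {group: [container names]}; unlabeled lists (host, name) pairs whose
    grouping labels are incomplete and therefore cannot be classified.
    """
    by_host = defaultdict(lambda: defaultdict(list))
    unlabeled = []
    for name, host, labels in inventory:
        group = group_of(labels)
        if group is None:
            unlabeled.append((host, name))
        else:
            by_host[host][group].append(name)
    mixed = {
        host: {group: sorted(names) for group, names in groups.items()}
        for host, groups in by_host.items()
        if len(groups) > 1
    }
    return mixed, sorted(unlabeled)


def can_schedule(inventory, host, labels):
    """Placement check: may a container with these labels join this host?

    Fails closed: a new container without complete labels is refused, and so
    is any host that already runs an unclassified container or another group.
    """
    group = group_of(labels)
    if group is None:
        return False
    existing = {group_of(lbls) for _, h, lbls in inventory if h == host}
    return existing <= {group}


if __name__ == "__main__":
    mixed, unlabeled = audit_placement(INVENTORY)
    for host, groups in mixed.items():
        print(f"{host}: mixed groups {sorted(groups)}")
    for host, name in unlabeled:
        print(f"{host}: {name} has incomplete grouping labels")
```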
`
`Adopt container-specific vulnerability management tools and processes for images to
`prevent compromises.
`
`Traditional vulnerability management tools make many assumptions about host durability and
`app update mechanisms and frequencies that are fundamentally misaligned with a containerized
`model. For example, they often assume that a given server runs a consistent set of apps over
`time, but different application containers may actually be run on different servers at any given
`time based on resource availability. Further, traditional tools are often unable to detect
`vulnerabilities within containers, leading to a false sense of safety. Organizations should use
`tools that take the declarative, step-by-step build approach and immutable nature of containers
`and images into their design to provide more actionable and reliable results.
`
`These tools and processes should take both image software vulnerabilities and configuration
`settings into account. Organizations should adopt tools and processes to validate and enforce
`compliance with secure configuration best practices for images. This should include having
`centralized reporting and monitoring of the compliance state of each image, and preventing
`non-compliant images from being run.
`
`Consider using hardware-based countermeasures to provide a basis for trusted computing.
`
`Security should extend across all tiers of the container technology. The current way of
`accomplishing this is to base security on a hardware root of trust, such as the industry standard
`Trusted Platform Module (TPM). Within the hardware root of trust are stored measurements of
`the host’s firmware, software, and configuration data. Validating the current measurements
`against the stored measurements before booting the host provides assurance that the host can be
`trusted. The chain of trust rooted in hardware can be extended to the OS kernel and the OS
`components to enable cryptographic verification of boot mechanisms, system images, container
`runtimes, and container images. Trusted computing provides a secure way to build, run,
`orchestrate, and manage containers.
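`
A simplified software model of the measurement check described above, added here as an example and not taken from the NIST publication or any TPM library. It goes slightly beyond the text by showing the hash-chained extend operation a TPM uses to accumulate measurements, so a change to any component, or to the order of components, changes the final value; component names and contents are constructed.

```python
"""Model of a measured chain of trust: each component is hashed and folded
into a running register, then compared with known-good measurements.
Added example with constructed data; not a TPM API."""
import hashlib
import hmac

REGISTER_SIZE = 32  # bytes, matching a SHA-256 register bank

# Constructed stand-ins for the binaries measured at each stage.
GOLDEN_COMPONENTS = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader v1"),
    ("os-kernel", b"constructed kernel v1"),
    ("container-runtime", b"constructed runtime v1"),
    ("container-image", b"constructed app image v1"),
]


def extend(register, digest):
    """TPM-style extend: new = SHA-256(old || digest). Values can only be
    folded in, never set directly, so history cannot be rewritten."""
    return hashlib.sha256(register + digest).digest()


def measure_chain(components):
    """Measure components in boot order; return (final register, event log)."""
    register = bytes(REGISTER_SIZE)  # register starts at all zeros
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        register = extend(register, digest)
        log.append((name, digest))
    return register, log


def replay(log):
    """Recompute the register value implied by an event log."""
    register = bytes(REGISTER_SIZE)
    for _name, digest in log:
        register = extend(register, digest)
    return register


def verify_host(golden_log, reported_register, reported_log):
    """Return (trusted, reason).

    reported_register is assumed to come from the hardware root of trust
    (for example inside a signed quote); obtaining and authenticating it is
    outside this model. The event log is untrusted until it reproduces
    that register value.
    """
    if not hmac.compare_digest(replay(reported_log), reported_register):
        return False, "event log does not reproduce reported register"
    if hmac.compare_digest(reported_register, replay(golden_log)):
        return True, "measurements match"
    # Registers differ: walk the logs to name the first unexpected entry.
    for expected, actual in zip(golden_log, reported_log):
        if expected != actual:
            return False, "unexpected measurement: " + actual[0]
    return False, "number of measured components differs"


if __name__ == "__main__":
    golden_register, golden_log = measure_chain(GOLDEN_COMPONENTS)
    print(verify_host(golden_log, golden_register, golden_log))

    # Constructed tampering: the runtime binary differs from the known-good one.
    changed = list(GOLDEN_COMPONENTS)
    changed[3] = ("container-runtime", b"constructed runtime v1 (modified)")
    register, log = measure_chain(changed)
    print(verify_host(golden_log, register, log))
```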
`
`Use container-aware runtime defense tools.
`
`Deploy and use a dedicated container security solution capable of preventing, detecting, and
`responding to threats aimed at containers during runtime. Traditional security solutions, such as
`intrusion prevention systems (IPSs) and web application firewalls (WAFs), often do not provide
`suitable protection for containers. They may not be able to operate at the scale of containers,
`manage the rate of change in a container environment, and have visibility into container activity.
`Utilize a container-native security solution that can monitor the container environment and
`provide precise detection of anomalous and malicious activity within it.
`
`Table of Contents
`
`Executive Summary
`1 Introduction
`  1.1 Purpose and Scope
`  1.2 Document Structure
`2 Introduction to Application Containers
`  2.1 Basic Concepts for Application Virtualization and Containers
`  2.2 Containers and the Host Operating System
`  2.3 Container Technology Architecture
`    2.3.1 Image Creation, Testing, and Accreditation
`    2.3.2 Image Storage and Retrieval
`    2.3.3 Container Deployment and Management
`  2.4 Container Uses
`3 Major Risks for Core Components of Container Technologies
`  3.1 Image Risks
`    3.1.1 Image vulnerabilities
`    3.1.2 Image configuration defects
`    3.1.3 Embedded malware
`    3.1.4 Embedded clear text secrets
`    3.1.5 Use of untrusted images
`  3.2 Registry Risks
`    3.2.1 Insecure connections to registries
`    3.2.2 Stale images in registries
`    3.2.3 Insufficient authentication and authorization restrictions
`  3.3 Orchestrator Risks
`    3.3.1 Unbounded administrative access
`    3.3.2 Unauthorized access
`    3.3.3 Poorly separated inter-container network traffic
`    3.3.4 Mixing of workload sensitivity levels
`    3.3.5 Orchestrator node trust
`  3.4 Container Risks
`    3.4.1 Vulnerabilities within the runtime software
`    3.4.2 Unbounded network access from containers
`    3.4.3 Insecure container runtime configurations
`    3.4.4 App vulnerabilities
`    3.4.5 Rogue containers
`  3.5 Host OS Risks
`    3.5.1 Large attack surface
`    3.5.2 Shared kernel
`    3.5.3 Host OS component vulnerabilities
`    3.5.4 Improper user access rights
`    3.5.5 Host OS file system tampering
`4 Countermeasures for Major Risks
`  4.1 Image Countermeasures
`    4.1.1 Image vulnerabilities
`    4.1.2 Image configuration defects
`    4.1.3 Embedded malware
`    4.1.4 Embedded clear text secrets
`    4.1.5 Use of untrusted images
`  4.2 Registry Countermeasures
`    4.2.1 Insecure connections to registries
`    4.2.2 Stale images in registries
`    4.2.3 Insufficient authentication and authorization restrictions
`  4.3 Orchestrator Countermeasures
`    4.3.1 Unbounded administrative access
`    4.3.2 Unauthorized access
`    4.3.3 Poorly separated inter-container network traffic
`    4.3.4 Mixing of workload sensitivity levels
`    4.3.5 Orchestrator node trust
`  4.4 Container Countermeasures
`    4.4.1 Vulnerabilities within the runtime software
`    4.4.2 Unbounded network access from containers
`    4.4.3 Insecure container runtime configurations
`    4.4.4 App vulnerabilities
`    4.4.5 Rogue containers
`  4.5 Host OS Countermeasures
`    4.5.1 Large attack surface
`    4.5.2 Shared kernel
`    4.5.3 Host OS component vulnerabilities
`    4.5.4 Improper user access rights
`    4.5.5 Host file system tampering
`  4.6 Hardware Countermeasures
`5 Container Threat Scenario Examples
`  5.1 Exploit of a Vulnerability within an Image
`  5.2 Exploit of the Container Runtime
`  5.3 Running a Poisoned Image
`6 Container Technology Life Cycle Security Considerations
`  6.1 Initiation Phase
`  6.2 Planning and Design Phase
`  6.3 Implementation Phase
`  6.4 Operations and Maintenance Phase
`  6.5 Disposition Phase
`7 Conclusion
`
`List of Appendices
`
`Appendix A: NIST Resources for Securing Non-Core Components
`Appendix B: NIST SP 800-53 and NIST Cybersecurity Framework Security Controls Related to Container Technologies
`Appendix C: Acronyms and Abbreviations
`Appendix D: Glossary
`Appendix E: References
`
`List of Tables and Figures
`
`Figure 1: Container Technology Architecture Tiers and Components
`Figure 2: Virtual Machine and Container Deployments
`Figure 3: Container Technology Architecture Tiers, Components, and Lifecycle Phases
`Table 1: NIST Resources for Securing Non-Core Components
`Table 2: Security Controls from NIST SP 800-53 for Container Technology Security
`Table 3: NIST SP 800-53 Controls Supported by Container Technologies
`Table 4: NIST Cybersecurity Framework Subcategories Supported by Container Technologies
`
`1 Introduction
`
`1.1 Purpose and Scope
`
`The purpose of the document is to explain the security concerns associated with application
`container technologies and make practical recommendations for addressing those concerns when
`planning for, implementing, and maintaining containers. Some aspects of containers may vary
`among technologies, but the recommendations in this document are intended to apply to most or
`all application container technologies.
`
`All forms of virtualization other than application containers, such as virtual machines, are
`outside the scope of this document.
`
`In addition to application container technologies, the term “container” is used to refer to concepts
`such as software that isolates enterprise data from personal data on mobile devices, and software
`that may be used to isolate applications from each other on desktop operating systems. While
`these may share some attributes with application container technologies, they are out of scope for
`this document.
`
`This document assumes readers are already familiar with securing the technologies supporting
`and interacting with application container technologies. These include the following:
`
`• The layers under application container technologies, including hardware, hypervisors,
`and operating systems;
`• The administrative tools that use the applications within the containers; and
`• The administrator endpoints used to manage the applications within the containers and
`the containers themselves.
`
`Appendix A contains pointers to resources with information on securing these technologies.
`Sections 3 and 4 offer additional information on security considerations for container-specific
`operating systems. All further discussion of securing the technologies listed above is out of scope
`for this document.
`
`1.2 Document Structure
`
`The remainder of this document is organized into the following sections and appendices:
`
`• Section 2 introduces containers, including their technical capabilities, technology
`architectures, and uses.
`• Section 3 explains the major risks for the core components of application container
`technologies.
`• Section 4 recommends countermeasures for the risks identified in Section 3.
`• Section 5 defines threat scenario examples for containers.
`• Section 6 presents actionable information for planning, implementing, operating, and
`maintaining container technologies.
`• Section 7 provides the conclusion for the document.
`• Appendix A lists NIST resources for securing non-core components of container
`technologies.
`• Appendix B lists the NIST Special Publication 800-53 security controls and NIST
`Cybersecurity Framework subcategories that are most pertinent to application container
`technologies, explaining the relevancy of each.
`• Appendix C provides an acronym and abbreviation list for the document.
`• Appendix D presents a glossary of selected terms from the document.
`• Appendix E contains a list of references for the document.
`
`2 Introduction to Application Containers
`
`This section provides an introduction to containers for server applications (apps). First, it defines
`the basic concepts for application virtualization and containers needed to understand the rest of
`the document. Next, this section explains how containers interact with the operating system they
`run on top of. The next portion of the section illustrates the overall architecture of container
`technologies, defining all the major components typically found in a container implementation
`and explaining the workflows between components. The last part of the section describes
`common uses for containers.
`
`2.1 Basic Concepts for Application Virtualization and Containers
`
`NIST Special Publication (SP) 800-125 [1] defines virtualization as “the simulation of the
`software and/or hardware upon which other software runs.” Virtualization has been in use for
`many years, but it is best known for enabling cloud computing. In cloud environments, hardware
`virtualization is used to run many instances of operating systems (OSs) on a single physical
`server while keeping each instance separate. This allows more efficient use of hardware and
`supports multi-tenancy.
`
`In hardware virtualization, each OS instance interacts with virtualized hardware. Another form of
`virtualization known as operating system virtualization has a similar concept; it provides
`multiple virtualized OSs above a single actual OS kernel. This approach is often called an OS
`container, and various implementations of OS containers have existed since the early 2000s,
`starting with Solaris Zone and FreeBSD jails.¹ Support initially became available in Linux in
`2008 with the Linux Container (LXC) technology built into nearly all modern distributions. OS
`containers are different from the application containers that are the topic of this guide because
`OS containers are designed to provide an environment that behaves much like a normal OS in
`which multiple apps and services may co-exist.
`
`Recently, application virtualization has become increasingly popular due to advances in its ease
`of use and a greater focus on developer agility as a key benefit. In application virtualization, the
`same shared OS kernel is exposed virtually to multiple discrete apps. OS components keep each
`app instance isolated from all others on the server. In this case, each app sees only the OS and
`itself, and is isolated from other apps that may be running on this same OS kernel.
`
`The key difference between OS virtualization and application virtualization is that with
`application virtualization, each virtual instance typically runs only a single app. Today’s
`application virtualization technologies are primarily focused on providing a portable, reusable,
`and automatable way to package and run apps. The terms application container or simply
`container are frequently used to refer to these technologies. The term is meant as an analogy to
`shipping containers, which provide a standardized way of grouping disparate contents together
`while isolating them from each other.
`
`¹ For more information on the concept of jails, see https://www.freebsd.org/doc/handbook/jails.html.
`
`Unlike traditio