Awesome Cloud Native Security

This repository is used to collect AWESOME resources on the topic of cloud native security found during research.

Hope to be helpful :)

0 General

• Hacking and Hardening Kubernetes Clusters by Example (KubeCon 2017)
• 2018绿盟科技容器安全技术报告 (2018-11)
  • 2020绿盟科技云原生安全技术报告 (2021-01)
• A Measurement Study on Linux Container Security: Attacks and Countermeasures (ACSAC 2018)
• Kubernetes Security: Operating Kubernetes Clusters and Applications Safely (Book, 2018-09-28)
  • Container Security: Fundamental Technology Concepts that Protect Containerized Applications (Book, 2020-04-01)
• MITRE ATT&CK framework for container runtime security with Falco. (2019-05-10)
• Containers' Security: Issues, Challenges, and Road Ahead (IEEE Access 2019)
• Threat matrix for Kubernetes (Microsoft, 2020-04-02)
  • Secure containerized environments with updated threat matrix for Kubernetes (2021-03-23)
• 国内首个云上容器ATT&CK攻防矩阵发布，阿里云助力企业容器化安全落地 (2020-06-18)
• Sysdig 2021 Container Security and Usage Report (2021-01-01)

1 Offensive

1.1 General

• 云原生环境渗透工具考察 (2020-06-22)
• 红蓝对抗中的云原生漏洞挖掘及利用实录 (2021-03-02)

1.2 Kubernetes

1.2.1 General

• Walls Within Walls: What if your attacker knows parkour? (KubeCon 2019)
  • Walls Within Walls: What if Your Attacker Knows Parkour? (Video)
• k0otkit：针对K8s集群的通用后渗透控制技术 (CIS 2020)
  • k0otkit: Hack K8s in a K8s Way (Paper)
  • k0otkit: Hack K8s in a K8s Way (Video)
• Advanced Persistence Threats: The Future of Kubernetes Attacks (RSA 2020)
  • Advanced Persistence Threats: The Future of Kubernetes Attacks (Video)
• Compromising Kubernetes Cluster by Exploiting RBAC Permissions (RSA 2020)
  • Compromising Kubernetes Cluster by Exploiting RBAC Permissions (Video)
• Command and KubeCTL: Real-world Kubernetes Security for Pentesters (Shmoocon 2020)
  • Deep Dive into Real-World Kubernetes Threats (2020-02-12)

1.2.2 Vulnerabilities and Exploits

• Understanding about CVE-2017–1002101 on kubernetes (2018-03-19)
  • Fixing the Subpath Volume Vulnerability in Kubernetes (2018-04-04)
• The Story of the First Kubernetes Critical CVE (CVE-2018-1002105, 2018-12-04)
  • CVE-2018-1002105（k8s特权提升）原理与利用分析报告 (2018-12-08)
• Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care, (2019-08-28)
• Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558) (2020-07-27)
• Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554, 2020-12-21)

1.3 Container

1.3.1 General

• Abusing Privileged and Unprivileged Linux Containers (2016-06-01)
• Houdini’s Escape: Breaking the Resource Rein of Linux Control Groups (CCS 2019)
  • Houdini’s Escape: Breaking the Resource Rein of Linux Control Groups (Video)
• A Methodology for Penetration Testing Docker Systems (Bachelor Theses, 2020-01-17)
  • 针对容器的渗透测试方法 (2020-04-17)
• 里应外合：借容器root提权 (2020-12-03)
• CVE-2021-21287: 容器与云的碰撞——一次对MinIO的测试 (2021-01-30)

1.3.2 Container Escape

• Dirty COW - (CVE-2016-5195) - Docker Container Escape (2017-09)
• A Compendium of Container Escapes (Black Hat 2019)
• In-and-out - Security of Copying to and from Live Containers (Open Source Summit 2019)
• CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host (2019-02-13)
  • Escaping a Broken Container - 'namespaces' from 35C3 CTF (2019-04-15)
  • 容器逃逸成真：从CTF到CVE-2019-5736 (2019-11-20)
• 容器逃逸技术概览 (2020-02-21)
• Escaping Virtualized Containers (Black Hat 2020)
  • Kata Containers逃逸研究 (2020-09-25)
• host模式容器逃逸漏洞（CVE-2020-15257）技术分析 (2020-12-02)
  • ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again (2020-12-10)
  • 容器逃逸CVE-2020-15257 containerd-shim Exploit开发 (2020-12-14)
• How We Escaped Docker in Azure Functions (2021-01-27)

1.4 Serverless

• Hacking Serverless Runtimes (Black Hat 2017)
  • Hacking Serverless Runtimes (Whitepaper)
• Serverless Toolkit for Pentesters (2018-11-11)
• Serverless Red Team Infrastructure: Part 1, Web Bugs (2018-09)
• 针对AWS Lambda的运行时攻击 (2020-12-02)

1.6 Service Mesh

• A Survey of Istio’s Network Security Features (2020-03-04)
• Istio访问授权再曝高危漏洞 (CVE-2020-8595, 2020-03-13)

1.7 API Gateway

• 腾讯蓝军安全提醒：开源云原生API网关Kong可能会成为攻击方进入企业内网的新入口(CVE-2020-11710) (2020-04-15)

1.8 Windows Containers

• Well, That Escalated Quickly! How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in The Hypervisor via Shadow Containers (Black Hat 2017)
  • Well, That Escalated Quickly! (Whitepaper)
• Windows Server Containers Are Open, and Here's How You Can Break Out (2020-07-15)
• Who Contains the Containers? (2021-04-01)

1.9 Tools

• kube-hunter
• serverless_toolkit
• k0otkit - Manipulate K8s in a K8s way
• CDK - Zero Dependency Container Penetration Toolkit
• Metarget

2 Defensive

2.1 Standards and Benchmarks

• NIST.SP.800-190 Application Container Security Guide (2017-09-25)
• NIST.IR.8176 Security Assurance Requirements for Linux Application Container Deployments (2017-10)
• OWASP Container Security Verification Standard
• CIS Kubernetes Benchmark
• CIS Docker Benchmark

2.2 Container

• Understanding and Hardening Linux Containers (2016-06-29)
• 探索Sysdig Falco：容器环境下的异常行为检测工具 (2019-09-25)
• 云原生之容器安全实践 (2020-03-12)
• 容器环境相关的内核漏洞缓解技术 (2020-08-31)

2.3 Secure Container

• Making Containers More Isolated: An Overview of Sandboxed Container Technologies (2019-06-06)
• 深度解析 AWS Firecracker 原理篇 – 虚拟化与容器运行时技术 (2019-12-09)
• 以Docker为代表的传统容器到了生死存亡之际 (2019-12-24)
• Kata Containers创始人：安全容器导论 (2019-12-26)

2.4 Network

• BASTION: A Security Enforcement Network Stack for Container Networks (USENIX 2020)

2.5 Practices

• 国外顶尖容器安全产品是怎么做的 (2020-12-04)
• Detecting MITRE ATT&CK: Defense evasion techniques with Falco (2021-02-02)
• Detecting MITRE ATT&CK: Privilege escalation with Falco (2021-03-02)

2.6 Tools

• docker-bench-security
• Falco

3 Incidents

• Lessons from the Cryptojacking Attack at Tesla (2018-02-20)
• Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub (2019-10-15)
• Detect large-scale cryptocurrency mining attack against Kubernetes clusters (2020-04-08)
• Misconfigured Kubeflow workloads are a security risk (2020-06-10)
• Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes (2021-02-03)