Immutability for PCF: Security in a Cloud Native World
Bracket Computing has been working closely with the Cloud Foundry community to create new tools to harden a PCF foundation and make it truly immutable. Bracket has developed a unique architecture that applies security and immutability controls via a virtualization layer that Bracket calls a Metavisor. The Metavisor is a hypervisor that sits between the guest OS or runtime and the hypervisor of the cloud underneath. The Stem Cell image is wrapped with a Metavisor, allowing the Metavisor to boot first, and then chainload the Stem Cell on top of the Metavisor. This approach means that the Metavisor remains resident in a separate memory space from the Stem Cell VM, effectively attached to but isolated from the Stem Cell. Enforcing immutability at this layer means that the controls can not be bypassed even if an attacker gains root access to the Stem Cell VM.
This talk will focus on five areas required to achieve infrastructure immutability for PCF:
- Kernel immutability. Protecting critical aspects of the kernel such as the system call tables.
- File immutability. Locking down critical parts of the file system. Executable code should be read but not written to. Config files should be read but not executed. And log files should be written to but not executed.
- Memory immutability. Many attacks will use applciation vulnerabilities to escalate privileges of a process in memory. This should never happen and can be disallowed.
- Process immutability. Critical processes can be monitored to ensure they are properly functioning. Certain processes, say a web server, should never spawn a new process such as a root shell. This is a very common attack technique that can be disallowed with truly immutable infrastructure.
- Network immutability. Random network connections should not be allowed. A network whitelist model where only approved connections to authenticated hosts are allowed is a very effective technique to prevent the lateral spread of malware.