Containerization and Sandboxing Concepts
48 Questions

Questions and Answers

What is the primary goal of a sandbox?

  • To create a secure environment for untrusted code (correct)
  • To manage system resources effectively
  • To enhance system performance
  • To improve user experience

Sandboxing completely prevents malicious processes from causing any harm to the host system.

False

What is containerization?

Containerization is the process of packaging an application and all its dependencies into a lightweight, portable runtime image.

Containers can run on any system with the appropriate ______.

container runtime

Match the following terms with their definitions:

  • Isolation = Limited access to system resources
  • Protection = Prevents damage from malicious processes
  • Portability = Ability to run on various systems
  • Reproducibility = Consistent application behavior in different environments

Which of the following is NOT a feature of sandboxing?

Guaranteed system performance

Containerization is more efficient than using virtual machines because containers share the host OS kernel.

True

Name one challenge associated with implementing strong sandboxing.

Precise control over resource access

What is the primary focus of containerization?

Application packaging and portability

Sandboxing and containerization are the same technologies.

False

Name two technologies designed for containerization.

Docker, Snap, Flatpak, AppImage

Containerization without ___________ is considered irresponsible.

sandboxing

Which of the following statements is true regarding containers?

Containers provide some isolation but not the same level as sandboxing.

Achieving true sandboxing is simple and straightforward.

False

Match the following technologies with their purpose:

  • Docker = Application packaging and deployment
  • Snap = Application packaging and deployment
  • Flatpak = Application packaging and deployment
  • AppImage = Application packaging and deployment

If a container is compromised, it could affect the entire __________.

system

What is the primary purpose of cgroups?

To control resource usage for processes

Cgroups allow a single group of processes to monopolize system resources.

False

What does the Memory Controller in cgroups do?

Sets a maximum memory limit for a group of processes.

The ______ controller restricts which CPU cores a group of processes can run on.

CPU Set

Which controller manages access to storage devices?

Block I/O Controller

Namespaces and cgroups work independently of one another.

False

What does the CPU Controller in cgroups ensure?

Fair and weighted access to the CPU.

Match the cgroup subsystem with its purpose:

  • CPU Controller = Enforces limits on CPU time
  • Memory Controller = Sets maximum memory limits
  • Block I/O Controller = Manages access to I/O devices
  • CPU Set Controller = Restricts CPU core usage

Which statement accurately describes the difference between containers and virtual machines (VMs)?

Containers share the kernel of the host operating system.

Docker is a proprietary platform designed specifically for Windows operating systems.

False

What does Docker automate in the context of container deployment?

The deployment of applications inside containers.

Each container in Docker has its own isolated view of the system due to __________.

namespaces

Match the term with its definition:

  • Docker = Platform for automating application deployment in containers
  • LXC = Earlier technology for containerization using Linux kernel features
  • Namespaces = Provide isolation for system resources within containers
  • cgroups = Limit and manage resource allocation for containers

What was one of the advantages that Docker provided over LXC?

Docker includes tooling and APIs for container management.

Docker originally used LXC for its container runtime.

True

Name one characteristic that makes containers lightweight compared to virtual machines.

Containers share the kernel of the host operating system.

What is a key benefit of unprivileged containers?

They reduce the impact of a security breach.

Unprivileged containers directly expose the host system to container escape risks.

False

What does the Trusted Computing Base (TCB) refer to?

The set of components that must be trusted to enforce security policies.

Meltdown is a hardware vulnerability that exploits ______ execution.

out-of-order

Which of the following describes a challenge posed by unprivileged user namespaces?

They increase the attack surface by allowing virtual root users to access kernel code.

Match the following concepts with their descriptions:

  • Privileged containers = Map the container's root user to the host's root user.
  • Unprivileged containers = Map the root user inside the container to a non-root user on the host.
  • Meltdown = Exploits out-of-order execution vulnerabilities in CPUs.
  • Trusted Computing Base = Components trusted to enforce security policies.

What is the main purpose of unprivileged containers?

To restrict privileges and reduce the impact of security breaches.

If the kernel or a driver is compromised, it may lead to a total breach of the host system.

True

What does KPTI stand for?

Kernel Page-Table Isolation

KPTI allows user processes to access kernel memory during speculative execution.

False

What is one significant challenge introduced by KPTI during system calls?

System call overhead due to page table switching.

Emulation involves mimicking the behavior of one system on another by recreating its __________ environment.

hardware or software

Match the terms related to KPTI and emulation with their definitions:

  • KPTI = Isolating kernel memory from user space
  • Emulation = Mimicking one system's behavior on another
  • Performance Penalty = Slower than native execution
  • Page Table Switching = Transitioning between user mode and kernel mode

Which of the following is a consequence of KPTI on system performance?

System call overhead

Emulating an ARM processor on an x86-based system does not require additional processing layers.

False

What is one reason emulation is significantly slower than native execution?

The host system must translate instructions from the emulated system.

Study Notes

Stealing Service

• Cryptominers: Malicious programs use system resources to mine cryptocurrencies without the user's knowledge.
• Abusing Free CI Tiers: Attackers exploit free tiers of CI services (e.g., GitHub Actions, CircleCI) for resource-intensive tasks (like cryptocurrency mining).

Denying Service

• Fork Bombs (e.g., Morris Worm): A denial-of-service attack where a process replicates itself rapidly, consuming system resources (CPU, memory).
• Zip Bombs: Malicious archive files (like ZIP files) designed to expand to overwhelming sizes when decompressed.
• Users Killing Processes: Users with inappropriate permissions disrupt service workflows by terminating other users' processes.

Sandboxing

• Definition: Securely isolating one or more processes so they cannot interfere with or harm the rest of the system.
• Purpose: Creates a safe zone for untrusted code or applications without risking the host system's security, integrity or functionality.

Containerization

• Definition: Packaging an application and its dependencies into a lightweight and portable runtime image.
• Purpose: Ensures reliable application execution in various environments (local machines, data centers, cloud).

Namespaces

• Isolation: Processes can see only certain parts of the system resources, like filesystems and networks.
• Customized View: Namespaces provide each process with its own view of certain system resources.
• Purposes include containerization and isolation.

User Namespaces

• Isolation of Users: Processes in one namespace are unaware of users in other namespaces.
• Mapping UIDs: User namespaces map host system UIDs (real UIDs) to virtual UIDs within the namespace.
• Example: Host UID 1001 might be mapped to UID 0 (root) inside the namespace.

UTS Namespaces

• Hostname Isolation: Each namespace can have a unique hostname, used for process identification.
• Domain Name Isolation: Each namespace can have a unique domain name, useful in network-related configurations.
• Benefits: Creating unique system identities for isolated processes, avoiding conflicts between namespaces, and customizing system identities.

Control Groups (cgroups)

• Resource Management: Manage and limit resource consumption by groups of processes (CPU, memory, I/O, etc.).
• Limits and Isolation: Set upper limits on resource usage for specified process groups.
• Proportional Sharing: Allow resources to be shared proportionally based on weights.

Software-Based Virtualization (Full Virtualization)

• Definition: The hypervisor completely emulates the underlying hardware.
• How It Works: The hypervisor intercepts and translates privileged OS operations (e.g., hardware access) from the guest OS.

Hardware-Assisted Virtualization

• Definition: The physical CPU provides built-in support to improve the efficiency of virtualization.
• Pros: Better compatibility and higher performance than software-only virtualization.


Related Documents

Virtualization PDF

Description

Test your knowledge of the primary goals and features of sandboxing and containerization. This quiz covers definitions, challenges, and technologies associated with these concepts in software development, how they differ, and their significance in securing applications.
