When it comes to security, containers are the little brothers of virtual machines. Containers try to be secure, but they are just not as good at it as virtual machines.
That’s the accepted wisdom, anyway, and it’s why some people run containers inside virtual machines. It’s also why there’s a whole ecosystem of companies like Twistlock dedicated to making containers more secure.
What you don’t hear much about is people using containers as the foundation of a security system — in fact, the idea of doing just that is a bit of an eyebrow-raiser.
But that’s exactly what a company called Polyverse is doing. The company is run by Alex Gounares, a former chief technology officer at AOL.
Polyverse’s product offering is a container system that provides a “moving target” defense. Here’s what that means.
“Say you get a virus or an APT [Advanced Persistent Threat] in your data center. You have got to wipe your servers and rebuild them,” Gounares explains. “But with containers, rebuilding a system is a lot easier than before, because the system, or a portion of the system, can be described in a Docker file. So what we do is we continuously rebuild an entire containerized environment — we reset it (to a known good state) every 5 seconds.”
Making Things Difficult for Hackers
What this means is if a hacker does get in to your system they only have a few seconds to get up to no good before the system is reset and any malware removed. Gounares says the Polyverse software takes care of state management, and the whole process is more like a kind of load balancing.
“The process is continuous,” he explains. “So say you have a website handling traffic: In the background we spin up a new instance of the web site, and new traffic goes to the new instance. The old site completes its current transactions and is then destroyed, just in case it is infected. Then the whole process repeats itself.”
He adds that while databases are less easy to handle, the system works with “modern databases” that can be load-balanced and restarted and can run on multiple machines which can come and go. “We do it, but not every five seconds for a database,” he says. But he points out the average duration of an APT is 232 days, so even if a database is reset to a known good state somewhat less than every five seconds, this is still an improvement. “Why give attackers months to work rather than seconds?” he says.
Polyverse has another string for its bow as well, and that’s what it calls code scrambling. When a customer is running open-source code (or their own applications to which they have access to the source code), this source code can be run through Polyverse’s custom compiler.
This emits executable code that functions identically to the standard executable for that application, but which is different in various technical details such as where particular registers are.
It is scrambled, in other words, and that means if a hacker has access to the standard source code they can identify a vulnerability and craft an exploit, but the exploit won’t work in the scrambled version of the executable. Using a random number as a seed, Gounares estimated it is possible to generate quadrillions of different executables that are all functionally identical from a single piece of source code.
Combining Rapid Container Cycling and Code Scrambling for Better Security
The coup de grace is the combination of these two technologies: rapid container cycling (aka load balancing), where the contents of each new container is an application in a known good state, while running a different version of scrambled code every time.
All of this means an attacker has just a few seconds to analyze an application, find a vulnerability, build an exploit, and then launch the exploit, before the application is reset with a new executable that (probably) won’t be susceptible to the exploit. A few seconds later the entire thing repeats itself.
Of course, compiling code takes time — more than a few seconds — so executables have to be compiled in advance and held in a queue. That sounds like a potential vulnerability. And it’s not clear how vulnerabilities in Docker itself might affect the security of applications being run using Polyverse’s software (or indeed vulnerabilities in Polyverse’s software itself).
And all this container activity uses resources, although Gounares says the pace of recycling can be dialed down so that it does not require more than the amount of spare processor cycles on the host machine. “Modern hardware is phenomenally capable with a ton of spare room. So we have no impact on performance or user experience,” he says.
One thing we can say about all this is that it’s an interesting use of containers. Usually the concern with containers is the lack of security infrastructure to surround them.
But with this model, the containers are the security.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.