vArmor is a cloud-native container sandbox system. It leverages Linux’s AppArmor LSM, BPF LSM and Seccomp technologies to implement enforcers.
It can be used to strengthen container isolation, reduce the kernel attack surface, and increase the difficulty and cost of container escape or lateral movement attacks.
You can leverage vArmor in the following scenarios to provide sandbox protection for containers within a Kubernetes cluster.
vArmor was created by the Elkeid Team of the endpoint security department at ByteDance. And the project is still in active development.
Note: To meet stringent isolation requirements, it is advisable to give priority to utilizing hardware-virtualized containers (e.g., Kata Containers) for compute isolation, in conjunction with network isolation provided by CNI’s NetworkPolicy.
You can specify the enforcer through the spec.policy.enforcer
field of policy objects (VarmorPolicy/VarmorClusterPolicy). In addition, you can also use different enforcers individually or in combination, such as: AppArmorBPF, AppArmorSeccomp, AppArmorBPFSeccomp etc.
The prerequisites required by different enforcers are as shown in the following table.
Enforcer | Requirements | Recommendations |
---|---|---|
AppArmor | 1. Linux Kernel 4.15 and above 2. The AppArmor LSM is enabled | GKE with Container-Optimized OS AKS with Ubuntu 22.04 LTS VKE with veLinux 1.0 Debian 10 and above Ubuntu 18.04.0 LTS and above veLinux 1.0 etc. |
BPF | 1. Linux Kernel 5.10 and above (x86_64) 2. containerd v1.6.0 and above 3. The BPF LSM is enabled | EKS with Amazon Linux 2 GKE with Container-Optimized OS VKE with veLinux 1.0 (with 5.10 kernel) AKS with Ubuntu 22.04 LTS * ACK with Alibaba Cloud Linux 3 * OpenSUSE 15.4 * Debian 11 * Fedora 37 veLinux 1.0 with 5.10 kernel etc. * Manual enabling of BPF LSM is required |
Seccomp | 1. Kubernetes v1.19 and above | All Linux distributions |
The vArmor policy can operate in five modes: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling and DefenseInDepth.
When the policy is running in EnhanceProtect mode, built-in rules and custom interfaces can be used to harden the container.
For more information, please refer to Policy Modes and Built-in Rules.
For more information click here.
ModTask is an advanced C# tool designed for red teaming operations, focusing on manipulating scheduled…
HellBunny is a malleable shellcode loader written in C and Assembly utilizing direct and indirect…
SharpRedirect is a simple .NET Framework-based redirector from a specified local port to a destination…
Flyphish is an Ansible playbook allowing cyber security consultants to deploy a phishing server in…
A crypto library to decrypt various encrypted D-Link firmware images. Confirmed to work on the…
LLMs (e.g., GPT-3.5, LLaMA, and PaLM) suffer from hallucination—fabricating non-existent facts to cheat users without…