In recent years containers have become increasingly popular. A few years ago Microsoft realized that and teamed up with Docker to offer a container solution for Microsoft Windows. Until then, Windows lacked some of the core features needed for containers to work properly, mainly namespaces, control groups (cgroups) and layer capabilities.

Judging by the number of severe vulnerabilities found in Linux containers in recent years, it is likely that vulnerabilities exist in Windows containers as well. Windows, unlike Linux, is not open source, and because the container feature in particular is barely documented, such vulnerabilities are much harder to find. Currently there is little public information about the internal implementation of the feature in Windows, so reverse engineering the kernel was needed to better understand Microsoft's implementation of containers.

I found that job objects are used in a similar way to control groups (cgroups) in Linux, and that server silo objects were introduced as a replacement for the namespace support the kernel lacked. Furthermore, I found that Windows filters system calls in kernel space, thus preventing a container process from escalating its privileges and escaping the container.

This post demonstrates that we can learn a lot from reverse engineering Windows containers. Further research could help us better understand the threat model of Windows containers.
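The post states that job objects play the role cgroups play on Linux. The following PowerShell script is an added example, not code from the original post or from Microsoft or Docker, that lets a practitioner observe this from inside a running Windows container: it asks the kernel whether the current process is confined by a job object and, if so, prints the resource limits that job imposes. It uses only the documented Win32 APIs IsProcessInJob and QueryInformationJobObject via P/Invoke; the flag names and values come from winnt.h. Assumptions: it is run from a PowerShell prompt inside a process-isolated container (for example via `docker exec -it <container> powershell`), and which limits are actually set depends on how the container runtime configured the job (a container started without memory or CPU limits may show a job with few or no limit flags).

```powershell
# Probe the job object confining the current process, using documented Win32 APIs.
# Added example: run inside a Windows container, then on a bare host, and compare.
$cs = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct IO_COUNTERS
{
    public ulong ReadOperationCount, WriteOperationCount, OtherOperationCount;
    public ulong ReadTransferCount, WriteTransferCount, OtherTransferCount;
}

[StructLayout(LayoutKind.Sequential)]
public struct JOBOBJECT_BASIC_LIMIT_INFORMATION
{
    public long    PerProcessUserTimeLimit;   // 100 ns units
    public long    PerJobUserTimeLimit;
    public uint    LimitFlags;                // JOB_OBJECT_LIMIT_* bits
    public UIntPtr MinimumWorkingSetSize;
    public UIntPtr MaximumWorkingSetSize;
    public uint    ActiveProcessLimit;
    public UIntPtr Affinity;
    public uint    PriorityClass;
    public uint    SchedulingClass;
}

[StructLayout(LayoutKind.Sequential)]
public struct JOBOBJECT_EXTENDED_LIMIT_INFORMATION
{
    public JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;
    public IO_COUNTERS IoInfo;
    public UIntPtr ProcessMemoryLimit;
    public UIntPtr JobMemoryLimit;
    public UIntPtr PeakProcessMemoryUsed;
    public UIntPtr PeakJobMemoryUsed;
}

public static class JobProbe
{
    public const int JobObjectExtendedLimitInformation = 9;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);

    // A null hJob queries the job the calling process belongs to (documented behaviour).
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool QueryInformationJobObject(IntPtr hJob, int infoClass,
        out JOBOBJECT_EXTENDED_LIMIT_INFORMATION info, int infoLength, out int returnLength);
}
'@
Add-Type -TypeDefinition $cs

# Step 1: is this process inside any job object at all? (null hJob means "any job")
$inJob = $false
if (-not [JobProbe]::IsProcessInJob([JobProbe]::GetCurrentProcess(), [IntPtr]::Zero, [ref]$inJob)) {
    throw "IsProcessInJob failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
if (-not $inJob) {
    "PID $PID is not in a job object (expected on a bare host, not inside a container)."
    return
}

# Step 2: read the limits the job imposes, the rough equivalent of cgroup controllers.
$info = New-Object JOBOBJECT_EXTENDED_LIMIT_INFORMATION
$size = [Runtime.InteropServices.Marshal]::SizeOf([type][JOBOBJECT_EXTENDED_LIMIT_INFORMATION])
$returned = 0
$ok = [JobProbe]::QueryInformationJobObject([IntPtr]::Zero,
        [JobProbe]::JobObjectExtendedLimitInformation, [ref]$info, $size, [ref]$returned)
if (-not $ok) {
    throw "QueryInformationJobObject failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# JOB_OBJECT_LIMIT_* values from winnt.h (only the confinement-relevant ones).
$flagNames = [ordered]@{
    0x0001 = 'WORKINGSET'; 0x0002 = 'PROCESS_TIME'; 0x0004 = 'JOB_TIME'
    0x0008 = 'ACTIVE_PROCESS'; 0x0010 = 'AFFINITY'; 0x0020 = 'PRIORITY_CLASS'
    0x0080 = 'SCHEDULING_CLASS'; 0x0100 = 'PROCESS_MEMORY'; 0x0200 = 'JOB_MEMORY'
    0x0800 = 'BREAKAWAY_OK'; 0x1000 = 'SILENT_BREAKAWAY_OK'; 0x2000 = 'KILL_ON_JOB_CLOSE'
}
$basic = $info.BasicLimitInformation
$set = $flagNames.Keys | Where-Object { $basic.LimitFlags -band $_ } | ForEach-Object { $flagNames[$_] }

[pscustomobject]@{
    PID                 = $PID
    LimitFlags          = ('0x{0:X}' -f $basic.LimitFlags)
    LimitsSet           = ($set -join ', ')
    ActiveProcessLimit  = $basic.ActiveProcessLimit
    Affinity            = ('0x{0:X}' -f $basic.Affinity.ToUInt64())
    JobMemoryLimitMB    = [math]::Round($info.JobMemoryLimit.ToUInt64() / 1MB)
    PeakJobMemoryUsedMB = [math]::Round($info.PeakJobMemoryUsed.ToUInt64() / 1MB)
}
```

The first call answers the structural question (is the process confined by a job at all); the second shows which limits the runtime attached to that job, for instance JOB_MEMORY appears when the container was started with a memory limit. A missing BREAKAWAY_OK flag is the detail worth checking from a security standpoint: without it, child processes cannot leave the job, which is what makes the job an effective confinement boundary rather than just an accounting group. CPU rate control lives in a separate information class (JobObjectCpuRateControlInformation) and is not queried here.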