The internationally renowned information security conference BlackHat USA 2024 was recently held in Las Vegas, USA. vArmor, the open-source system from the ByteDance Cloud Security Team, was selected for the BlackHat Arsenal and presented on-site at the conference in the session "BlackHat USA 24 Arsenal - vArmor: A Sandbox System for Hardening Cloud-Native Containers".
As a top-level global summit in the security industry, BlackHat has always been strict in selecting and evaluating the security technology talks submitted from around the world and the tools presented in its Arsenal showcase. The Arsenal showcase is one of BlackHat's signature features: it invites speakers to demonstrate their cutting-edge research and offensive tools to the audience on-site and to exchange ideas with them face-to-face, thereby enriching the security community's toolset.
What is vArmor?
Faced with issues and pain points such as weak Linux container isolation, the lack of mitigations in the window before a vulnerability is patched, the high threshold of existing hardening methods, and the lack of a cloud-native perspective in hardening capabilities, the ByteDance Cloud Security Team independently developed and open-sourced the cloud-native container sandbox vArmor. It strengthens container sandboxing by leveraging the Linux kernel's LSM (AppArmor & BPF) and Seccomp technologies, thereby enhancing container isolation, reducing the kernel attack surface, and increasing the difficulty and cost of container escape and lateral movement.
vArmor follows the Kubernetes Operator design pattern, allowing users to harden workloads by driving the sandbox system through a declarative API. This brings sandbox hardening closer to the perspective of containerized microservices. (Further reading: Officially open source! ByteDance's self-developed cloud-native container sandbox vArmor)
With the wide application of cloud-native technology, the demand for strengthening containerized microservices by enterprises will continue to grow. The original intention and goal of vArmor's design is to minimize the gap between 'security protection' and 'development and operations' as much as possible, and to provide a low-threshold, high-usability, lightweight solution for Linux container strengthening in the cloud-native environment.
What are the new features this time?
Since being open-sourced, vArmor has made significant improvements in functionality, stability, and security, such as:
- The cluster-wide VarmorClusterPolicy API has been introduced, which can apply security policies to workloads in all namespaces.
- New policy primitives have been added to the BPF enforcer, a Seccomp enforcer has been added, and more built-in rules are available. vArmor now supports using multiple enforcers (AppArmor/BPF/Seccomp) separately or in combination, so the strengths of each enforcer can be used to apply fine-grained mandatory access control to container file access, process execution, outbound network connections, and system calls.
- Behavior modeling support has been added to the AppArmor and Seccomp enforcers, which can model the behavior (capabilities, file access, process execution, system calls, etc.) of multi-instance applications. The modeling results can be used to assist policy authoring, defense in depth, and permission minimization.
- The Policy Advisor has been introduced, which selects built-in rules based on the context information and behavior model of the target application and generates policy templates. This further lowers the threshold for customizing hardening policies.
For more new features and changes, see the project's release notes.
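To make the declarative workflow above concrete, here is an added example (not code from the vArmor project itself) of the two kinds of policy a cluster operator would typically write: first a VarmorClusterPolicy in behavior-modeling mode to record what a workload actually does, then a cluster-wide hardening policy that combines the AppArmor and Seccomp enforcers with a handful of built-in rules. The API group/version (`crd.varmor.org/v1beta1`), the field names under `spec`, the combined enforcer value `AppArmorSeccomp`, the `modelingOptions.duration` field and the rule names are taken from my reading of the project's documentation and are assumptions to verify against the docs for the release you deploy; the `tier: web` label and policy names are made up for the example.

```yaml
# Added example, not part of the vArmor project. Field names, enforcer value,
# rule names and modelingOptions are assumptions to check against the docs.
#
# Step 1: observe. BehaviorModeling mode records the capabilities, file
# accesses, executed programs and system calls of every Deployment labelled
# tier=web, in all namespaces, for the given duration (assumed: minutes).
# The resulting model is input for the Policy Advisor.
apiVersion: crd.varmor.org/v1beta1
kind: VarmorClusterPolicy          # cluster-scoped: applies across namespaces
metadata:
  name: model-web-tier             # constructed name
spec:
  target:
    kind: Deployment
    selector:
      matchLabels:
        tier: web                  # constructed label
  policy:
    enforcer: AppArmorSeccomp      # both enforcers participate in modeling
    mode: BehaviorModeling
    modelingOptions:
      duration: 30
---
# Step 2: enforce. Replace the modeling policy with a hardening policy for the
# same targets (apply one policy per workload at a time). EnhanceProtect adds
# built-in rules on top of the runtime default profile; AppArmor handles file,
# capability and network access, Seccomp filters system calls.
apiVersion: crd.varmor.org/v1beta1
kind: VarmorClusterPolicy
metadata:
  name: harden-web-tier            # constructed name
spec:
  target:
    kind: Deployment
    selector:
      matchLabels:
        tier: web
  policy:
    enforcer: AppArmorSeccomp
    mode: EnhanceProtect
    enhanceProtect:
      hardeningRules:
        - disable-cap-privileged   # drop the capability set a privileged container would gain
        - disallow-mount           # block mount(2), a common step in host-filesystem escapes
      attackProtectionRules:
        - rules:
            - mitigate-sa-leak     # deny reading the mounted ServiceAccount token
            - disable-write-etc    # keep /etc read-only for the workload
```

Apply each document with `kubectl apply -f`, and check the policy status with `kubectl get varmorclusterpolicy` before trusting that the profile has been loaded; a policy that targets workloads in many namespaces is exactly where a typo in the selector silently hardens nothing, so confirm the matched workloads first.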
Future plans
vArmor has collected a great deal of feedback from the open-source community and, with the community's help, has further improved the stability and compatibility of the system. Next, the vArmor project will continue to iterate and evolve according to its roadmap, improving functionality, usability, stability, observability, and compatibility. Everyone is welcome to take part in building the community and to provide feedback.
Project address: https://github.com/bytedance/vArmor
Community discussion: Welcome to join the open source communication group through Feishu for follow-up exchanges and feedback.