Skip to content

Commit

Permalink
Apply suggestions from code review
Browse files Browse the repository at this point in the history 
Co-authored-by: 3u13r <[email protected]>
  • Loading branch information
@m1ghtym0 @3u13r
m1ghtym0 and 3u13r committed Apr 18, 2024
1 parent 967d18a commit b0f11a6
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions docs/docs/basics/security-benefits.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ It allows for cloud adoption by maintaining a hardware-based separation from the
## Components of a Contrast deployment

Contrast implements the [Confidential Containers](confidential-containers.md) concept.
Confidential Containers significantly decrease the size of the trusted computing base (TCB) of a Kubernetes deployment, by isolating each container within its own confidential micro-VM environment.
Confidential Containers significantly decrease the size of the trusted computing base (TCB) of a Kubernetes deployment, by isolating each pod within its own confidential micro-VM environment.
The TCB is the totality of elements in a computing environment that must be trusted not to be compromised.
A smaller TCB results in a smaller attack surface. The following diagram shows how Confidential Containers remove the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, the Kubernetes control plane, and other components, from the TCB (red).
In the confidential context, represented by green, only the workload containers along with their confidential micro-VM environment are included within the Trusted Computing Base (TCB).
Expand All @@ -26,8 +26,8 @@ A Contrast deployment has five core components:

* **The workload containers**: A container image that runs in an isolated [Confidential Container](confidential-containers.md) environment.
* **The runtime policies**: A policy that defines the runtime environment for the workload containers.
* **The manifest**: A manifest file defining the reference values of an entire confidential deployment. It contains the policy hashes for all pods of the deployment and the expected hardware reference values for the Confidential Container runtime environment.
* **The Coordinator**: An attestation service that runs itself in a Confidential Container in the Kubernetes cluster. The Coordinator is configured with the manifest. User-facing, you can verify this service and the effective manifest using remote attestation, providing you with a concise attestation for the entire deployment. Cluster-facing, it verifies all pods and their policies based on remote attestation procedures and the manifest.
* **The manifest**: A manifest file defining the reference values of an entire confidential deployment. It contains the policy hashes for all pods of the deployment and the expected hardware reference values for the Confidential Container runtime.
* **The Coordinator**: An attestation service that runs in a Confidential Container in the Kubernetes cluster. The Coordinator is configured with the manifest. User-facing, you can verify this service and the effective manifest using remote attestation, providing you with a concise attestation for the entire deployment. Cluster-facing, it verifies all pods and their policies based on remote attestation procedures and the manifest.
* **The protected data**: The data that's processed by the workload containers.

Contrast helps protect the workload and its runtime environment's integrity and confidentiality from inspection and tampering.
Expand Down Expand Up @@ -64,7 +64,7 @@ In each scenario, Contrast ensures exclusive data access and processing capabili
To help protect the workload from an untrusted workload operator and the infrastructure, Contrast implements the following security controls:

* An attestation process detects modifications to the workload image or its confidential container. This control helps protect the workload's integrity pre-attestation.
* A runtime policy and helps prevent the workload operator from accessing or compromising the instance at runtime. This control helps protect a workload's integrity and confidentiality post-attestation.
* A runtime policy and prevents the workload operator from accessing or compromising the instance at runtime. This control protects a workload's integrity and confidentiality post-attestation.

### Attestation process

Expand Down Expand Up @@ -129,7 +129,7 @@ This table describes potential threats and mitigation strategies related to the
| Threat | Mitigation | Mitigation implementation |
|----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|
| An attacker intercepts the network connection of the launcher or image repository. | An attacker can change the image URL and control the workload binary. However these actions are reflected in the attestation report. The image repository isn't controlled using an access list, therefore the image is assumed to be viewable by everyone. You must ensure that the workload container image doesn't contain any secrets. | Within the Contrast container image |
| An attacker modifies the workload image on disk after it was downloaded and measured. | This threat is mitigated by a read-only partition that's integrity-protected. The workload image is protected by dm-verity. | Within the Contrast container image |
| An attacker modifies the workload image on disk after it was downloaded and measured. | This threat is mitigated by a read-only partition that's integrity-protected. The workload image is protected by dm-verity. | Within the Contrast pod VM image |
| An attacker modifies a container's runtime environment configuration in the Kubernetes control plane. | The attestation process and the runtime policies detects unsafe configurations that load non-authentic images or perform any other modification to the expected runtime environment. | Within the runtime policies |

#### Attacks on the Coordinator attestation service
Expand All @@ -138,8 +138,8 @@ This table describes potential threats and mitigation strategies to the attestat

| Threat | Mitigation | Mitigation implementation |
|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
| An attacker intercepts the Coordinator deployment and modifies the image or hijacks the runtime environment. | This threat is mitigated by having an attestation procedure and attested, encrypted TLS connections to the Coordinator. The attestation evidence for the Coordinator image is distributed with our releases and protected by supply chain security. | Within the CLI and the Coordinator |
| An attacker intercepts the network connection between the workload and the Coordinator and reads secret keys from the wire. | This threat is mitigated by having an attested, encrypted TLS connection. This connection helps protect the token from passive eavesdropping. An attacker can't impersonate the Coordinator because they're missing the Coordinator's private key. The attacker can't create valid workload certificates that would be accepted in Contrast's service mesh. An attacker can't impersonate a valid workload container because the container's identity is guaranteed by the attestation protocol. | Within the network between your workload and the Coordinator. |
| An attacker intercepts the Coordinator deployment and modifies the image or hijacks the runtime environment. | This threat is mitigated by having an attestation procedure and attested, encrypted TLS connections to the Coordinator. The attestation evidence for the Coordinator image is distributed with our releases, protected by supply chain security and fully reproducible. | Within the CLI, and the Coordinator |
| An attacker intercepts the network connection between the workload and the Coordinator and reads secret keys from the wire. | This threat is mitigated by having an attested, encrypted TLS connection. This connection helps protect the token from passive eavesdropping. The attacker can't create valid workload certificates that would be accepted in Contrast's service mesh. An attacker can't impersonate a valid workload container because the container's identity is guaranteed by the attestation protocol. | Within the network between your workload and the Coordinator. |
| An attacker exploits parsing discrepancies, which leads to undetected changes in the attestation process. | This risk is mitigated by having a parsing engine written in memory-safe Go that's tested against the attestation specification of the hardware vendor. The runtime policies are available as an attestation artifact for further inspection and audits to verify their effectiveness. | Within the Coordinator |
| An attacker uses all service resources, which brings the Coordinator down in a denial of service (DoS) attack. | This reliability risk is mitigated by having a distributed, Coordinator service that can be easily replicated and scaled out as needed. | Within the Coordinator |
#### Attacks on workloads
Expand Down

0 comments on commit b0f11a6

Please sign in to comment.