Fun-reliable side-channels for cross-container communication
10 days ago
- #Container Security
- #Side-Channel Communication
- #Linux Kernel
- Discovery of a Linux kernel side-channel enabling cross-container communication without shared volume mounts or namespace modifications.
- Works in default Docker and Kubernetes configurations, even without network access.
- Utilizes the nsfs (namespace filesystem) and time namespaces, which are shared by default among containers and host processes.
- POSIX Advisory Locks on /proc/self/ns/time provide a mechanism for containers to detect and communicate with each other.
- Demonstrated with a cross-container IRC-style chatroom (h4x0rchat) using this side-channel.
- Has potential security implications, since it bypasses container isolation, though it is seen more as a feature than a vulnerability.
- Defensive measures discussed, including attempts to block access via AppArmor and manual unsharing of time namespaces.
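On the defensive side, a host administrator can check whether anything is holding advisory locks on a shared namespace inode. The script below is an added example, not code from the original post or from h4x0rchat: it parses /proc/locks and reports which PIDs hold or wait for advisory locks on a given inode, such as the one `os.stat("/proc/<pid>/ns/time").st_ino` returns. The sample /proc/locks lines, PIDs and inode numbers are constructed; the assumed line layout is the kernel's "ID: [-> ]KIND CLASS MODE PID MAJ:MIN:INO START END", with "->" marking a blocked waiter.

```python
"""Host-side audit of advisory locks on a namespace inode (added example).

Assumptions, not taken from the original post: /proc/locks uses the layout
"ID: [-> ]KIND CLASS MODE PID MAJ:MIN:INO START END", where "->" marks a
process blocked waiting for the lock, MAJ/MIN are hex and INO is decimal.
PIDs are shown in the reader's pid namespace, so run it on the host.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample of /proc/locks output; inode and PID values are made up.
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 4321 00:1a:4026531834 0 EOF
2: FLOCK  ADVISORY  WRITE 1200 08:01:262345 0 EOF
3: POSIX  ADVISORY  READ  4388 00:1a:4026531834 0 EOF
3: -> POSIX  ADVISORY  WRITE 4390 00:1a:4026531834 0 EOF
4: OFDLCK ADVISORY  READ  -1 00:1a:4026532448 0 EOF
"""

LINE_RE = re.compile(
    r"^(?P<id>\d+):\s+(?P<blocked>->\s+)?(?P<kind>\S+)\s+(?P<cls>\S+)\s+"
    r"(?P<mode>\S+)\s+(?P<pid>-?\d+)\s+"
    r"(?P<major>[0-9a-fA-F]+):(?P<minor>[0-9a-fA-F]+):(?P<inode>\d+)\s+"
    r"(?P<start>\d+)\s+(?P<end>EOF|\d+)\s*$"
)


@dataclass(frozen=True)
class LockEntry:
    lock_id: int
    blocked: bool  # True for "->" lines: a waiter, not a holder
    kind: str      # POSIX, FLOCK or OFDLCK
    cls: str       # ADVISORY or MANDATORY
    mode: str      # READ or WRITE
    pid: int       # -1 for OFD locks, which are not bound to a process
    major: int
    minor: int
    inode: int
    start: int
    end: str       # "EOF" or a byte offset


def parse_proc_locks(text):
    """Parse /proc/locks text into LockEntry records; unknown lines raise."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised /proc/locks line: {line!r}")
        entries.append(LockEntry(
            lock_id=int(m["id"]),
            blocked=m["blocked"] is not None,
            kind=m["kind"],
            cls=m["cls"],
            mode=m["mode"],
            pid=int(m["pid"]),
            major=int(m["major"], 16),
            minor=int(m["minor"], 16),
            inode=int(m["inode"]),
            start=int(m["start"]),
            end=m["end"],
        ))
    return entries


def ns_identity(pid, ns="time"):
    """(major, minor, inode) of /proc/<pid>/ns/<ns>; equal tuples mean a shared namespace."""
    st = os.stat(f"/proc/{pid}/ns/{ns}")
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino


def audit_ns_locks(text, inode, dev=None):
    """Report PIDs holding or waiting for advisory locks on the given inode.

    dev is an optional (major, minor) pair; inode numbers are only unique per
    filesystem, so pass the nsfs device when auditing a real host. Returns
    {"holders": set, "waiters": set, "entries": list}.
    """
    matching = [
        e for e in parse_proc_locks(text)
        if e.inode == inode and e.cls == "ADVISORY"
        and (dev is None or (e.major, e.minor) == tuple(dev))
    ]
    holders = {e.pid for e in matching if not e.blocked and e.pid >= 0}
    waiters = {e.pid for e in matching if e.blocked and e.pid >= 0}
    return {"holders": holders, "waiters": waiters, "entries": matching}


if __name__ == "__main__":
    # Live run: compare against PID 1's time namespace on the host.
    try:
        major, minor, ino = ns_identity(1)
        with open("/proc/locks") as fh:
            report = audit_ns_locks(fh.read(), ino, (major, minor))
    except OSError:
        # No time namespace support or no /proc access: use the constructed sample.
        report = audit_ns_locks(SAMPLE_PROC_LOCKS, 4026531834, (0, 0x1a))
    print("holders:", sorted(report["holders"]), "waiters:", sorted(report["waiters"]))
```

Any PID that holds or waits for a lock on the shared time-namespace inode while the host expects no such locks is worth correlating with its container (via /proc/PID/cgroup) rather than treated as proof of misuse on its own, since the same inode is visible to every process in that namespace.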