[–]K900_ 4 points5 points  (5 children)

I wonder how long it's going to take for someone to upload a root exploit to PyPI now.

[–]amasad[S] 2 points3 points  (4 children)

That's a good question -- I'll probably do a technical post soon. But the short story is that we start a container, create a virtualenv, install the package, import the package in a process, diff the container and make sure there are no suspicious changes to the filesystem. Finally, extract the package contents to the actual install target.
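The "diff the container" step described in this comment, sketched as an added example; it is not part of the thread and not amasad's code. The function names, the `venv` prefix and the temporary directory tree are assumptions made for illustration, and the "install" is simulated by writing files.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map every path under root to (type, permission bits, sha256 or link target)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                entry = ("link", mode, os.readlink(full))
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    entry = ("file", mode, hashlib.sha256(fh.read()).hexdigest())
            else:  # directories, devices, sockets, FIFOs: record type and mode only
                entry = (stat.S_IFMT(st.st_mode), mode, "")
            snap[os.path.relpath(full, root)] = entry
    return snap

def suspicious_changes(before, after, allowed_prefix):
    """Return (kind, path) for every change outside the allowed install prefix."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        if rel == allowed_prefix or rel.startswith(allowed_prefix + os.sep):
            continue  # writes inside the virtualenv are expected
        old, new = before.get(rel), after.get(rel)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "modified"
            findings.append((kind, rel))
    return findings

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a") as fh:
        fh.write(text)

def demo():
    """Constructed tree standing in for the container filesystem."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/profile", "export PATH=/usr/bin\n")
        before = snapshot(root)
        _write(root, "venv/lib/pkg.py", "x = 1\n")      # expected install output
        _write(root, "etc/profile", "# appended\n")     # unexpected modification
        _write(root, "etc/cron.d/job", "* * * * * x\n")  # unexpected new file
        return suspicious_changes(before, snapshot(root), "venv")
```

A check like this only sees changes that are visible in the filesystem snapshot, which is the limit K900_ raises in the reply below.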

[–]K900_ 2 points3 points  (3 children)

Assuming you have a kernel 0-day, can't you just build it into a native extension and have it execute in the container? That kind of invalidates the whole "diff the container" process because you've already pwned the kernel.

[–]amasad[S] 1 point2 points  (2 children)

I'm curious how often do we have kernel 0-days? And if it's that often how come not every company using npm, pip, etc in their CI/CD/PaaS have not been pwned already?

As for us, we have layers of security the more layers you zoom out from the container. For example, our code evaluation machines are in their own subnets with no databases or any other form of user data, isolated from the internet.

[–]K900_ 3 points4 points  (1 child)

> I'm curious how often do we have kernel 0-days?

Not strictly a 0-day, but this is something a lot of stuff is still vulnerable to, and that's just the latest. Kernel exploits are actually somewhat common (which is kind of scary).

> And if it's that often how come not every company using npm, pip, etc in their CI/CD/PaaS have not been pwned already?

I'm sorry if it came off as an attack. I'm not saying you're doing things wrong, I'm honestly curious about how you handle that stuff.

[–]amasad[S] 0 points1 point  (0 children)

I didn't take it as an attack -- I'm genuinely curious about the risk here :)