Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN (eweek.com)
darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.
Linux is behind yet again (Score:3, Funny)
As usual, Windows is more secure than Linux and doesn't need these upgrades. Everything is half-assed and amateurish with Linux
Re: (Score:1)
Totally agree.
I remember a company trying to foist a complex and complicated virtualized "system" in 2011 on the company that I used to work for a few years ago.
I had more fun poking holes in all of the security flaws in that "system".
And the vendor's response to all of the security flaws? Yeah, we'll fix them... if you pay us a whole lot more money.
BTW... the company, and a well-known one at that, that tried to sell that pile of $#!@ is still in business and still making loads of money.
Oh get double-stuffed! (Score:1)
Slashdot: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley,
eweek: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like WhatsApp," McCauley said.
Bite me, slashdot. Don't just take mainstream-marketing-bullshit and replace WhatsApp with Signal, 'cause it's more nerdy. It's still weapons-grade bullshit, next you're gonna tell us it's mil
Re: (Score:2)
Re:Oh get double-stuffed! (Score:5, Informative)
Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signal's servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.
Bullshit. Message transport has nothing to do with security, doesn't matter if you send a PGP message over SMTP (decentralized) or Facebook (centralized) as long as the cryptography is sound. And the clients are open source, the cryptography is vetted and all that. And if you don't want their servers recording any metadata the server code is open source too, with minor modifications you have your own Signal protocol network. Federation is mainly just a messy hybrid of client to server and server to server communication, either go full P2P and deal with all those routing/discovery/web-of-trust/revocation/denial-of-service/spam complications or just run one central server.
The main reason to use it over PGP is that Signal gives you backwards secrecy, the algorithm is constantly upgrading the keys meaning even if you record messages and compromise a device later you can't decrypt anything other than the most recent ones. If you manage to get a private PGP key, you can decrypt every message sent to that key from the dawn of time. It doesn't do 90% of what PGP tries to do, but it does the last 10% much, much better. And most of all, simpler. Most people don't check Signal's MITM protection and don't care when they're notified of key changes, but the same people are not likely to use PGP at all. But since a few will check doing bulk surveillance would be discovered, while everyone intentionally or unintentionally in the middle can wiretap plaintext email all day long.
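The property the comment above is describing (the reply below names it forward secrecy) comes from a one-way key ratchet: each message key is derived from a chain key, the chain key is then replaced by a hash of itself, and the old value is discarded. The following is an added teaching example, not Signal's code: it implements only the symmetric chain half of that idea with HMAC-SHA256 from the Python standard library and a throwaway XOR stream cipher, and contrasts it with a PGP-style static long-term key. The shared root key is assumed to come from an authenticated key agreement (Signal's X3DH) and is just a random value here; the five messages are constructed. Signal's real Double Ratchet additionally mixes in fresh Diffie-Hellman secrets so that a captured state also stops working for future messages, which this example deliberately does not show.

```python
"""Forward secrecy via a one-way key ratchet (constructed teaching example, not Signal's code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample conversation; index prefix is just for readability.
MESSAGES = [b"0: hello", b"1: meet at noon", b"2: bring the docs", b"3: running late", b"4: done"]


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: HMAC-SHA256(key, label). Going backwards means breaking HMAC."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(msg_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from a single-use message key (XOR stream; keys are never reused)."""
    out, block = b"", 0
    while len(out) < length:
        out += kdf(msg_key, b"stream" + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChainRatchet:
    """Symmetric-key ratchet: every step emits a fresh message key and overwrites the chain key.
    Old chain keys are discarded, so state captured at step n cannot regenerate keys for steps < n."""

    def __init__(self, chain_key: bytes, index: int = 0):
        self.chain_key = chain_key
        self.index = index

    def step(self) -> Tuple[int, bytes]:
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # previous chain key no longer exists anywhere
        self.index += 1
        return self.index - 1, msg_key


def ratchet_encrypt(sender: ChainRatchet, plaintext: bytes) -> Tuple[int, bytes]:
    idx, mk = sender.step()
    return idx, xor_bytes(plaintext, keystream(mk, len(plaintext)))


def decrypt_from_state(chain_key: bytes, index: int,
                       transcript: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """What an attacker holding a seized ratchet state (chain_key, index) and the full
    recorded transcript can recover: only messages at or after the seized index."""
    attacker = ChainRatchet(chain_key, index)
    recovered: Dict[int, bytes] = {}
    for idx, ct in sorted(transcript):
        if idx < index:
            continue  # the chain key for this message was erased before the seizure
        while attacker.index < idx:  # skip ahead for any gaps in the transcript
            attacker.step()
        _, mk = attacker.step()
        recovered[idx] = xor_bytes(ct, keystream(mk, len(ct)))
    return recovered


def static_encrypt(long_term_key: bytes, idx: int, plaintext: bytes) -> Tuple[int, bytes]:
    """PGP-style model: every message key is a fixed function of one long-term key."""
    mk = kdf(long_term_key, b"message" + idx.to_bytes(4, "big"))
    return idx, xor_bytes(plaintext, keystream(mk, len(plaintext)))


def static_decrypt_all(long_term_key: bytes, transcript: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """With the long-term key, the whole recorded history falls at once."""
    return {idx: xor_bytes(ct, keystream(kdf(long_term_key, b"message" + idx.to_bytes(4, "big")), len(ct)))
            for idx, ct in transcript}


def demo(compromise_after: int = 3) -> Tuple[Dict[int, bytes], Dict[int, bytes]]:
    """Returns (what leaks under the ratchet, what leaks under a static key) for the same transcript."""
    root = os.urandom(32)  # assumption: output of an authenticated key agreement, random here
    sender, receiver = ChainRatchet(root), ChainRatchet(root)
    transcript = [ratchet_encrypt(sender, m) for m in MESSAGES]
    for _ in range(compromise_after):  # receiver reads the first n messages, erasing their keys
        receiver.step()
    ratchet_leak = decrypt_from_state(receiver.chain_key, receiver.index, transcript)

    static_key = os.urandom(32)
    static_transcript = [static_encrypt(static_key, i, m) for i, m in enumerate(MESSAGES)]
    static_leak = static_decrypt_all(static_key, static_transcript)
    return ratchet_leak, static_leak
```

Seizing the receiver's device after it has read three messages yields only messages 3 and 4 under the ratchet, while the static-key model yields all five. Seizing it before any message is read (compromise_after=0) yields everything in both models, which is exactly why Signal layers a Diffie-Hellman ratchet on top: symmetric ratcheting alone protects the past, not the future.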
Re: (Score:1)
It's called forward secrecy, dumbass.
Re: (Score:2)
Because of a combination of two reasons:
1) The protocol used by signal and their implementation are both open and well studied.
2) The Signal protocol (like many modern secure p2p-communication protocols such as Allo, Whatsapp, Wickr, etc.) uses end-to-end encryption and authentication. So the central server (along with the rest of the network infrastructure between end points) can do little more than deny service to users.
Caveat: AFAIK beyond service denial, at worst the servers could do some traffic analysi
Trusting docker? (Score:1)
They're well-known for their cookie-cutter, "docker", which probably fits their business model to a tee but fails to provide all sorts of things you might want from a fully-fledged containering thing. Oh and then there's the compatibility-with-itself issues, administrative access to hosts from within containers called "not a bug, but a feature" apparently with complete disregard or misunderstanding of security principles, and so on. And so now they're taking their secret sauce to VPNs and other security too
Reinventing the wheel? (Score:1)
I've used OpenVPN without any problems (well, other than the fact the configuration is a bit of a pain) since 2002.
Re: (Score:2)
maybe you know, maybe you don't, maybe other people will find this interesting - openvpn 2.4 can now be configured to be (so far) completely indistinguishable from regular https traffic when used with --tls-crypt option and run on the appropriate port.
Why Systemd? (Score:2)
Is "opaque" a way for Red Hat to make more money giving support?
Linus Torvalds is sometimes unstable. He doesn't know how to deal with his conflicts. Two examples:
The Creator Of Linux Has An Attitude And A Foul Mouth, And People Are Angry At Him (Again) [businessinsider.com]
Linus Torvalds in NSFW Red Hat rant [theregister.co.uk].
Re: (Score:2)
Yes, but Linus could be helpful. (Score:2)
Re: (Score:2)
Re: (Score:2)
That is all user land; Linus isn't involved in that. He's also not ranting against Google for whatever they do wrong with Android.
Linux VPN support sucks (Score:4, Insightful)
Something needs to happen.
Last night I tried to get pptp to work with our corporate VPN and it failed miserably. I ran Wireshark to figure out what the problem is and the Linux PPP stack just can't handle the options that it was being sent (bug opened on pppd). Next I tried to connect to my home firewall VPN which used to work and again this failed miserably because the Linux PPP stack refused to turn off the async char map negotiation (which isn't used for PPTP).
I've also struggled to get ipsec in any form to work (no success) nor have I been able to get openvpn to work, requiring all the generation of certs and whatnot. PPTP, despite being quite insecure, at least used to work before the modern PPP brokenness.
The problem with VPNs is that the solutions are overly complicated with a bazillion different options.
IPSec + L2TP!?!?! This is insane. PPTP is just plain broken as well.
I want something as simple as how PPTP used to work but without all the broken security (i.e. MD5 password hashes) and get rid of PPP.
OpenVPN isn't bad (Score:4, Informative)
It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.
However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.
It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talks IPSec.
Re: (Score:2)
Linux VPN support is actually very good. You just should not be using PPTP. OpenVPN or some of the other user space type VPNs are great for connecting remote users.
I agree that L2TP is insane for individual user VPNs, but for site-to-site VPNs, IPSec is the only option you should trust. The problem with a lot of user space VPN solutions, like OpenVPN, is once you have authenticated, it just kind of acts like a router for packets. You have to use a secondary controls like a firewall to control access. T
Re: (Score:2)
IKEv2 IPsec via StrongSwan or LibreSwan really isn't that difficult on Linux. Problem is a lot of these corp vpn products that don't have a Common Criteria or FIPS mode don't support it, and many of these other technologies have to do lame hacks to get things like NAT traversal to work.
Re: (Score:2)
Years ago I worked on an ipsec product and was successful getting it to work. The problem is that since then the complexity has increased significantly. Making matters worse is that different commercial products do it differently. Linux to linux is one thing, because one can easily verify that all of the appropriate settings are the same. Linux to a commercial box, on the other hand, is a big problem.
For example, my home router, a Mikrotik box, has a bazillion options for ipsec but trying to figure out the
Re: (Score:2)
Actually, what's worse is SSL-VPNs, because there are no standards for them. They are insanely simple and very popular because they can be used from behind practically any firewall that allows SSL through. (This is vitally essential since many corporate firewalls block everything except 80, 443 and 21, and if you consult and need to VPN to home base, you need a VPN that can go through the firewall)
The problem is all the SSL-VPN vendors are basically incompatible with each other - between Dell/SonicWall, Ope
Re: (Score:2)
We have Sonicwall at work. Unfortunately it requires running Java in the browser to connect to it through Linux.
After you figure it out... run it in a container (Score:2)
Once you figure out how to connect... run it in a docker container.
I set up an ubuntu container with openconnect and freerdp, and a couple of simple scripts. I can connect to my corporate VPN and RDP into my Win10 laptop from my Linux box in about 10 seconds. I could do it faster but I have it prompt me for the password. We use Azure for multi-factor authentication.
If you do it this way then your container connects to the vpn keeping all of your other traffic off the corporate network.
Correction regarding WireGuard's author (Score:1)
Docker is not responsible for WireGuard at all. A Gentoo developer (Jason A Donenfeld, AKA 'zx2c4') is responsible for WireGuard. As far as I know, he does not work for Docker.
The wording in the summary is poor and doesn't reflect that. TFA (correctly) mentions WireGuard as an external project.