bingo. one should always assume that userland access on a linux box is a short step away from full system privileges and active exploits are ready for use by an attacker.
docker has started adding hardening with SELinux+Seccomp because theres a realisation that the linux kernel bugs keep coming, but this is just a bandaid. the other problem with this approach is that in practice a hardened config is too restrictive for real-user use and has real maintenance cost so most will never use them (as argued by others in this thread for why the gvisor approach is superior). AppArmor is very poorly maintained, buggy, and not a practical solution
I'm not sure that it is overly simplistic, I think the statement that "containers do not contain" is an intentional oxymoron that points to some ground truths. These ground truths are that a process in a container is running in the same kernel, and although namespaces are meant to isolate some set of resources from other processes, and there are still very many shared resources that might not be isolated at all. This means a lot of attack surface, and exploiting the kernel will grant access to the other processes on the system.
In terms of quantity, 4 is not an accurate picture. I haven't sat down to analyze CVEs (https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...), but say out of 50 practically exploitable kernel memory corruption bugs/year 4-5 new bugs every year are reachable from some common namespace configuration for a container. And this just marks what is publicly disclosed, which is a subset of the vulnerabilities attackers know about.
Bounties arent the only outlet for these, see: VEP.
so a) and b) are common in practice. these were not obscure boundary conditions or a corner case. and it was very trivial to exploit.
"all software has vulns" is a slippery slope is my overarching point. you can't use that to say that the the security risks and isolation are comparable to gvisor. gvisor does away with a very significant amount of attack surface in the linux kernel and reimplements it in golang, which eliminates many bug classes.
for a realistic risk assessment you should consider the linux kernel as a bottomless barrel of memory management bugs, which are exploitable from within a container, whereas gvisor will have a much more finite set of bugs
On our team we've got extensive experience in finding compromises in this area, particularly in kernels, and that is why I am adamant that one should not think what docker provides meets the bar for best practices in a security critical environment. Something like gvisor would much more fit the bill.
The idea that it's trivial to break out of any Docker style container just doesn't reflect reality.
-- not just being contrarian here, actually, the reality is that it might be trivial. and it was demonstratively trivial for a long time (see CVE-2019-5736)
As for contained.af -- its not a good indicator, it mostly indicates that the reward doesnt meet the market price for demonstrating an escape from a set of hardened namespaces (which is going to cost more than an escape from "any docker container").
Given that this is a research project i'd hold off on making assumptions that the software has been adequately verified as well. Forgive the loose usage of Rumsfeld-like terminology here, verification implementation errors (Unknown Unknowns) and omissions (Unknown Unknowns) in the verification translate to exploitable software security holes. If the model is sound, it would address all Known Unknowns and to get a verified, working codebase the developers would have to address Known Knows. And there may be some security tech-debt as well which isn't mentioned publicly (Unknown Knowns).
TL;DR dividends dont get a tax deduction, interest from debt for buybacks do, so buybacks are more attractive
Given that interest rates were so low from 2009-2017, many companies actually issued debt not because they needed the money but in order to do stock buybacks. Some companies such as McDonalds have definitely overdipped as their revenues declined significantly, but other companies like Apple and Microsoft were smart to do it while maintaining growth.
Apple had $0 long term debt in 2013. At the end of June 2018 they held $97B!!!
The average debt interest for AAPL and MSFT is somewhere between 2-2.5% interest, and prior to the 2017 Jobs act the interest payments were 100% tax deductible. I think that's a key part of why companies did this, they viewed the debt as basically free money after inflation and the tax deduction. Unfortunately this is less tax revenue for the US government and its citizens, so in effect its us the taxpayers that are funding the debt for the buybacks. The NY Times opinion piece fails to mention this aspect. It would be amazing to hear from a CFO on the topic.
Since the 2017 Jobs act companies are now restricted to 30% of their pretax income being deductible to interest. For fiscally responsible companies like AAPL, MSFT, they're nowhere near to 30%, so the intent of this change is largely moot.
Now for a real financial hacker -- i'd like to ask about a wild idea, what happens 2 years out from now supposing that interest rates remain high. All companies looking to raise debt will have to raise at 4%+ interest, and CECL and the fed reserve rate increases will see banks requiring much larger deposits than toda. The bond holders for MCD, MSFT, AAPL, etc, could look to sell to increase their reserves and also get better returning assets. Will megacorps be able to buy back their own debt above fair market value, but above below their principle amount, in effect having earned money on the debt they issued?
Telecom companies are also another risk, and much larger one in that, because there is no opt out of location sharing with them. Same with analytics on your telco network traffic.
Keeping a log of visitors to your own computing resources is an ethical grey area since when? IP Addresses themselves are most useful for deanonymization/violating privacy when shared across organizations, or converted to accounts from ISPs. Why does GDPR target the storage of them and not the sharing or conversion of this type of data?
One other interesting thing to keep in mind is that GDPR does not exempt public, government organisations. It will be interesting to see what happens with that, if anything.
docker has started adding hardening with SELinux+Seccomp because theres a realisation that the linux kernel bugs keep coming, but this is just a bandaid. the other problem with this approach is that in practice a hardened config is too restrictive for real-user use and has real maintenance cost so most will never use them (as argued by others in this thread for why the gvisor approach is superior). AppArmor is very poorly maintained, buggy, and not a practical solution