Article 1FTB9 Hertz: Abusing privileged and unprivileged Linux containers


by corbet, from LWN.net (#1FTB9)
This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers' containers running on the same physical host. By default, both LXC and Docker set up container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the -icc=false flag for Docker, or using iptables rules for LXC), containers aren't restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container's traffic."
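As an added illustration of the defender's side of the shared-bridge problem the quote describes (this is not code from the paper or from LWN), here is a small ARP monitor that parses Ethernet/ARP frames as they would be captured on the bridge and flags an IP whose claimed MAC changes, or an ARP sender MAC that disagrees with the Ethernet source. The addresses, MACs and frames are constructed sample data.

```python
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build an Ethernet/ARP frame; used here only to construct sample input."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": mac_str(frame[6:12]), "sha": mac_str(sha),
            "spa": ip_str(spa), "tpa": ip_str(tpa)}

def detect_arp_anomalies(frames):
    """Replay frames seen on the bridge and return alerts: an IP whose sender MAC
    changes, or an ARP sender MAC that differs from the Ethernet source address."""
    table, alerts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        if p["sha"] != p["eth_src"]:
            alerts.append(("sha/eth-src mismatch", p["spa"], p["eth_src"], p["sha"]))
        known = table.setdefault(p["spa"], p["sha"])   # first sighting is trusted
        if known != p["sha"]:
            alerts.append(("ip remapped", p["spa"], known, p["sha"]))
    return alerts

# Constructed sample traffic on a Docker-style 172.17.0.0/16 bridge (all addresses made up).
GATEWAY, GW_MAC = "172.17.0.1", "02:42:aa:bb:cc:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "02:42:ac:11:00:02", "172.17.0.2", "00:00:00:00:00:00", GATEWAY),
    build_arp(ARP_REPLY, GW_MAC, GATEWAY, "02:42:ac:11:00:02", "172.17.0.2"),
    # A third container answers for the gateway's IP with its own MAC: the poisoning the quote describes.
    build_arp(ARP_REPLY, "02:42:ac:11:00:03", GATEWAY, "02:42:ac:11:00:02", "172.17.0.2"),
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_FRAMES):
        print(alert)
```

On a real host the frames would come from a capture on the bridge interface (for example docker0), and the first-sighting trust could be replaced by the static addresses the container runtime assigned.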
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/