16 changes: 9 additions & 7 deletions README.md
Expand Up @@ -27,7 +27,7 @@ Note:
- [国内首个云上容器ATT&CK攻防矩阵发布,阿里云助力企业容器化安全落地 (2020-06-18)](https://developer.aliyun.com/article/765449)
- [MITRE ATT&CK Containers Matrix (2021-04-29)](https://attack.mitre.org/matrices/enterprise/containers/)
- [最佳实践:发布国内首个K8S ATT&CK攻防矩阵 (青藤, 2021-08-25)](https://mp.weixin.qq.com/s/-FTJRl1ZK2Etgq7KO17r7w)
- [2021西部云安全峰会召开:云安全优才计划发布,腾讯云安全攻防矩阵亮相 (2021-09-26)](https://mp.weixin.qq.com/s/IBTE_s-8ZO8Ac3m040-eTA)
- [2021西部云安全峰会召开:"云安全优才计划"发布,腾讯云安全攻防矩阵亮相 (2021-09-26)](https://mp.weixin.qq.com/s/IBTE_s-8ZO8Ac3m040-eTA)
- [云原生安全:基于容器ATT&CK矩阵模拟攻防对抗的思考 (2021-11-01)](https://www.freebuf.com/articles/security-management/303010.html)
- [Containers' Security: Issues, Challenges, and Road Ahead (IEEE Access 2019)](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8693491)
- [企业应用容器化的攻与防 (JINQI-CON 2019)](https://github.com/neargle/slidefiles/blob/main/2019%20jingqicon%20-%20Red%20vs%20Blue%20for%20containerized%20application.pdf)
Expand Down Expand Up @@ -76,7 +76,7 @@ Note:
- [etcd未授权访问的风险及修复方案详解 (2021-04-09)](https://www.anquanke.com/post/id/236831)
- [New Attacks on Kubernetes via Misconfigured Argo Workflows (2021-07-20)](https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/)
- [Creating Malicious Admission Controllers (2021-08-09)](https://blog.rewanthtammana.com/creating-malicious-admission-controllers)
- [Dont let Prometheus Steal your Fire (2021-10-12))](https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/)
- [Don't let Prometheus Steal your Fire (2021-10-12))](https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/)
- [Attack Cloud Native Kubernetes (HITB 2021)](https://github.com/neargle/slidefiles/blob/main/2021%20HITB%20-%20Attack%20Cloud%20Native%20Kubernetes.pdf)
- [Metasploit in Kubernetes (2021-11-04)](https://github.com/rapid7/metasploit-framework/tree/master/kubernetes)
- [【技术推荐】云原生之Kubernetes安全 (2021-12-18)](https://mp.weixin.qq.com/s?__biz=MzI4NjE2NjgxMQ==&mid=2650258483&idx=1&sn=d05b33fa3112b1c0351dee2fca986ae8&chksm=f3e20647c4958f51a10688de8413ae142793a0f9b7ebdc07c537b5c72cf71c026e1e865de268#rd)
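Review bot: The corrected Prometheus entry still ends its link text with a doubled closing parenthesis, `(2021-10-12))`, so the rendered title shows a stray `)`. Since this line is already being touched for the apostrophe, drop the extra parenthesis in the same change.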
Expand All @@ -98,7 +98,7 @@ Note:
- [CVE-2018-1002103:远程代码执行与虚拟机逃逸](https://github.com/brant-ruan/cloud-native-security-book/blob/main/appendix/CVE-2018-1002103:远程代码执行与虚拟机逃逸.pdf)
- [Kubernetes hostPort allow services traffic interception when using kubeproxy IPVS (CVE-2019-9946, 2019-03-28)](http://blog.champtar.fr/CVE-2019-9946/)
- [Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care, (2019-08-28)](https://unit42.paloaltonetworks.com/non-root-containers-kubernetes-cve-2019-11245-care/)
- [When its not only about a Kubernetes CVE... (CVE-2020-8555, 2020-06-03)](https://medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8)
- [When it's not only about a Kubernetes CVE... (CVE-2020-8555, 2020-06-03)](https://medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8)
- [Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558, 2020-07-27)](https://unit42.paloaltonetworks.com/cve-2020-8558/)
- [Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554, 2020-12-08)](https://blog.champtar.fr/K8S_MITM_LoadBalancer_ExternalIPs/)
- [Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554, 2020-12-21)](https://unit42.paloaltonetworks.com/cve-2020-8554/)
Expand Down Expand Up @@ -177,8 +177,8 @@ Note:

#### 1.3.3 Container DoS

- [Houdinis Escape: Breaking the Resource Rein of Linux Control Groups (CCS 2019)](http://www.cs.memphis.edu/~xgao1/paper/ccs19.pdf)
- [Houdinis Escape: Breaking the Resource Rein of Linux Control Groups (Video)](https://www.youtube.com/watch?v=PPo9sQnJaec)
- [Houdini's Escape: Breaking the Resource Rein of Linux Control Groups (CCS 2019)](http://www.cs.memphis.edu/~xgao1/paper/ccs19.pdf)
- [Houdini's Escape: Breaking the Resource Rein of Linux Control Groups (Video)](https://www.youtube.com/watch?v=PPo9sQnJaec)
- [Docker组件间标准输入输出复制的DoS攻击分析 (网络信息安全学报 2020)](http://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2020074)
- [Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization (CCS 2021)](https://wenboshen.org/assets/papers/LogicalDoS.pdf)

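Review bot: Both rewritten Houdini's Escape lines keep the link targets as they were, and the paper entry still points at `http://www.cs.memphis.edu/~xgao1/paper/ccs19.pdf`, a PDF fetched over plain HTTP. If the host serves the same path over HTTPS, switch the scheme while the line is being edited; the infocomm-journal.com entry just below has the same issue.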
Expand All @@ -196,7 +196,7 @@ Note:

### 1.6 Service Mesh

- [A Survey of Istios Network Security Features (2020-03-04)](https://research.nccgroup.com/2020/03/04/a-survey-of-istios-network-security-features/)
- [A Survey of Istio's Network Security Features (2020-03-04)](https://research.nccgroup.com/2020/03/04/a-survey-of-istios-network-security-features/)
- [Istio访问授权再曝高危漏洞 (CVE-2020-8595, 2020-03-13)](https://mp.weixin.qq.com/s/IHJAsO2SktNXqQGNLuTYUQ)
- [Attack in a Service Mesh (CIS 2020)](https://github.com/neargle/slidefiles/blob/main/2020%20CIS%20-%20Attack%20in%20a%20Service%20Mesh%20-%20Public.pptx.pdf)
- [Istio Security Assessment (2021-07-13 (disclosed), 2020-08-06 (accomplished) by Istio with NCC Group)](https://istio.io/latest/blog/2021/ncc-security-assessment/NCC_Group_Google_GOIST2005_Report_2020-08-06_v1.1.pdf)
Expand Down Expand Up @@ -282,6 +282,8 @@ Note:
- [kubescape - kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA](https://github.com/armosec/kubescape)
- [veinmind-tools](https://github.com/chaitin/veinmind-tools)
- [cnspec - cloud-native security and policy project](https://cnspec.io)
- [brood-box - Hardware-isolated microVM sandbox for running coding agents securely](https://github.com/stacklok/brood-box)
- [go-microvm - Go framework for launching hardware-isolated microVMs](https://github.com/stacklok/go-microvm)

## 3 Incidents

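Review bot: The two stacklok entries added after cnspec are new content in a patch whose other hunks only fix apostrophes and quotation marks, so they should go in their own pull request with their own justification. They also sit in a list whose neighbouring entries (kubescape, cnspec) are deployment and policy checkers, while both additions are described as microVM sandboxing for coding agents; say why they belong in this section or move them to a better-fitting one.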
Expand Down Expand Up @@ -309,4 +311,4 @@ Note:
- [NSA, Partners Release Cybersecurity Advisory on Brute Force Global Cyber Campaign (2021-07-01)](https://www.nsa.gov/news-features/press-room/Article/2677750/nsa-partners-release-cybersecurity-advisory-on-brute-force-global-cyber-campaign/)
- [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (2021-07)](https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF)
- [DockerHub再现百万下载量黑产镜像,小心你的容器被挖矿 (2021-08-30)](https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247490656&idx=1&sn=8d86694b96f7c78aaba149bc123b620f)
- [Misconfigured Kafdrop Puts Companies Apache Kafka Completely Exposed (2021-12-06)](https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/)
- [Misconfigured Kafdrop Puts Companies' Apache Kafka Completely Exposed (2021-12-06)](https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/)