CopyFail: From Pod to Host

33 points by tptacek 20 hours ago

FYI: I had tried this exploit with rootless podman containers to write to read-only mounts, but the exploit failed. I am not sure if the default container runtime in Podman is resistant against these attacks or if it assumes Docker running containers with higher privileges, but at least it was a pleasant observation. (kernel 6.18)

AlfieJones - 2 hours ago

It feels like AI is speeding up bug discovery faster than security can keep up. Curious if this is temporary or just the new normal.

bbmp - 2 hours ago

It only getting worse now that AI is also writing bug faster than humans

louwrentius - 2 hours ago

Maybe I’m missing something but because of this kind of risk, an old fashioned virtual machine feels like a more robust security boundary.

itintheory - 9 minutes ago

<always has been meme>
While containers have some useful properties, it was never intended to be, and never really functioned as a strict security boundary. We've duct-taped around that, and it's reasonably good now, but that only goes so far.
hun3 - 33 minutes ago

No, "virtual machine" alone doesn't make things safer.
Shrink your attack surface.
Use a completely locked down seccomp. Use nsjail or gVisor for containers. Use microvm or libkrun for full OS.
Lesser attack surface is what matters. Virtualization is only half of the story.