Working Group: CyberSecurity Risk#

Chair: Donald Scobbie (EPCC)

Notes#

  • Presentation (Donald): How to assess import of researcher analysis code to a TRE

  • Investigation of container vulnerability scanning

    • 16 examples for researchers

    • 25 with 1bn+ downloads, recently built, “official” or “sponsored”

    • Scan with Trivy and assess vulnerabilities

  • Results (1bn+ club)

    • Top ~20 resuls all based on Debian

    • Many more unpatched vulnerabilities than would ever be allowed as part of infrastructure or research VM. Not unexpected!

    • Alpine comes out quite well…

  • Container “best practices” may need to be reviewed for TRE use-cases

  • Results (Research examples)

    • Large number of outstanding defects e.g. pytorch has ~1k defects

    • More Ubuntu base images, no Alpine

    • Security clearly not a concern

  • Immediate thoughts

    • Major distros appear to be poorly rated

    • Best practices undermined

      • Build on existing “good” images

      • Difficult to retrofit “security” on existing containers

    • Imperative to share global code base

    • Why does Alpine score so well?

  • CVE review

    • Debian apparently has poor CVE history, but is quite heavily scrutinised vs others

    • Alpine has basically 0 CVEs reported. Appears that no one is looking at it closely! May not be as easy as “switch to Alpine”

  • Coverage blind spots in scanning tools

  • What’s the point?

    • Remote exploits rare compared to breaches due to human error

    • TREs need to conform to compliance / audit requests

    • Being compliant may not adequately address the actual risks

  • Still to investigate

    • Is over-reporting an issue?

    • Does patching make a difference

    • Other scanners beyond Trivy?

    • Hardening reports using Lynis

  • Working Group Next steps

    • Publish initial findings paper

    • Begin monthly WG meetings

    • Community survey

  • Group Discussion

    • UCL TRE group very interested! Contradiction of vulnerable containers vs researchers having choice of software. Can risks such as data egress be mitigated by the environment? Even when users have super-user privileges

    • How to “sell” this to IG groups? (all software is buggy)

    • Can rootless containers be a potential solution?

    • Win7 example. Core infrastructure had to be wrapped. NCSC advice was this is not sustainable. TRE containers are ephemeral though, so is this the same?

    • Will these mitigations cause deployment and infrastructure issues when analyses are scaled-out?

    • What are implications of vulnerabilities in e.g. Quarto? Don’t know! EPCC will baseline container and monitor additional software to show vulnerabilities are no worse

    • Some benefits are unclear beyond ensuring compliance, and come with great effort