In this week's episode of the Cloud Commute podcast by simplyblock, host Chris Engelbert talks to Hannes Ullman from Bifrost Security, a company building an automatic application firewall. Bifrost is built upon AppArmor, using a training phase to learn the application's network behavior, necessary system calls, and more. Using the data acquired during training, the application firewall will keep your application safe in production.
In this episode of Cloud Commute, Chris and Hannes discuss:
- Bifrost Security: Automating runtime security for containerized environments
- The role of AppArmor and Linux security modules in container security
- Challenges of manual security profiles and automating security with Bifrost
Interested to learn more about the cloud infrastructure stack like storage, security, and Kubernetes? Head to our website (www.simplyblock.io/cloud-commute-podcast) for more episodes, and follow us on LinkedIn (www.linkedin.com/company/simplyblock-io). You can also check out the detailed show notes on YouTube (www.youtube.com/watch?v=gPD1VYFWVGA).
You can find Hannes Ullman on X @kroxelikrax and LinkedIn: /hannesullman.
00:00:00
It started out as a research project into
00:00:02
containerized environments.
00:00:03
For many people, these kinds of like low level
00:00:07
security mechanisms have been hidden or underutilized.
00:00:11
It's a different kind of beast than your average
00:00:14
Node.js application.
00:00:16
No offense to Node.js developers.
00:00:17
You basically have like the auditing phase.
00:00:20
Then you have like the testing phase.
00:00:22
You see that if you keep it running for a little bit longer,
00:00:25
does something happen, which we didn't record, at some point
00:00:28
you put it into production and you hope that you just
00:00:31
caught all the edge cases.
00:00:33
If they have been used at all, they have been used probably
00:00:35
most as deny rules, setting a few boundaries for where your
00:00:40
containerized workload can't go.
00:00:41
You really want to secure the services further down
00:00:44
the stack because if somebody can inject some malicious
00:00:48
call, your service behaves weird and probably returns
00:00:50
something you would not expect and as you said, reach some
00:00:53
security passwords or whatever.
00:00:57
You're listening to Simplyblock's Cloud
00:00:59
Commute Podcast, your weekly 20 minute podcast
00:01:01
about cloud technologies, Kubernetes, security,
00:01:04
sustainability, and more.
00:01:07
Hello, everyone.
00:01:08
Welcome back to this week's episode of Simplyblock's Cloud
00:01:11
Commute Podcast with me and yet another guest, Hannes, welcome.
00:01:17
Very, very glad to have you.
00:01:19
And maybe just introduce yourself real quick.
00:01:23
Who are you, where you're from, and what do you do?
00:01:29
Well, thank you.
00:01:29
Hi, Chris.
00:01:30
Nice to be here.
00:01:32
My name is Hannes Ullman.
00:01:33
I'm born and raised in Sweden.
00:01:37
Right now, currently living in Stockholm.
00:01:40
And, yeah, I'm a techie from way back.
00:01:45
Used to be the guy all the friend's family called when
00:01:50
they had computer issues when we were in middle school.
00:01:53
And I probably fixed as many computers that I
00:01:57
have broken them as well.
00:01:59
But, it was, yeah, I learned, learned early days.
00:02:03
But yeah, I'm one of the co founders of
00:02:06
Bifrost at this stage.
00:02:07
And I have a background working in tech for the last
00:02:09
15 years in different areas.
00:02:15
Cool.
00:02:18
Yeah.
00:02:19
So, you're joining us from Bifrost security, right?
00:02:25
So tell us a little bit about Bifrost maybe.
00:02:28
Yeah.
00:02:28
Bifrost is a runtime security company.
00:02:33
And we focus on helping organizations and companies
00:02:38
in securing their applications at the runtime part.
00:02:42
So we want to help them analyze and understand the behavior of
00:02:47
their software to understand the better behavior from and
00:02:51
differentiate that from the bad behavior that can cause
00:02:55
exploits and vulnerabilities to be exploited into their
00:02:58
code bases and gain access into things that they, that
00:03:01
others shouldn't get access to.
00:03:04
And yeah, we want to help companies limit the attack
00:03:07
surface and contain their security, contain their
00:03:11
applications at runtime.
00:03:13
Right, right.
00:03:14
And as far as I know, I mean, we've talked a
00:03:17
little bit beforehand, as far as I remember, it all
00:03:21
started as a university project at Lund University.
00:03:24
I don't remember the name.
00:03:25
Sorry.
00:03:26
No, it's pretty close.
00:03:28
It's Lund University in Southern Sweden, which is
00:03:31
actually my alma mater.
00:03:32
So it's pretty, pretty fun to be working with something that
00:03:34
comes from the same university as you, as myself studied.
00:03:38
But yeah.
00:03:39
It started out as a research project into containerized
00:03:42
environments and the security around containers and new
00:03:47
ways of running software.
00:03:49
And that run from I think 2018 to 2020, 2022.
00:03:57
And part of the findings that they had they thought
00:04:04
had potential to be used in a more commercial setting.
00:04:08
And these days, universities across Sweden, or I think
00:04:14
across, Europe in general, have a separate arm that looks
00:04:18
to what type of research is being made at our university
00:04:22
and what could be actually derived from that and what
00:04:24
should be turned into successful products or could be turned
00:04:28
into successful products.
00:04:29
I think this is a longer lifespan in the Life Science
00:04:33
area where you have a lot of universities doing science
00:04:38
within medicine and things like that, that then at some
00:04:41
point ends up at one of the big pharma companies as well.
00:04:45
But over the years, there has been a lot of more shift
00:04:48
towards the tech side of it.
00:04:50
So there has been both software, but also hardware
00:04:53
companies getting founded on successful research
00:04:56
coming out of universities.
00:04:58
Which I think is much more interesting for the students
00:05:02
as well, because you're working towards, which is
00:05:06
eventually actually being used.
00:05:07
I mean, sure for medicine, hopefully it is being used.
00:05:10
But for other things, there's a lot of like
00:05:12
this theoretical research that is probably not a-
00:05:19
never going to get anywhere.
00:05:21
But because of, I guess a lot of the people in the audience
00:05:25
probably are not aware of what the process would be.
00:05:28
How does that look like?
00:05:29
I mean, is the process of the project or the research
00:05:32
actually started with the idea of potentially going into a full
00:05:37
blown product in the end or how do I have to think about that?
00:05:42
Ah, well, in this case, I would say that the research
00:05:45
was done at the EU funded program that was running
00:05:49
across multiple universities and industries in the Europe
00:05:54
zone, but had contributors from all over the place.
00:05:58
But we had this professor in Lund that was focusing more
00:06:02
on the secure cybersecurity part and the runtime part.
00:06:05
And they work within the group.
00:06:09
And when they think that they have something that
00:06:11
they would like to, that should probably get funded
00:06:17
to become something, they can apply to a certain project.
00:06:21
Or a certain program within the university that's, LU
00:06:25
Innovation, it's called, or an innovation program.
00:06:28
And they get help assessing whether their idea or their
00:06:33
research has potential to become something.
00:06:36
And from that, they if they are not fully committed themselves
00:06:42
into to help you to venture out from the university and
00:06:46
get started and start a company and do all the things that that
00:06:51
entails, they have a program to get connected with other
00:06:56
entrepreneurs that can help you as operators of the startup
00:07:00
and help together bring the commercial project to life.
00:07:05
So that's, was actually, yeah, how I got into this project.
00:07:09
Right.
00:07:09
Okay.
00:07:09
Got it.
00:07:10
Got it.
00:07:11
Interesting.
00:07:12
I've never spoken to anyone who had that like kind of
00:07:16
background coming from a university and the project
00:07:19
being spun off into a company.
00:07:21
That's, I mean, you always hear about those things, but,
00:07:26
as I said, I've never had the chance to talk to anyone.
00:07:28
That's really interesting.
00:07:31
So let's get back to Bifrost then.
00:07:33
Bifrost, as you said, it's a security solution.
00:07:38
I'm not sure if it's a hundred percent specific
00:07:41
to Kubernetes, but at least it is Kubernetes related.
00:07:44
And as far as I know, it uses AppArmor to
00:07:48
automatically spin up profiles for, AppArmor, right?
00:07:53
Is that correct?
00:07:54
Yeah, that's correct.
00:07:56
And AppArmor is one of a few different Linux security
00:08:00
modules that has been around for quite some time.
00:08:06
And the idea behind it is that you can set a few,
00:08:15
or as many as you want, rules around what a given
00:08:19
application is allowed to do.
00:08:21
And when containers came along, these LSMs were then converted
00:08:27
into to also be able to contain your containerized workloads.
00:08:34
And of course you don't have to run this in Kubernetes.
00:08:36
We have started with Kubernetes because we believe that it's
00:08:39
a very strong foundation and a way of running
00:08:44
containerized workloads that has gained traction over the
00:08:47
10 years that it has been.
00:08:51
And but it's not solely contained by Kubernetes.
00:08:57
But, and there is a lot, there's a few others as well.
00:08:59
We have SELinux.
00:09:01
It's a competing one.
00:09:02
There's a lot of work being done now in eBPF, which is
00:09:07
also, something that you can help and do these kinds
00:09:10
of things with as well.
00:09:11
So we are investigating those as well as we build this out.
00:09:15
But, we're, yeah, AppArmor is the one we've started with.
00:09:18
Right.
00:09:19
I think AppArmor is the one that was initially started
00:09:23
by Google for Android, or was that SELinux?
00:09:28
I may just be guessing that.
00:09:30
That's an origin story I haven't heard.
00:09:32
I think AppArmor came out of Novell, and was later
00:09:38
acquired by Canonical.
00:09:41
And the majority parts of Ubuntu has been using
00:09:47
AppArmor for a long time over, I think almost up to 10
00:09:50
to 15 years now, to contain applications for the blueprint.
00:09:55
Okay.
00:09:55
Fair enough.
00:09:55
Maybe I'm completely messing that up.
00:09:58
But I think it's the one that the Android environment
00:10:01
also, or the Android.
00:10:03
Yeah, Google.
00:10:04
Google for sure is using it because they have also based
00:10:09
their cloud optimized OS that runs on their default
00:10:12
Kubernetes engine that supports AppArmor out of the box.
00:10:18
So it comes shipped with it on by default.
00:10:21
Okay, maybe, the audience will lynch me for that.
00:10:26
And he got it completely wrong.
00:10:29
I mean, perfect.
00:10:31
Yeah.
00:10:32
I'll help you shield you from a little bit of that, I hope.
00:10:35
Just generate an AppArmor profile for me.
00:10:40
But to be honest, I think it probably comes from the
00:10:43
fact that Android is maybe the biggest AppArmor user.
00:10:47
And that's probably why I thought it came out of Google.
00:10:50
Yeah.
00:10:51
Fair enough.
00:10:53
Yeah.
00:10:55
So how does, how do I have to think about that?
00:10:57
It- how does it know how to generate those profiles?
00:11:04
How does it know what the application needs
00:11:06
or doesn't need?
00:11:07
Now that's a good question.
00:11:09
I think that for many people, these kind of like low level
00:11:14
security mechanisms have been hidden or underutilized.
00:11:19
And there's been a couple of reasons for that.
00:11:21
One, they are in close to the kernel.
00:11:24
So it's a different kind of beast than your average
00:11:30
Node.js application.
00:11:32
No offense to Node.js developers or anything like that.
00:11:37
But it is.
00:11:38
And it's also tricky to use in the manual sense.
00:11:43
They come with a way to run them both as allow or deny.
00:11:48
Whatever it is.
00:11:50
And if they have been used at all, they have been used
00:11:53
probably most as deny rules, setting a few boundaries
00:11:57
for where your containerized workload can't go.
00:12:00
And they have, up until now, mostly been manual.
00:12:05
Manual labor.
00:12:06
So line by line, you manually describe what your
00:12:10
application is allowed to do or not allowed to do.
00:12:14
And you have wildcards and everything like that.
00:12:17
But it's tricky and a manual process.
00:12:21
And with everything else in the dev tool chain these days
00:12:24
being automated for speed and velocity of development,
00:12:28
the ones focusing on these low level mechanisms,
00:12:31
they are hard to keep up.
00:12:33
So they are, they go unutilized.
00:12:36
But that's one of the main thing about Bifrost is we try to
00:12:39
change that and we try to help you automate this process as
00:12:43
well, as most of us should, so that we can build the profiles
00:12:48
automatically for you for every new build that gets deployed
00:12:51
to your Kubernetes cluster.
00:12:53
So that we can continuously audit during the development
00:12:58
phase of your application or the development sprints or wherever.
00:13:02
So that we always get the latest developments of what
00:13:05
your application is doing.
00:13:07
And then we can automatically create the security profiles
00:13:10
that evolves with the builds that you produce.
00:13:14
So that you can kind of contain the application
00:13:17
as it grows of behavior.
00:13:19
Right.
00:13:21
Few weeks ago, we had Anders Eknert on the show.
00:13:27
And he's working for- blanking out with the
00:13:32
company name right now.
00:13:34
Styra.
00:13:35
Or, yeah.
00:13:35
I listened to that podcast for a while back.
00:13:38
And we know each other a little bit.
00:13:40
And we meet each other on the Stockholm tech
00:13:43
scene as well a few times.
00:13:44
Ah, yeah.
00:13:45
Okay.
00:13:45
Yeah, that makes sense.
00:13:46
That makes sense.
00:13:47
So he was talking about ota, like the o POL-
00:13:51
OPA, the open policy agent.
00:13:53
OPA.
00:13:54
Yeah, yeah.
00:13:55
And I think the idea is kind of similar just
00:13:58
from the understanding.
00:13:59
AppArmor is obviously deeper in the stack because it shields
00:14:04
the application from using certain operating system or
00:14:09
other applications, whereas OPA was more on the like,
00:14:15
on the service level, basically between different services.
00:14:18
But it sounds like those two things would be like a
00:14:21
perfect match to be combined and used in tandem, right?
00:14:25
Yeah, no, I think that they combine each other or
00:14:31
complement each other a lot.
00:14:32
But they are working on different levels.
00:14:35
But what we are trying to do with AppArmor and Bifrost
00:14:38
is that we want to move.
00:14:42
Zero trust is a very used term this, today.
00:14:47
But, I mean, kind of a zero trust on the syscall level
00:14:51
so that you only want your software to do the syscalls
00:14:55
and all the IOs that you wanted to do and nothing else should
00:15:01
be allowed based on that.
00:15:02
So that's the idea with us that we help you contain the
00:15:06
application by looking at its behavior and then crafting
00:15:10
profiles that allow for that certain behavior and then
00:15:12
can block behavior that lies outside of that boundary.
00:15:17
Right.
00:15:17
So in this case, it's probably closer to something like a web
00:15:21
application firewall, where you monitor this behavior
00:15:25
of the application or of the traffic for a while.
00:15:28
And then you say, okay, these seem to be like the things or
00:15:32
that is the traffic pattern we expect from the application.
00:15:35
And everything else, we just gonna block.
00:15:37
Basically like the, what is it?
00:15:39
WAF?
00:15:40
Yeah.
00:15:41
Yeah.
00:15:41
That's very close.
00:15:42
That's very close.
00:15:43
And I mean, there is a lot of other monitoring tools
00:15:46
that use like, Falco and Tracee and things like that
00:15:50
that looks to see and tries to monitor for bad behavior.
00:15:55
And we think that we can take that one step further
00:15:58
by doing that in the-
00:16:00
By basically setting up the good behavior rules
00:16:03
based on the audit part.
00:16:05
And then relying on protecting that in runtime, in production
00:16:11
with the security profiles that we can produce.
00:16:13
So you mentioned eBPF earlier.
00:16:15
And I guess a lot of the automatic auditing is done
00:16:19
via eBPF integrations or eBPF, whatever you call them when
00:16:24
they run this in the kernel.
00:16:27
Yeah.
00:16:27
So right now we're mostly using AppArmor for the audit
00:16:31
parts as well, because AppArmor has an audit mode that helps
00:16:35
you understand and get the logs out of the given system.
00:16:38
But we could use AppArmor, we could use eBPF for that as well.
00:16:44
And-
00:16:45
But we get the audit data from a given workload based
00:16:50
on the AppArmor audit mode.
00:16:53
And then you have two different modes that you run the actual
00:16:57
security profiles when you get them from our service that
00:17:02
you can either run them in a complain mode, which is a non
00:17:05
destructive mode, where it's basically just complaining
00:17:08
when you step outside of the boundary that the profile is
00:17:12
drawing up for your workload.
00:17:13
But then you can also get to a more strict stage where it's
00:17:18
an enforced mode, where you actually enforce the profile.
00:17:22
Right.
00:17:23
So you basically have like the auditing phase.
00:17:26
Then you have like the testing phase.
00:17:28
You see that if you keep it running for a little bit
00:17:31
longer, does something happen, which we didn't record?
00:17:35
And then at some point you put it into production
00:17:37
and you hope that you just caught all the edge cases.
00:17:42
Yeah, no, I think-
00:17:44
Yeah, exactly.
00:17:45
No, I think from the ones that we have started working with
00:17:48
on so far, they are running a few profiles in complain
00:17:53
mode, in production as well, just to make sure that they
00:17:56
don't trash anything and catch all those edge cases.
00:18:00
And we help them analyze the few complaints that
00:18:05
we have seen so far.
00:18:06
And then once you get to a state where you're kind of
00:18:09
boxed in, you rather want to be on the enforced mode where
00:18:12
you proactively would block a bad behavior if that occurs
00:18:15
or an anomaly that anything that we haven't seen before.
00:18:19
Right.
00:18:20
Okay, okay.
00:18:21
So from a user's perspective, what would be
00:18:24
like the biggest benefit?
00:18:26
I mean, I could claim-
00:18:28
but why do I need that?
00:18:30
Right.
00:18:32
I guess one obvious thing would be like a CVE or somebody manages
00:18:38
to get root permission or root permission on the container.
00:18:42
But apart from that, if I don't have any malicious
00:18:47
traffic, why would I care?
00:18:49
Well, that's a good thing.
00:18:50
I mean, I think that the whole shift left mentality that
00:18:57
has tried to focus on making sure that we get that to the
00:19:01
vulnerabilities in the at the root cause, we still see a lot
00:19:07
of applications that goes out to production with a number
00:19:10
of vulnerabilities in them.
00:19:12
And that's just fact.
00:19:13
You need to ship features as well.
00:19:15
And there's sometimes there aren't a fix that you can bump.
00:19:17
And there's more breaking changes in the fix or things
00:19:21
like that that makes it so that we have vulnerabilities.
00:19:24
And research behind them, why we, that this become became a
00:19:29
venture out of the university was that when you look to a
00:19:32
given software stack, based on open source components that has
00:19:36
vulnerabilities in them that can be used to break into the
00:19:40
container and then in some cases also break in through the, to
00:19:44
the node and things like that.
00:19:47
If you look to the behavior of what that's actually doing,
00:19:50
when it's supposed to be doing what it's built to do,
00:19:53
you only allow that behavior.
00:19:56
And then a majority of those vulnerabilities become
00:19:59
moot because they can't do the step two or the step
00:20:02
three and the exploit chain
00:20:06
that they have.
00:20:08
And being able to contain your application while you're
00:20:12
still have a lot of velocity in building new features and
00:20:16
building and updating your product, still having something
00:20:20
that can automatically contain it and understand it as it
00:20:25
evolves is one thing that we think is an added benefit.
00:20:29
And also, as a platform team, you might be working with
00:20:33
multiple dev teams across your companies that is doing a lot of
00:20:37
different types of development, that is building different types
00:20:40
of services in the containers.
00:20:41
And this is a way to raise the level of security,
00:20:47
between those teams without actually having to, work with
00:20:50
every developer to have them understand how you actually can
00:20:54
use a service like Bifrost or security profiles in general.
00:20:59
I think you mentioned something very important.
00:21:01
I just want to make sure it doesn't get lost because you
00:21:05
talked about the attack chains.
00:21:08
So these days, an attack or trying to take over a system
00:21:12
is normally not a single thing, but it is a chain or a
00:21:18
connection of either multiple CVEs, multiple vulnerabilities,
00:21:24
whatever you want to call them, or even jumping through
00:21:27
multiple systems or multiple microservices, trying to
00:21:31
figure out how stuff happens.
00:21:33
Yeah, no, that's-
00:21:34
Yeah, that's true.
00:21:35
And I mean, there could be misconfigurations running at
00:21:38
some point where, if you had not given a security profile
00:21:45
that would just be tailored to the specific workloads behavior
00:21:49
that you would be able to use that misconfiguration to
00:21:52
get secrets out or something that can help you move
00:21:54
laterally quicker across a network and across a cluster.
00:22:01
Right.
00:22:01
Right.
00:22:01
That makes a lot of sense because now it also means
00:22:04
you really want to secure the services further down the stack
00:22:08
because if somebody can inject, you said multiple development,
00:22:13
if somebody can inject some malicious call that you wouldn't
00:22:16
expect and now your service behaves completely weird, we
00:22:21
all know have you roll testing?
00:22:24
Right?
00:22:24
So now, your service behaves weird and probably you returned
00:22:28
something you would not expect.
00:22:30
And as you said, maybe breach some security
00:22:34
passwords or whatever.
00:22:36
Yeah, that makes sense.
00:22:38
Unfortunately, we're already out of time.
00:22:41
I would have so many more questions.
00:22:43
But one final question.
00:22:46
The one, basically, I ask everything.
00:22:49
What is on the horizon?
00:22:50
What do you think is like the next important
00:22:53
thing, the next big thing?
00:22:54
What is like the interesting thing you see
00:22:59
in terms of specifically,
00:23:00
I guess, security?
00:23:01
You're hard pressed not to have me say AI.
00:23:04
But, which I think.
00:23:10
It's hard to avoid.
00:23:11
But I think the-
00:23:14
if we get it closer to application development,
00:23:16
I think AI is a tool like many others, and that
00:23:21
will bring productivity.
00:23:22
And with productivity comes higher velocity.
00:23:25
And with higher velocity comes many more changes.
00:23:29
And I think that in of itself that will give
00:23:34
attack vectors will be-
00:23:35
there will be more attack vectors in the future just by
00:23:38
having the sheer speed on the velocity of software development
00:23:43
being increased by AI.
00:23:45
That will bring for more interesting areas both from, of
00:23:49
course, how that can be utilized against us in terms of all the
00:23:56
ways you can attack software and humans in terms to get access.
00:24:01
Because still of course ransomware also have a large
00:24:06
portion of them happening because people are socially
00:24:08
engineered to give up secrets that they shouldn't.
00:24:11
But I think it will work in tandem.
00:24:15
So I think it will, we will see an increased velocity
00:24:19
in everything happening from good things to bad things.
00:24:23
And that I think is, it's going to be an interesting
00:24:26
decade to say the least for the digital area.
00:24:30
I think that is a perfect way of ending the episode.
00:24:34
There is good and bad things on the horizon.
00:24:38
All right.
00:24:39
Yeah.
00:24:40
Thank you for being here.
00:24:41
It was a pleasure having you.
00:24:43
I wish you all the best with Bifrost.
00:24:46
I think it's a really interesting product.
00:24:49
Thank you.
00:24:49
Thank you for having me.
00:24:51
No, my pleasure.
00:24:53
And for the audience, next week, same time, same place.
00:24:57
I hope you listen in again.
00:24:58
And thank you very much as well.
00:25:03
The Cloud Commute Podcast is sponsored by simplyblock.
00:25:06
Your own elastic block storage engine for the cloud.
00:25:09
Get higher IOPS and low predictable latency
00:25:11
while bringing down your total cost of ownership.
00:25:13
www.simplyblock.io