RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

1. Docker Might not be your friend Trojanizing Docker like a Sir Roberto Muñoz (robsky) - @skyeinthewildDaniel García (cr0hn) - @ggdaniel

2. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild <spam>About Us</spam> • Creator/co-creator many security tools • Security researcher / ethical hacking • Chapter Leader OWASP Madrid • Python developer https://www.linkedin.com/in/garciagarciadaniel https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/ • SecDevOPs • Security researcher • Former BOFH (Because even developers need heroes)

3. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions

4. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions

5. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WHAT’S DOCKER? If you feel like the monkeys of 2001 odyssey, this is chapter is important to you

6. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - A brief definition

7. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - A brief definition

8. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM

10. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM IS NOT VIRTUALIZATION

14. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts

20. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Dockerfile Image Container

27. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different

28. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different But similar

29. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different But similar

30. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild THE DOCKER ENVIRONMENT Neighbourhood colleagues

31. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment

35. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Registry

36. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Registry Docker Orchestrators

37. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Orchestrators

38. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Image builder Docker Orchestrators

39. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Image builder Docker Orchestrators

40. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WHAT’S A C.I. / C.D CYCLE? Ensure that your boss does not see this, he could realise that you are not really necessary…. fired! fired! fired!

41. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Summary - Definitions 1. Continuous Integration - C.I: “Is the practice of merging all developer working copies to a shared mainline several times a day.” 2.Continuous Deployment - C.D: “Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time.” Source Wikipedia

42. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle

43. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle

44. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process

45. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard

48. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. - New approach https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html

51. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. + C.D. - New approach with Docker

52. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator

63. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild DISSECTING DOCKER IMAGES Shut up and tell me how I can break it down

64. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?

71. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Global Metadata Global metadata JSON file • Global info about image • Modification history • A SHA256 hash of each layer. Stored in order.

72. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Manifest Manifest file • A reference to global config file. • List of tags for the image. • List of layers. IN ORDER

73. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Repositories Repositories • Repository witch belong the image. • Repository tags available. • A reference to the last layer.

74. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layers Image layers • A docker image can contains any number of layers • Each layer has their own folder. • Each layer has 3 files: • json • layer.tar • VERSION

75. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content

76. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content

77. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer

78. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version

79. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version • Folders / files • Incremental file system

80. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content

90. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Why? • Change environment vars • Change Entry Point • Add new/modify files • Analyse the image • Extract the content

91. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems

92. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash

93. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash The layer hash is referenced in many places

94. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash The layer hash is referenced in many places A tiny change in a layer content implies many changes in many files.

99. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5

100. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata

103. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5

108. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks

113. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks LD_PRELOAD

117. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Scan

118. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir https://github.com/cr0hn/dockerscan Docker Scan

119. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir ¡ Demo time ! Trojanizing Docker Images with Docker Scan Manipulating Docker images - Attacks

120. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild ABUSING DOCKER REGISTRY? Yes, we love break things…

121. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Registry (D.R) - Brief summary • Storage docker images. • Index the images hashes • Create a logical structure to locate docker images: repository/image:tag • Exposes a REST API to interact.

122. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage

123. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage

124. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage Storage server Indexing server

125. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images?

126. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images? … … Images

127. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images? … … Images Tags

128. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir latest D.R. - How registry storage the images? 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags

129. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry

130. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion

131. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path

132. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e 14dc6b5

133. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest

134. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest D.R. - Attacks : Upload non accessible files

135. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest D.R. - Attacks : Upload non accessible files

136. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir ¡ Demo time ! Uploading files that only you can download… D.R. - Attacks : Upload non accesible files

137. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - Attacks : Replace remote images latest 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags

138. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - Attacks : Replace remote images latest 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags latest

139. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - A short search in Shodan

142. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild CONCLUSIONS The conclusion is simple: give me your money and avoid intermediaries

143. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WE NEED TO INVOKE SECURITY!

144. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild BUILD BEST PRACTICES • Do not trust name or tags, use digests instead in FROM declarations. • Always check the integrity of anything downloaded in build time.

145. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild REGISTRY SECURIZATION • Implement some of the available authN/authZ options. • Limit the exposure, the best case scenario is where only the build servers are allowed to push images to registries • Implement signing (https://github.com/docker/ notary) and don't execute unsigned images.

146. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild RUNTIME PROTECTION • Don't execute images with excessive privileges (-- privileged flag, added capabilities, disabled namespaces, etc) • Use native docker supported custom security profiles for your containers (Seccomp,Selinux/ Apparmor) • Use dynamic analysis tools to create behavioural profiles of the containers and monitor any suspect change in the container activity.

147. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Be careful…. …there is always someone watching

148. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Questions ?

149. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild

150. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Thank you!

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Similaire à RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images (20)

Plus de Daniel Garcia (a.k.a cr0hn)

Plus de Daniel Garcia (a.k.a cr0hn) (20)

Dernier

Dernier (20)

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images