RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

An explanation of Docker, of the new C.I./C.D. cycles built around Docker, of how to dissect and trojanize a Docker image, and of how to abuse functionality of the Docker Registry.

  1. Docker might not be your friend. Trojanizing Docker like a Sir. Roberto Muñoz (robskye) - @skyeinthewild, Daniel García (cr0hn) - @ggdaniel
  2. Docker might not be your friend - Trojanizing Docker like a Sir. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild. About Us • Creator/co-creator of many security tools • Security researcher / ethical hacking • Chapter Leader OWASP Madrid • Python developer https://www.linkedin.com/in/garciagarciadaniel https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/ • SecDevOps • Security researcher • Former BOFH (Because even developers need heroes)
  3. What's this talk about? 1. What's Docker 2. The Docker environment 3. What's a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions
  5. WHAT'S DOCKER? If you feel like the monkeys of 2001: A Space Odyssey, this chapter is important for you.
  6. What's Docker - A brief definition
  8. What's Docker - Docker vs VM
  10. What's Docker - Docker vs VM: IS NOT VIRTUALIZATION
  14. What's Docker - Parts
  20. What's Docker - Parts: Dockerfile, Image, Container
  27. What's Docker - Parts: Different
  28. What's Docker - Parts: Different, but similar
  30. THE DOCKER ENVIRONMENT. Neighbourhood colleagues
  31. Docker environment
  38. Docker environment: Docker Host, Docker Registry, Docker Image builder, Docker Orchestrators
  40. WHAT'S A C.I. / C.D. CYCLE? Make sure your boss does not see this; he could realise that you are not really necessary… fired! fired! fired!
  41. Summary - Definitions 1. Continuous Integration - C.I.: "Is the practice of merging all developer working copies to a shared mainline several times a day." 2. Continuous Deployment - C.D.: "Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time." Source: Wikipedia
  42. C.I. - Classic cycle
  44. C.I. - Classic cycle: Very manual process
  45. C.I. - Classic cycle: Very manual process. Restarting the process is hard
  48. C.I. - New approach https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
  51. C.I. + C.D. - New approach with Docker
  52. C.I. + C.D. - New approach with Docker: Docker Image builder, Docker Host, Docker Registry, Orchestrator
  63. DISSECTING DOCKER IMAGES. Shut up and tell me how I can break it down
  64. What's a Docker image?
  71. Docker image parts - Global Metadata. Global metadata JSON file • Global info about the image • Modification history • A SHA256 hash of each layer, stored in order.
  72. Docker image parts - Manifest. Manifest file • A reference to the global config file. • List of tags for the image. • List of layers, IN ORDER.
  73. Docker image parts - Repositories. Repositories • The repository the image belongs to. • Repository tags available. • A reference to the last layer.
  74. Docker image parts - Layers. Image layers • A Docker image can contain any number of layers • Each layer has its own folder. • Each layer has 3 files: json, layer.tar, VERSION
  75. Docker image parts - Layer content
  79. Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version • Folders / files • Incremental file system
  80. Docker image parts - Extracting content
  90. Manipulating Docker images - Why? • Change environment vars • Change Entry Point • Add new/modify files • Analyse the image • Extract the content
  91. Manipulating Docker images - Problems
  94. Manipulating Docker images - Problems. The manifest / metadata reference a layer only by its hash. The layer hash is referenced in many places. A tiny change in a layer's content implies many changes in many files.
  99. Manipulating Docker images - Problems. SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5
  100. Manipulating Docker images - Problems. We need to update the references and metadata
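The layer references described on the dissection slides can be cross-checked mechanically. The following Python is an added example, not part of the talk or of dockerscan: it builds a constructed `docker save`-style tarball (manifest.json, global config, repositories, and json/layer.tar/VERSION per layer folder) and verifies that every layer.tar still matches the digest recorded for it, so a layer edited without its metadata being updated is reported. The folder names and file contents are sample data.

```python
import hashlib
import io
import json
import tarfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read(tar: tarfile.TarFile, name: str) -> bytes:
    member = tar.extractfile(name)
    if member is None:
        raise KeyError(name)
    return member.read()


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def verify_saved_image(image_tar: bytes) -> list:
    """Cross-check every place a layer is referenced; [] means consistent."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:") as tar:
        names = tar.getnames()
        for entry in json.loads(_read(tar, "manifest.json")):
            config_name, layers = entry["Config"], entry["Layers"]
            config_bytes = _read(tar, config_name)
            # The global config file is named after its own digest (the image ID).
            if not config_name.startswith(_sha256(config_bytes)):
                findings.append(f"config {config_name} does not match its own digest")
            # The config keeps one digest per layer, in the same order as the manifest.
            diff_ids = json.loads(config_bytes)["rootfs"]["diff_ids"]
            if len(diff_ids) != len(layers):
                findings.append(f"{len(layers)} layers in manifest vs {len(diff_ids)} diff_ids")
            for pos, (layer_path, diff_id) in enumerate(zip(layers, diff_ids)):
                actual = "sha256:" + _sha256(_read(tar, layer_path))
                if actual != diff_id:
                    findings.append(f"layer {pos} ({layer_path}) hashes to {actual}, config says {diff_id}")
                # Each layer folder must carry the three files of the format.
                folder = layer_path.rsplit("/", 1)[0]
                for required in ("json", "layer.tar", "VERSION"):
                    if f"{folder}/{required}" not in names:
                        findings.append(f"layer folder {folder} is missing {required}")
    return findings


def _layer_tar(name: str, payload: bytes) -> bytes:
    """A one-file layer.tar: the incremental filesystem change of one layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as lt:
        _add(lt, name, payload)
    return buf.getvalue()


def build_sample_image(layer_payloads: list, tamper: bool = False) -> bytes:
    """Constructed `docker save`-style tarball (sample data, not a real image).

    tamper=True rewrites the last layer.tar after its digest was recorded, which
    is what editing layer content without updating the metadata looks like.
    """
    layer_tars = [_layer_tar(f"etc/layer{i}.conf", p) for i, p in enumerate(layer_payloads)]
    diff_ids = ["sha256:" + _sha256(lt) for lt in layer_tars]
    if tamper:
        layer_tars[-1] = _layer_tar("etc/layer_last.conf", b"modified content")
    # Folder names stand in for Docker's layer IDs (constructed, not real chain IDs).
    folders = [_sha256(d.encode()) for d in diff_ids]
    config = {"architecture": "amd64", "os": "linux",
              "rootfs": {"type": "layers", "diff_ids": diff_ids}}
    config_bytes = json.dumps(config, sort_keys=True).encode()
    config_name = _sha256(config_bytes) + ".json"
    manifest = [{"Config": config_name, "RepoTags": ["minion:latest"],
                 "Layers": [f"{f}/layer.tar" for f in folders]}]
    repositories = {"minion": {"latest": folders[-1]}}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        _add(tar, "manifest.json", json.dumps(manifest).encode())
        _add(tar, "repositories", json.dumps(repositories).encode())
        _add(tar, config_name, config_bytes)
        for i, (folder, lt) in enumerate(zip(folders, layer_tars)):
            meta = {"id": folder, "parent": folders[i - 1] if i else ""}  # parent reference
            _add(tar, f"{folder}/json", json.dumps(meta).encode())
            _add(tar, f"{folder}/layer.tar", lt)
            _add(tar, f"{folder}/VERSION", b"1.0")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean image:", verify_saved_image(build_sample_image([b"a=1", b"b=2"])))
    print("tampered image:", verify_saved_image(build_sample_image([b"a=1", b"b=2"], tamper=True)))
```

Running it on a real `docker save` tarball only needs the bytes of the file passed to `verify_saved_image`; the builder exists so the check can be exercised offline.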
  108. Manipulating Docker images - Attacks
  113. Manipulating Docker images - Attacks: LD_PRELOAD
  117. Docker Scan
  118. Docker Scan https://github.com/cr0hn/dockerscan
  119. ¡Demo time! Trojanizing Docker Images with Docker Scan (Manipulating Docker images - Attacks)
  120. ABUSING DOCKER REGISTRY? Yes, we love breaking things…
  121. Docker Registry (D.R.) - Brief summary • Stores Docker images. • Indexes the image hashes. • Creates a logical structure to locate Docker images: repository/image:tag • Exposes a REST API for interaction.
  122. D.R. - As image storage
  124. D.R. - As image storage: Storage server, Indexing server
  125. D.R. - How does the registry store the images?
  128. D.R. - How does the registry store the images? Images, each with Tags: latest, 1.1.10, 1.11.10-alpine, 1.10.3-alpine, …
  129. D.R. - As image storage: Upload process. Client and Docker Registry
  133. D.R. - As image storage: Upload process. Client: "I want to upload the image: minion". Registry: "OK. Here is your upload path". Client: "Uploading… SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5". Client: "Add the tag: latest" (minion:latest)
  134. D.R. - Attacks: Upload non-accessible files (the same upload exchange as on slide 133)
  136. ¡Demo time! Uploading files that only you can download… D.R. - Attacks: Upload non-accessible files
  137. D.R. - Attacks: Replace remote images. Images, each with Tags: latest, 1.1.10, 1.11.10-alpine, 1.10.3-alpine, …
  138. D.R. - Attacks: Replace remote images. Images, each with Tags: latest, 1.1.10, 1.11.10-alpine, 1.10.3-alpine, …; the latest tag is the one replaced
  139. D.R. - A short search in Shodan
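As an added example that is not part of the talk, the upload exchange and the two registry abuses above can be looked for in the registry's access log. The log format below is constructed for the example (timestamp, client, method, path, status); the paths are those of the Registry v2 API (upload start, upload commit with `?digest=`, manifest PUT). The script flags blobs committed by a client that never wrote a manifest to that repository, tags written more than once, and any write from outside an allow-list of build servers.

```python
import re
from collections import defaultdict

# Registry v2 API write paths: upload start, upload commit (?digest=), manifest PUT.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
BLOB_RE = re.compile(r"^/v2/(?P<repo>.+)/blobs/uploads/[^?]+\?digest=(?P<digest>sha256:[0-9a-f]{64})$")
MANIFEST_RE = re.compile(r"^/v2/(?P<repo>.+)/manifests/(?P<ref>[^/]+)$")

# Constructed access-log lines ("<timestamp> <client> <method> <path> <status>"):
# a normal push by the build server, a blob dropped by a client that never writes
# a manifest, and a second client re-pointing minion:latest.
PAGE_DIGEST = "sha256:f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5"
DROP_DIGEST = "sha256:" + "1" * 64  # constructed
NEW_DIGEST = "sha256:" + "2" * 64   # constructed
SAMPLE_LOG = "\n".join([
    "2017-03-03T10:00:01Z 10.0.0.5 POST /v2/minion/blobs/uploads/ 202",
    f"2017-03-03T10:00:02Z 10.0.0.5 PUT /v2/minion/blobs/uploads/8f1c?digest={PAGE_DIGEST} 201",
    "2017-03-03T10:00:03Z 10.0.0.5 PUT /v2/minion/manifests/latest 201",
    "2017-03-03T11:00:01Z 198.51.100.7 POST /v2/minion/blobs/uploads/ 202",
    f"2017-03-03T11:00:02Z 198.51.100.7 PUT /v2/minion/blobs/uploads/c0de?digest={DROP_DIGEST} 201",
    "2017-03-03T12:00:00Z 203.0.113.9 GET /v2/minion/manifests/latest 200",
    "2017-03-03T12:30:00Z 203.0.113.9 POST /v2/minion/blobs/uploads/ 202",
    f"2017-03-03T12:30:01Z 203.0.113.9 PUT /v2/minion/blobs/uploads/beef?digest={NEW_DIGEST} 201",
    "2017-03-03T12:30:02Z 203.0.113.9 PUT /v2/minion/manifests/latest 201",
])


def analyse_registry_log(log_text: str, allowed_pushers: set) -> dict:
    """Heuristic review of registry write traffic. Returns:
    dangling_uploads   blobs committed by a client that never wrote a manifest to
                       that repository (content only its uploader can fetch)
    tag_rewrites       repo:tag written more than once, with who did it and when
    unexpected_pushers successful writes from clients outside allowed_pushers
    """
    blobs_by = defaultdict(list)    # (repo, client) -> [digest, ...]
    manifests_by = set()            # (repo, client) pairs that wrote a manifest
    tag_writes = defaultdict(list)  # "repo:tag" -> [(ts, client), ...]
    unexpected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only successful write requests matter here.
        if not m or m["method"] not in ("POST", "PATCH", "PUT") or m["status"][0] != "2":
            continue
        ts, client, path = m["ts"], m["client"], m["path"]
        if client not in allowed_pushers:
            unexpected.append((ts, client, path))
        blob, manifest = BLOB_RE.match(path), MANIFEST_RE.match(path)
        if blob and m["method"] == "PUT":
            blobs_by[(blob["repo"], client)].append(blob["digest"])
        elif manifest and m["method"] == "PUT":
            manifests_by.add((manifest["repo"], client))
            tag_writes[f"{manifest['repo']}:{manifest['ref']}"].append((ts, client))
    dangling = [(repo, client, digest)
                for (repo, client), digests in blobs_by.items()
                if (repo, client) not in manifests_by
                for digest in digests]
    rewrites = {tag: writes for tag, writes in tag_writes.items() if len(writes) > 1}
    return {"dangling_uploads": dangling, "tag_rewrites": rewrites,
            "unexpected_pushers": unexpected}


if __name__ == "__main__":
    for kind, hits in analyse_registry_log(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(kind, hits)
```

The dangling-upload rule is a heuristic: a client that pushes blobs for a manifest it writes much later will show up until that manifest arrives, so run it over a window that covers a full push.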
  142. CONCLUSIONS. The conclusion is simple: give me your money and avoid intermediaries
  143. WE NEED TO INVOKE SECURITY!
  144. BUILD BEST PRACTICES • Do not trust names or tags; use digests instead in FROM declarations. • Always check the integrity of anything downloaded at build time.
  145. SECURING THE REGISTRY • Implement some of the available authN/authZ options. • Limit the exposure; the best-case scenario is one where only the build servers are allowed to push images to registries. • Implement signing (https://github.com/docker/notary) and don't execute unsigned images.
  146. RUNTIME PROTECTION • Don't execute images with excessive privileges (--privileged flag, added capabilities, disabled namespaces, etc.) • Use Docker's natively supported custom security profiles for your containers (Seccomp, SELinux/AppArmor) • Use dynamic analysis tools to create behavioural profiles of the containers and monitor any suspicious change in the container activity.
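The build best-practice slide above can be turned into a check that runs in the image builder. This Python auditor is an added example (not from the talk) that flags FROM lines pinned by name or tag instead of digest, RUN steps that download with curl/wget without verifying a checksum or signature, and remote ADD. The two Dockerfiles, the example.invalid URLs, the all-zero digest and PLACEHOLDER_SHA256 are constructed placeholders.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b")
# Commands that prove the integrity of a download inside the same RUN step.
VERIFIERS = ("sha256sum -c", "shasum -a 256 -c", "gpg --verify")

# Constructed Dockerfile showing the two build-time weaknesses the talk names.
WEAK_DOCKERFILE = """\
FROM nginx:latest
RUN curl -sSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz && \\
    tar xzf /tmp/tool.tar.gz -C /opt
ADD https://example.invalid/config.yml /etc/app/config.yml
COPY app/ /app
"""

# Same build with the base image pinned by digest and the download verified.
# The all-zero digest and PLACEHOLDER_SHA256 are placeholders, not real values.
HARDENED_DOCKERFILE = "FROM nginx@sha256:" + "0" * 64 + "\n" + """\
RUN curl -sSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz && \\
    echo "PLACEHOLDER_SHA256  /tmp/tool.tar.gz" | sha256sum -c - && \\
    tar xzf /tmp/tool.tar.gz -C /opt
COPY config.yml /etc/app/config.yml
COPY app/ /app
"""


def logical_lines(dockerfile: str):
    """Yield (INSTRUCTION, arguments), joining backslash continuations."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        instruction, _, args = (pending + line).partition(" ")
        pending = ""
        yield instruction.upper(), args.strip()


def audit_dockerfile(dockerfile: str) -> list:
    """Return findings for base images not pinned by digest and unverified downloads."""
    findings, stages = [], set()
    for instruction, args in logical_lines(dockerfile):
        if instruction == "FROM":
            words = [w for w in args.split() if not w.startswith("--")]  # drop --platform=
            image = words[0]
            if len(words) == 3 and words[1].upper() == "AS":
                stages.add(words[2])  # later FROM <stage> lines are not base images
            if image != "scratch" and image not in stages and not DIGEST_RE.search(image):
                findings.append(f"FROM {image}: base image pinned by name/tag, use a digest")
        elif instruction == "RUN":
            if DOWNLOAD_RE.search(args) and not any(v in args for v in VERIFIERS):
                findings.append("RUN downloads with curl/wget but verifies no checksum or signature")
        elif instruction == "ADD" and re.match(r"https?://", args):
            findings.append(f"ADD {args.split()[0]}: remote ADD performs no integrity check")
    return findings


if __name__ == "__main__":
    print("weak:", audit_dockerfile(WEAK_DOCKERFILE))
    print("hardened:", audit_dockerfile(HARDENED_DOCKERFILE))
```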
  147. Be careful… there is always someone watching
  148. Questions?
  150. Thank you!
