rootedcon 2017 - docker might not be your friend. trojanizing docker images
TRANSCRIPT
Docker Might Not Be Your Friend - Trojanizing Docker like a Sir
Roberto Muñoz (robsky) - @skyeinthewild | Daniel García (cr0hn) - @ggdaniel
Docker might not be your friend - Trojanizing Docker like a Sir
Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild
About us
Daniel García (cr0hn)
• Creator / co-creator of many security tools
• Security researcher / ethical hacking
• Chapter Leader, OWASP Madrid
• Python developer
https://www.linkedin.com/in/garciagarciadaniel
Roberto Muñoz (robskye)
• SecDevOps
• Security researcher
• Former BOFH (because even developers need heroes)
https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/
What’s this talk about?
1. What’s Docker
2. The Docker environment
3. What’s a C.I./C.D. cycle?
4. Dissecting Docker images
5. Abusing Docker registry?
6. Conclusions
WHAT’S DOCKER?
If you feel like the monkeys of 2001: A Space Odyssey, this chapter is important to you

What’s Docker - A brief definition

What’s Docker - Docker vs VM
Docker IS NOT VIRTUALIZATION

What’s Docker - Parts
Dockerfile, Image, Container

What’s Docker - Parts
Different, but similar
THE DOCKER ENVIRONMENT
Neighbourhood colleagues

Docker environment
• Docker Host
• Docker Registry
• Docker Image builder
• Docker Orchestrators
WHAT’S A C.I./C.D. CYCLE?
Ensure that your boss does not see this; he could realise that you are not really necessary… fired! fired! fired!

Summary - Definitions
1. Continuous Integration - C.I.: “Is the practice of merging all developer working copies to a shared mainline several times a day.”
2. Continuous Deployment - C.D.: “Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time.”
Source: Wikipedia
C.I. - Classic cycle
Very manual process
Restarting the process is hard

C.I. - New approach
https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html

C.I. + C.D. - New approach with Docker
Components: Docker Image builder, Docker Registry, Orchestrator, Docker Host
DISSECTING DOCKER IMAGES
Shut up and tell me how I can break it down

What’s a docker image?
Docker image parts - Global metadata
Global metadata JSON file
• Global info about the image
• Modification history
• A SHA256 hash of each layer, stored in order

Docker image parts - Manifest
Manifest file
• A reference to the global config file
• List of tags for the image
• List of layers, IN ORDER

Docker image parts - Repositories
Repositories file
• Repository to which the image belongs
• Repository tags available
• A reference to the last layer

Docker image parts - Layers
Image layers
• A docker image can contain any number of layers
• Each layer has its own folder
• Each layer has 3 files:
  • json
  • layer.tar
  • VERSION

Docker image parts - Layer content
• json: layer metadata, reference to the parent layer
• VERSION: layer version
• layer.tar: folders/files, incremental filesystem
Docker image parts - Extracting content

Manipulating Docker images - Why?
• Change environment vars
• Change EntryPoint
• Add new / modify files
• Analyse the image
• Extract the content
Manipulating Docker images - Problems
Manifest/metadata reference each layer only by its hash
The layer hash is referenced in many places
A tiny change in a layer’s content implies many changes in many files.
SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5
We need to update the references and metadata
Manipulating Docker images - Attacks
LD_PRELOAD
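The image layout from the “Docker image parts” slides (manifest, digest-named config, per-layer json/layer.tar/VERSION), the “Problems” slides (every byte changed in a layer changes the hash that manifest and config reference) and the defensive side of the LD_PRELOAD slide, as one added example that is not part of the talk and not code from dockerscan. It is a small Python audit that builds a constructed docker-save style tarball in memory, checks that the config file name equals the SHA256 of its content and that every layer.tar hashes to the diff_id the config advertises, and flags an LD_PRELOAD entry in the image Env or an etc/ld.so.preload file inside any layer. The repo tag minion:latest, the file contents and the path /lib/injected.so are constructed sample values; the layer directory name is arbitrary here, where docker derives its own id.

```python
import hashlib
import io
import json
import tarfile


def _tar_bytes(files):
    """Pack {path: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_sample_image(env, layer_files):
    """Constructed single-layer image in `docker save` layout (sample data, not a real image).

    The config file is named after its own SHA256 (the image id) and lists the SHA256
    of the uncompressed layer.tar under rootfs.diff_ids, which is what docker writes.
    """
    layer = _tar_bytes(layer_files)
    config = json.dumps({
        "config": {"Env": env, "Entrypoint": ["/app/run"]},
        "rootfs": {"type": "layers", "diff_ids": [_digest(layer)]},
    }).encode()
    image_id = hashlib.sha256(config).hexdigest()
    layer_dir = hashlib.sha256(b"sample-layer-dir").hexdigest()  # arbitrary for this sample
    manifest = json.dumps([{
        "Config": image_id + ".json",
        "RepoTags": ["minion:latest"],
        "Layers": [layer_dir + "/layer.tar"],
    }]).encode()
    return _tar_bytes({
        "manifest.json": manifest,
        image_id + ".json": config,
        layer_dir + "/VERSION": b"1.0",
        layer_dir + "/json": json.dumps({"id": layer_dir}).encode(),
        layer_dir + "/layer.tar": layer,
    })


def with_replaced_layer(tar_bytes, new_layer_files):
    """Copy of the image with layer.tar swapped but manifest/config left untouched:
    a layer edit that did not update the references, which the audit must catch."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf.getmembers():
            files[member.name] = tf.extractfile(member).read()
    for name in list(files):
        if name.endswith("/layer.tar"):
            files[name] = _tar_bytes(new_layer_files)
    return _tar_bytes(files)


def audit_image(tar_bytes):
    """Return a list of findings: digest mismatches and LD_PRELOAD-style persistence."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        read = lambda name: tf.extractfile(name).read()
        for entry in json.loads(read("manifest.json")):
            config_raw = read(entry["Config"])
            # The image id is the SHA256 of the config bytes; the file is named after it.
            if hashlib.sha256(config_raw).hexdigest() + ".json" != entry["Config"]:
                findings.append(f"config {entry['Config']}: digest mismatch")
            config = json.loads(config_raw)
            diff_ids = config["rootfs"]["diff_ids"]
            if len(diff_ids) != len(entry["Layers"]):
                findings.append("manifest and config disagree on the number of layers")
            for expected, path in zip(diff_ids, entry["Layers"]):
                layer = read(path)
                if _digest(layer) != expected:
                    findings.append(f"layer {path}: digest mismatch (config says {expected})")
                with tarfile.open(fileobj=io.BytesIO(layer)) as lt:
                    for member in lt.getmembers():
                        if member.name.lstrip("./") == "etc/ld.so.preload":
                            findings.append(f"layer {path}: contains etc/ld.so.preload")
            for var in (config.get("config") or {}).get("Env") or []:
                if var.startswith("LD_PRELOAD="):
                    findings.append(f"config Env sets {var}")
    return findings


if __name__ == "__main__":
    clean = build_sample_image(["PATH=/usr/bin"], {"app/run": b"#!/bin/sh\necho ok\n"})
    tampered = with_replaced_layer(clean, {"app/run": b"#!/bin/sh\necho ok\n",
                                           "etc/ld.so.preload": b"/lib/injected.so\n"})
    print("clean:", audit_image(clean))
    print("tampered:", audit_image(tampered))
```

Against a real `docker save` archive the same function applies unchanged: read manifest.json, hash each config and layer.tar, compare with the names and diff_ids they are referenced by. A registry or CI step that loads images from untrusted storage can run this before `docker load`.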
Docker Scan
https://github.com/cr0hn/dockerscan

¡Demo time!
Trojanizing Docker Images with Docker Scan
ABUSING DOCKER REGISTRY?
Yes, we love to break things…

Docker Registry (D.R.) - Brief summary
• Stores docker images
• Indexes the image hashes
• Creates a logical structure to locate docker images: repository/image:tag
• Exposes a REST API to interact with
D.R. - As image storage
Storage server / Indexing server

D.R. - How does the registry store the images?
Images → Tags: latest, 1.1.10, 1.11.10-alpine, 1.10.3-alpine, …
D.R. - As image storage: Upload process (Client ↔ Docker Registry)
1. Client: I want to upload the image: minion
2. Docker Registry: Ok. Here is your upload path
3. Client: Uploading…
4. SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5
5. Client: Add the tag: latest
6. Docker Registry: minion:latest
D.R. - Attacks: Upload non-accessible files

¡Demo time!
Uploading files that only you can download…
D.R. - Attacks: Replace remote images
Images → Tags: latest, 1.1.10, 1.11.10-alpine, 1.10.3-alpine, …
latest (re-pointed)
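The push exchange from the “Upload process” slides (ask for an upload path, send the blob, confirm it by digest, then point a tag at a manifest) and the two registry attacks that follow, as an added example that is not part of the talk. It is a Python model of a registry whose methods follow the v2 API shape (POST /v2/<name>/blobs/uploads/, PATCH and PUT on the returned location, PUT /v2/<name>/manifests/<tag>) plus the client side of a push; the repository name minion, the tag latest and the blob contents are constructed. It shows the two properties a defender should take from those slides: a tag such as latest is a mutable pointer, so pulling by tag after a second push returns different content while pulling by the first manifest’s digest still returns the original (why the conclusions say to pin FROM by digest); and a blob uploaded without any manifest referencing it stays retrievable by whoever knows its digest, which is what an orphan-blob check, or the registry garbage collector, exists to surface.

```python
import hashlib
import json
import uuid


def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


class Registry:
    """In-memory model of a v2 registry; the comment on each method names the HTTP call it stands for."""

    def __init__(self):
        self.blobs = {}       # digest -> bytes (content-addressed storage side)
        self.manifests = {}   # (repo, manifest digest) -> manifest bytes
        self.tags = {}        # (repo, tag) -> manifest digest (indexing side)
        self.uploads = {}     # upload id -> buffered bytes

    def start_upload(self, repo):
        # POST /v2/<repo>/blobs/uploads/  -> 202 Accepted, Location: /v2/<repo>/blobs/uploads/<id>
        upload_id = uuid.uuid4().hex
        self.uploads[upload_id] = bytearray()
        return f"/v2/{repo}/blobs/uploads/{upload_id}"

    def patch_upload(self, location, chunk):
        # PATCH <location>  -> 202 Accepted
        self.uploads[location.rsplit("/", 1)[1]] += chunk
        return 202

    def complete_upload(self, location, digest):
        # PUT <location>?digest=<digest>  -> 201 Created, or 400 if the content does not hash to <digest>
        data = bytes(self.uploads.pop(location.rsplit("/", 1)[1]))
        if digest_of(data) != digest:
            return 400
        self.blobs[digest] = data
        return 201

    def put_manifest(self, repo, tag, manifest_bytes):
        # PUT /v2/<repo>/manifests/<tag>  -> 201 Created; every referenced blob must already exist
        manifest = json.loads(manifest_bytes)
        for ref in [manifest["config"]] + manifest["layers"]:
            if ref["digest"] not in self.blobs:
                return 400, None
        mdigest = digest_of(manifest_bytes)
        self.manifests[(repo, mdigest)] = manifest_bytes
        self.tags[(repo, tag)] = mdigest   # the tag is simply re-pointed on every push
        return 201, mdigest

    def get_manifest(self, repo, reference):
        # GET /v2/<repo>/manifests/<tag or digest>
        mdigest = reference if reference.startswith("sha256:") else self.tags.get((repo, reference))
        return self.manifests.get((repo, mdigest))

    def orphan_blobs(self):
        """Blobs no manifest points at: unreachable by tag, still downloadable by digest."""
        referenced = set()
        for raw in self.manifests.values():
            manifest = json.loads(raw)
            referenced.update(ref["digest"] for ref in [manifest["config"]] + manifest["layers"])
        return set(self.blobs) - referenced


def push_blob(registry, repo, data):
    """Client side of one blob upload: the upload-path / upload / confirm-by-digest exchange."""
    location = registry.start_upload(repo)
    for i in range(0, len(data), 4):           # tiny chunks just to exercise PATCH
        registry.patch_upload(location, data[i:i + 4])
    digest = digest_of(data)
    status = registry.complete_upload(location, digest)
    if status != 201:
        raise RuntimeError(f"upload rejected with {status}")
    return digest


def push_image(registry, repo, tag, config_bytes, layers):
    """Push config and layers, then a schema-2 manifest under `tag`; returns the manifest digest."""
    refs = [{"mediaType": "application/vnd.docker.container.image.v1+json",
             "size": len(config_bytes), "digest": push_blob(registry, repo, config_bytes)}]
    for layer in layers:
        refs.append({"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                     "size": len(layer), "digest": push_blob(registry, repo, layer)})
    manifest = json.dumps({"schemaVersion": 2,
                           "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                           "config": refs[0], "layers": refs[1:]}).encode()
    status, mdigest = registry.put_manifest(repo, tag, manifest)
    if status != 201:
        raise RuntimeError(f"manifest rejected with {status}")
    return mdigest


if __name__ == "__main__":
    reg = Registry()
    first = push_image(reg, "minion", "latest", b'{"v": 1}', [b"layer-one"])
    second = push_image(reg, "minion", "latest", b'{"v": 2}', [b"layer-two"])
    print("latest resolves to the second push:",
          reg.get_manifest("minion", "latest") == reg.get_manifest("minion", second))
    print("first push still reachable by digest:", reg.get_manifest("minion", first) is not None)
    push_blob(reg, "minion", b"not referenced by any manifest")
    print("orphan blobs:", reg.orphan_blobs())
```

The model deliberately keeps what the real protocol guarantees (a blob is only stored if its content hashes to the claimed digest; a manifest can only reference blobs that exist) and what it does not (nothing stops a tag from being re-pointed, and nothing ties a stored blob to a manifest). Monitoring tag changes on production repositories and periodically listing unreferenced blobs are the corresponding detective controls.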
D.R. - A short search in Shodan
CONCLUSIONS
The conclusion is simple: give me your money and avoid intermediaries

WE NEED TO INVOKE SECURITY!
BUILD BEST PRACTICES
• Do not trust names or tags; use digests instead in FROM declarations.
• Always check the integrity of anything downloaded at build time.
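A check for the two build rules above, as an added example that is not from the talk: a Python audit of a Dockerfile that flags FROM lines not pinned by an @sha256 digest (references to earlier build stages and scratch are skipped), RUN lines that fetch with curl or wget without a sha256sum, sha512sum or gpg verification step, and ADD from a URL. The Dockerfile is constructed, the digest in it is an all-zero placeholder rather than a real image digest, and the curl/wget rule is a simple regex heuristic, so its output is a prompt for review, not proof.

```python
import re


def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments, as the Dockerfile parser does."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending.strip())
    return lines


def audit_dockerfile(text):
    """Return a list of findings for unpinned base images and unverified build-time downloads."""
    findings, aliases = [], set()
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            args = [a for a in rest.split() if not a.startswith("--")]   # drop --platform=...
            image = args[0]
            if len(args) >= 3 and args[1].upper() == "AS":
                aliases.add(args[2])
            if image in aliases or image == "scratch":
                continue                                   # earlier stage or the empty base
            if "@sha256:" not in image:
                findings.append(f"FROM {image}: not pinned by digest, tag or name can be re-pointed")
        elif instr == "RUN":
            downloads = re.search(r"\b(curl|wget)\b", rest)
            verifies = re.search(r"sha256sum|sha512sum|gpg --verify", rest)
            if downloads and not verifies:
                findings.append(f"RUN downloads without an integrity check: {rest[:60]}")
        elif instr == "ADD" and re.search(r"(^|\s)https?://", rest):
            findings.append(f"ADD from URL without verification: {rest}")
    return findings


# Constructed Dockerfile; the sha256 value is a placeholder, not a real digest.
SAMPLE_DOCKERFILE = """
FROM python:3.6 AS builder
RUN curl -sSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz \\
    && tar xzf /tmp/tool.tar.gz -C /out
ADD https://example.invalid/extra.tgz /opt/

FROM nginx:1.11.10-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /out /srv

FROM builder
RUN curl -sSL https://example.invalid/a.tgz -o a.tgz && echo "<expected-sha256>  a.tgz" | sha256sum -c -
"""

if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

Pinning by digest fixes the exact image content a build consumes, so a re-pointed tag on the registry is noticed as a failed pull instead of silently becoming the new base; the same audit can run as a pre-merge check on every Dockerfile in a repository.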
REGISTRY HARDENING
• Implement some of the available authN/authZ options.
• Limit the exposure; the best-case scenario is where only the build servers are allowed to push images to registries.
• Implement signing (https://github.com/docker/notary) and don't execute unsigned images.
RUNTIME PROTECTION
• Don't execute images with excessive privileges (--privileged flag, added capabilities, disabled namespaces, etc.)
• Use the native Docker-supported custom security profiles for your containers (Seccomp, SELinux/AppArmor)
• Use dynamic analysis tools to create behavioural profiles of the containers and monitor any suspicious change in container activity.
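The first two runtime rules above turned into a check, as an added example that is not from the talk: a Python audit over the HostConfig section of `docker inspect` output that flags --privileged, added capabilities, host PID/network/IPC namespaces, a seccomp or AppArmor profile set to unconfined, and a missing no-new-privileges option. The two inspect records are constructed samples (names, ids and the profile path /etc/docker/custom-seccomp.json included), not output from a real host. The behavioural profiling in the third bullet needs runtime telemetry and is not covered by this static check.

```python
import json


def audit_host_config(container):
    """Return (container name, finding) pairs for risky runtime settings in one inspect record."""
    name = container.get("Name", "?").lstrip("/")
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host: host namespace shared with the container")
    security_opt = hc.get("SecurityOpt") or []
    for opt in security_opt:
        if opt.endswith("unconfined"):            # seccomp=unconfined, apparmor=unconfined
            findings.append(f"{opt}: mandatory access control profile disabled")
    if "no-new-privileges:true" not in security_opt:
        findings.append("no-new-privileges not set: setuid binaries can still raise privileges")
    return [(name, f) for f in findings]


def audit_inspect_output(raw_json):
    """Run the audit over the JSON array that `docker inspect` prints."""
    results = []
    for container in json.loads(raw_json):
        results.extend(audit_host_config(container))
    return results


# Constructed sample in the shape of `docker inspect` output; ids and paths are placeholders.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0" * 64,
        "Name": "/hardened-web",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "PidMode": "",
            "NetworkMode": "bridge",
            "IpcMode": "private",
            "SecurityOpt": ["no-new-privileges:true", "seccomp=/etc/docker/custom-seccomp.json"],
        },
    },
    {
        "Id": "1" * 64,
        "Name": "/risky-worker",
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "PidMode": "host",
            "NetworkMode": "bridge",
            "IpcMode": "private",
            "SecurityOpt": ["seccomp=unconfined"],
        },
    },
])

if __name__ == "__main__":
    for name, finding in audit_inspect_output(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a live host the input is simply `docker inspect $(docker ps -q)`; the hardened record shows the shape the slides recommend (all capabilities dropped, a custom seccomp profile, no-new-privileges), the risky one the settings they warn about.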
Be careful…
…there is always someone watching

Questions?

Thank you!