Upload File

rootedcon 2017 - docker might not be your friend. trojanizing docker images

  • Home
  • Technology
  • RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
150
Docker Might not be your friend Trojanizing Docker like a Sir Roberto Muñoz (robsky) - @skyeinthewild Daniel García (cr0hn) - @ggdaniel

Upload: daniel-garcia-aka-cr0hn

Post on 12-Apr-2017

2.599 views

Category:

Technology


3 download

Report

TRANSCRIPT

Page 1: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Docker Might not be your friendTrojanizing Docker like a Sir

RobertoMuñoz(robsky)-@skyeinthewildDanielGarcía(cr0hn)-@ggdaniel

Page 2: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

<spam>AboutUs</spam>

• Creator/co-creatormanysecuritytools

• Securityresearcher/ethicalhacking

• ChapterLeaderOWASPMadrid

• Pythondeveloper

https://www.linkedin.com/in/garciagarciadaniel

https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/

• SecDevOPs

• Securityresearcher

• Former BOFH (Because even developersneedheroes)

https://www.linkedin.com/in/garciagarciadaniel
https://www.linkedin.com/in/roberto-mu%C3%B1oz-fern%C3%A1ndez-8389a313/
Page 3: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

What’sthistalkabout?

1. What’sDocker2. TheDockerenvironment3. What’saC.I./C.D.cycle?4. DissectingDockerimages5. AbusingDockerregistry?6. Conclusions

Page 4: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

What’sthistalkabout?

1. What’sDocker2. TheDockerenvironment3. What’saC.I./C.D.cycle?4. DissectingDockerimages5. AbusingDockerregistry?6. Conclusions

Page 5: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

WHAT’SDOCKER?

Ifyoufeellikethemonkeysof2001odyssey,thisischapterisimportanttoyou

Page 6: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Abriefdefinition

Page 7: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Abriefdefinition

Page 8: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

Page 9: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

Page 10: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

IS NOT

VIRTUALIZATION

Page 11: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

Page 12: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

Page 13: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-DockervsVM

Page 14: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 15: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 16: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 17: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 18: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 19: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 20: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Dockerfile Image Container

Page 21: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Dockerfile Image Container

Page 22: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Dockerfile Image Container

Page 23: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 24: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 25: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 26: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-Parts

Page 27: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-PartsDifferent

Page 28: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-PartsDifferent

But similar

Page 29: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sDocker-PartsDifferent

But similar

Page 30: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

THEDOCKERENVIRONMENTNeighbourhoodcolleagues

Page 31: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

Page 32: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

Page 33: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

Page 34: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

Page 35: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

DockerRegistry

Page 36: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

DockerRegistry DockerOrchestrators

Page 37: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

DockerHost

DockerRegistry DockerOrchestrators

Page 38: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

DockerHost

DockerRegistry

DockerImagebuilder

DockerOrchestrators

Page 39: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerenvironment

DockerHost

DockerRegistry

DockerImagebuilder

DockerOrchestrators

Page 40: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

WHAT’SAC.I./C.DCYCLE?

Ensurethatyourbossdoesnotseethis,hecouldrealisethatyouarenotreallynecessary….fired!fired!fired!

Page 41: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Summary-Definitions1. Continuous Integration - C.I:

“Is the practice of merging all developer working copies to a shared mainline several times a day.”

2. Continuous Deployment - C.D: “Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time.”

Source Wikipedia

Page 42: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-Classiccycle

Page 43: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-Classiccycle

Page 44: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-ClassiccycleVery manual process

Page 45: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-ClassiccycleVery manual process

Restart the process is hard

Page 46: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-ClassiccycleVery manual process

Restart the process is hard

Page 47: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I-ClassiccycleVery manual process

Restart the process is hard

Page 48: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I.-Newapproach

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
Page 49: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I.-Newapproach

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
Page 50: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I.-Newapproach

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html

https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
Page 51: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

C.I.+C.D.-NewapproachwithDocker

Page 52: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 53: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 54: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 55: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 56: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 57: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 58: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 59: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 60: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 61: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 62: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerImagebuilder

C.I.+C.D.-NewapproachwithDocker

DockerHost DockerRegistry

Orchestrator

Page 63: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

DISSECTINGDOCKERIMAGES

ShutupandtellmehowIcanbreakitdown

Page 64: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 65: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 66: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 67: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 68: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 69: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 70: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

What’sadockerimage?

Page 71: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-GlobalMetadata

GlobalmetadataJSONfile

• Globalinfoaboutimage• Modificationhistory• ASHA256hashofeachlayer.Storedinorder.

Page 72: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Manifest

Manifestfile

• Areferencetoglobalconfigfile.

• Listoftagsfortheimage.• Listoflayers.INORDER

Page 73: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Repositories

Repositories

• Repositorywitchbelongtheimage.

• Repositorytagsavailable.• Areferencetothelastlayer.

Page 74: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layers

Imagelayers

• Adockerimagecancontainsanynumberoflayers

• Eachlayerhastheirownfolder.

• Eachlayerhas3files:• json• layer.tar• VERSION

Page 75: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layercontent

Page 76: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layercontent

Page 77: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layercontent

• Layermetadata• Referencetotheparentlayer

Page 78: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layercontent

• Layermetadata• Referencetotheparentlayer

• Layerversion

Page 79: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Layercontent

• Layermetadata• Referencetotheparentlayer

• Layerversion

• Folders/files• Incrementalfilesystem

Page 80: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 81: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 82: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 83: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 84: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 85: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 86: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 87: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 88: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 89: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Dockerimageparts-Extractingcontent

Page 90: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Why?• Changeenvironmentvars

• ChangeEntryPoint

• Addnew/modifyfiles

• Analysetheimage

• Extractthecontent

Page 91: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 92: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Manifest/Metadataonlymeetthelayerhash

Page 93: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Manifest/Metadataonlymeetthelayerhash

Thelayerhashisreferencedinmanyplaces

Page 94: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Manifest/Metadataonlymeetthelayerhash

Thelayerhashisreferencedinmanyplaces

Atinychangeinalayercontentimpliesmanychangesinmany

files.

Page 95: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 96: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 97: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 98: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 99: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

SHA256:f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5

Page 100: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 101: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 102: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Page 103: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

SHA256:f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5

Page 104: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 105: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 106: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 107: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Problems

Weneedtoupdatethereferencesandmetadata

Page 108: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

Page 109: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

Page 110: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

Page 111: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

Page 112: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

Page 113: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

LD_PRELOAD

Page 114: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

LD_PRELOAD

Page 115: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

LD_PRELOAD

Page 116: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ManipulatingDockerimages-Attacks

LD_PRELOAD

Page 117: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Docker Scan

Page 118: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

https://github.com/cr0hn/dockerscan

Docker Scan

https://github.com/cr0hn/dockerscan
Page 119: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

¡Demotime!

TrojanizingDockerImageswithDockerScan

ManipulatingDockerimages-Attacks

Page 120: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

ABUSINGDOCKERREGISTRY?Yes,welovebreakthings…

Page 121: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DockerRegistry(D.R)-Briefsummary

• Storagedockerimages.• Indextheimageshashes• Create a logical structure to locatedockerimages:repository/image:tag

• ExposesaRESTAPItointeract.

Page 122: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage

Page 123: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage

Page 124: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage

Storageserver Indexingserver

Page 125: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Howregistrystoragetheimages?

Page 126: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Howregistrystoragetheimages?

……

Images

Page 127: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Howregistrystoragetheimages?

……

Images Tags

Page 128: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

latest

D.R.-Howregistrystoragetheimages?

1.1.10

1.11.10-alpine

1.10.3-alpine

……

Images Tags

Page 129: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage:Uploadprocess

Client DockerRegistry

Page 130: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage:Uploadprocess

Client DockerRegistry

Iwantuploadtheimage:minion

Page 131: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage:Uploadprocess

Client DockerRegistry

Iwantuploadtheimage:minion

Oks.HereisyouruploadPath

Page 132: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage:Uploadprocess

Client DockerRegistry

Iwantuploadtheimage:minion

Oks.HereisyouruploadPath

Uploading…

SHA256:f94a86523746be32e7981681172198717edd94333d263b1f64228a41e

14dc6b5

Page 133: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Asimagestorage:Uploadprocess

Client DockerRegistry

Iwantuploadtheimage:minion

Oks.HereisyouruploadPath

Uploading…

Addthetag:Latest

minion :Latest

Page 134: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Client DockerRegistry

Iwantuploadtheimage:minion

Oks.HereisyouruploadPath

Uploading…

Addthetag:Latest

minion :Latest

D.R.-Attacks:Uploadnonaccessiblefiles

Page 135: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Client DockerRegistry

Iwantuploadtheimage:minion

Oks.HereisyouruploadPath

Uploading…

Addthetag:Latest

minion :Latest

D.R.-Attacks:Uploadnonaccessiblefiles

Page 136: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

¡Demotime!

Uploadingfilesthatonlyyoucandownload…

D.R.-Attacks:Uploadnonaccesiblefiles

Page 137: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Attacks:Replaceremoteimages

latest

1.1.10

1.11.10-alpine

1.10.3-alpine

……

Images Tags

Page 138: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-Attacks:Replaceremoteimages

latest

1.1.10

1.11.10-alpine

1.10.3-alpine

……

Images Tags

latest

Page 139: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-AshortsearchinShodan

Page 140: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-AshortsearchinShodan

Page 141: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

D.R.-AshortsearchinShodan

Page 142: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

CONCLUSIONS

Theconclusionissimple:givemeyourmoneyandavoidintermediaries

Page 143: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

WENEEDTOINVOKESECURITY!

Page 144: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

BUILDBESTPRACTICES

• Donottrustnameortags,usedigestsinsteadinFROMdeclarations.

• Alwayschecktheintegrityofanythingdownloadedinbuildtime.

Page 145: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

REGISTRYSECURIZATION• ImplementsomeoftheavailableauthN/authZoptions.

• Limittheexposure,thebestcasescenarioiswhereonlythebuildserversareallowedtopushimagestoregistries

• Implementsigning(https://github.com/docker/notary)anddon'texecuteunsignedimages.

https://github.com/docker/notary
https://github.com/docker/notary
Page 146: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

RUNTIMEPROTECTION• Don'texecuteimageswithexcessiveprivileges(--privilegedflag,addedcapabilities,disablednamespaces,etc)

• Usenativedockersupportedcustomsecurityprofilesforyourcontainers(Seccomp,Selinux/Apparmor)

• Usedynamicanalysistoolstocreatebehaviouralprofilesofthecontainersandmonitoranysuspectchangeinthecontaineractivity.

Page 147: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

Becareful….

…thereisalwayssomeonewatching

Page 148: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Questions

?

Page 149: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Page 150: RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

Dockermightnotbeyourfriend-TrojanizingDockerlikeaSir

DanielGarcía(cr0hn)-@ggdaniel|RobertoMuñoz(robskye)-@skyeinthewild

Thankyou!


Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]

Physical Penetration Testing (RootedCON 2015)

Javier Moreno & Eloi Sanfélix - Seguridad y explotación nativa en Android [RootedCON 2010]

Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Tools [RootedCON 2010]

Hernan Ochoa - WCE Internals [RootedCON 2011]

Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]

Whatsapp: mentiras y cintas de video RootedCON 2014

events.static.linuxfound.org · 2017-12-14 · OpenStack Cartridge Instance n create/destroy instances Cartridge Instance 2 os hardware Pocker Docker Docker Docker Docker Docker Docker

openQA - SUSE€¦ · Jenkins Gerrit Travis Selenium Docker Docker Docker Docker Docker Docker Docker Docker ... openQA runs tests on each Maintenance Update before being released

Docker Machine & Docker Swarm

José Ramón Palanco - NoSQL Security [RootedCON 2011]

DOCKER 101 - DeveloperMarch€¦ · -Docker Machine -Docker Compose -Docker Stack -Docker Swarm -Docker Hub. INSTALLATION. INSTALLATION. WORKFLOW. client Dockerfile Image Registry

Alfonso Muñoz - Generating Spanish Stegotext for fun and profit [RootedCON 2010]

Docker on Docker

docker run docker service is the new · Getting Started with Docker Clustering Mike Goelzer / [email protected] / @mgoelzer Docker Inc. docker service is the new docker run docker

Docker und IBM Digital Experience in Docker Container€¦ · Docker und IBM Digital Experience in Docker Container 1. Watson Customer Engagement v What is docker ... • Docker swarm

Docker 101 - techccu.csie.iotechccu.csie.io/2015/slides/frank.pdf · Docker Basics - CLI Docker client docker version docker info docker search [keyword] docker push/pull/commit docker

Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

Docker Docker Docker Chef

Containerisation with Docker ...Docker Swarm: Produces a single, virtual Docker host by clustering multiple Docker Swarm Docker hosts together. It presents the same Docker API; allowing

Docker Docker - Docker Security - Docker

Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]

Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON 2011]

Gianluca D'Antonio - ¿Estamos preparados? [RootedCON 2010]

RootedCON 2014: Playing and Hacking with Digital Latches

RootedCon 2017 - Workshop: IoT Insecurity of Things?

David Barroso - iPhone + Botnets = FUN! [RootedCON 2010]

Installation, container management, Docker - iol.unibo.it · • Docker containers are built from Docker images. By default, Docker pulls these images from Docker Hub, a Docker registry

David Reguera - New w32 hooking skills [RootedCON 2010]

Alberto Corsín - Geeks and economics [RootedCON 2010]

Physical Penetration Testing - RootedCON 2015

Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]

2014-03 - RootedCon 2014 - Secure Communication System

José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]

Scada Trojans Ruben Rootedcon