RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
•
18 gostaram•11,574 visualizações
The document discusses a talk titled "Docker might not be your friend - Trojanizing Docker like a Sir" given by Daniel García and Roberto Muñoz. The talk covers what Docker is, the Docker environment including components like Docker hosts, registries, and orchestrators. It also discusses continuous integration/continuous deployment cycles and how Docker fits into those processes. The slides provide definitions and diagrams to explain these concepts.
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
Semelhante a RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images (20)
Mais de Daniel Garcia (a.k.a cr0hn)
Mais de Daniel Garcia (a.k.a cr0hn) (20)
Último
Último (20)
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
- 1. Docker Might not be your friend Trojanizing Docker like a Sir Roberto Muñoz (robsky) - @skyeinthewildDaniel García (cr0hn) - @ggdaniel
- 2. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild <spam>About Us</spam> • Creator/co-creator many security tools • Security researcher / ethical hacking • Chapter Leader OWASP Madrid • Python developer https://www.linkedin.com/in/garciagarciadaniel https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/ • SecDevOPs • Security researcher • Former BOFH (Because even developers need heroes)
- 3. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions
- 4. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions
- 41. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Summary - Definitions 1. Continuous Integration - C.I: “Is the practice of merging all developer working copies to a shared mainline several times a day.” 2.Continuous Deployment - C.D: “Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time.” Source Wikipedia
- 45. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
- 46. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
- 47. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
- 71. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Global Metadata Global metadata JSON file • Global info about image • Modification history • A SHA256 hash of each layer. Stored in order.
- 72. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Manifest Manifest file • A reference to global config file. • List of tags for the image. • List of layers. IN ORDER
- 73. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Repositories Repositories • Repository witch belong the image. • Repository tags available. • A reference to the last layer.
- 74. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layers Image layers • A docker image can contains any number of layers • Each layer has their own folder. • Each layer has 3 files: • json • layer.tar • VERSION
- 79. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version • Folders / files • Incremental file system
- 90. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Why? • Change environment vars • Change Entry Point • Add new/modify files • Analyse the image • Extract the content
- 121. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Registry (D.R) - Brief summary • Storage docker images. • Index the images hashes • Create a logical structure to locate docker images: repository/image:tag • Exposes a REST API to interact.
- 145. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild REGISTRY SECURIZATION • Implement some of the available authN/authZ options. • Limit the exposure, the best case scenario is where only the build servers are allowed to push images to registries • Implement signing (https://github.com/docker/ notary) and don't execute unsigned images.
- 146. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild RUNTIME PROTECTION • Don't execute images with excessive privileges (-- privileged flag, added capabilities, disabled namespaces, etc) • Use native docker supported custom security profiles for your containers (Seccomp,Selinux/ Apparmor) • Use dynamic analysis tools to create behavioural profiles of the containers and monitor any suspect change in the container activity.