Attacking and Auditing Containers - Nishith Khadadiya

Information about Attacking and Auditing Containers - Nishith Khadadiya

Published on January 30, 2020




1. Attacking and Auditing Containers Nishith K

2. #whoami ● TALLEST member in NS Family ● Twitter: @busk3r

3. Credits This talk is based on research of these awesome people: ● Madhu Akula (@madhuakula) ● Jessica Frazzele (@jessfraz)

4. Outline 1. Docker Quick start 2. Attacking Docker Containers 3. Auditing Docker Containers

5. Docker QuickStart

6. Why docker?

7. Basic Terminology Docker Image Read Only OS with packages predefined Container Running state of image

8. Basic Terminology (Cont.) Registry Repository of Images Public Hub Pubic Docker Registry Contains large number of images

9. Architecture

10. Basics (Cont.) docker inspect <container name> Gives complete information about container’s running state ● Start time ● Mount points ● Ports exposed ● IP

11. Docker volumes and networks ● Multiple services on different containers ● Communication between them

12. Attacking Docker Containers

13. ● Attacking container capabilities ● Attacking insecure volume mounts in containers Attacking Docker containers/Docker escapes

14. Attacking container capabilities

15. Capabilities ● Capabilities define privileges ● Linux Capabilities are used for fine grained ACL ● “Need to know” concept , Whitelist approach ● By default the Docker drops all capabilities except those needed

16. Check container capabilities

17. Misconfiguration - ‘privileged=true’

18. Scenario

19. Capability - cap_sys_ptrace To trace the process in host systems we require this privilege

20. Sharing Host System Processes ● Sometimes for debugging purpose people share host system processes inside container

21. What can go wrong?

22. Exploit Linux process injection Find process running as host and inject payload

23. Attacking insecure volume mounts in containers

24. Socket as volume mount ● CI/CD guys run entire code in a docker which is already running inside a docker ● To access host docker environment, pass the socket ● Attaching socket as volume mount (Portainer)

25. Scenario

26. Portainer - UI management for Docker ● Runs inside container ● Needs socket or API to access host system ● Socket as volume mount

27. Exploit ● Use docker client to access the socket mounted as volume # docker -H unix:///var/run/docker.sock <command>

28. Auditing Containers

29. Auditing Containers Goal: Identifying security misconfigurations while deploying and running docker containers. Auditing requires inspecting following components: ● Docker Images ● Docker Containers ● Docker networks ● Docker registries ● Docker volumes

30. Docker Images & Containers Look at images configuration and options to find any issues or misconfigurations. # docker images --digests ubuntu

31. Check for content trust to get signatures ● Checking the image issuers with docker trust # docker trust inspect mediawiki --pretty ● This shows who signed the repository

32. Looking for known vulnerabilities ● We can use docker hub registry scanning to check for vulnerable packages in images ○ Clair (Vulnerability Static Analysis for Containers) - Opensource

33. Looking for known vulnerabilities ● checks for known issues from them.

34. Docker benchmarking - Automation

35. Questions

36. References ● Docker Bench Security Audit ● Defcon 26 Docker Security Workshop ● Container Hacks and Fun Images

37. Thank You!!

#whoami presentations

Zer 0 no zer(0 day)   dragon jar
25. 09. 2020

Zer 0 no zer(0 day) dragon jar

Related presentations

Other presentations created by NSCONCLAVE