Introducing 

Prezi AI.

Your new presentation assistant.

Refine, enhance, and tailor your content, source relevant images, and edit visuals quicker than ever before.

Loading…
Transcript

Implementation of attacks and security measures on Docker containers

INSE 6130: Operating Systems Security

Lakshay Choudhary

Vijeshwarya Radhakrishnan

Jagmandeep Singh

Nilay Kothari

Money Saxena

Ashish Singh

Barry Deng

Jiawei Yao

Introduction

What is Docker?

  • Open source containerization platform

  • Easy deployment of packaged applications and dependencies

  • Lightweight, portable and efficient way to deploy

Security concerns

Impact of security in docker

Sysdig Threat Research's report:

  • Containers can contain vulnerabilities

  • Container isolation is not foolproof

  • Docker images can be tampered with

  • Unintentional access to sensitive resources

Threats in the wild:

  • "New Docker Container Escape Bug Affects Microsoft Azure Functions" report by hackernews.com

  • "Poorly Secured Docker Image Comes Under Rapid Attack" report by Akamai researcher

  • "Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images" article by darkreading.com

  • "TeamTNT Hits Docker Containers via 150K Malicious Cloud Image Pulls" report by darkreading.com

Attack vectors

Methodology

  • Runc host file vulnerability (CVE 2019-5736) [Jia Wei, Barry]

  • Abusing process ID ownership between docker and the running client (CVE 2022-37708) [Nilay, Lakshay]

  • Privilege escalation using docker group [Ashish, Barry]

  • Misconfiguration of --privileged parameter [Jia Wei, Jagman]

  • Using linux cgroup notification feature to escape container [Vijeshwarya, Money]

  • Gaining root access via docker.sock misconfiguration [Ashish, Vijeshwarya]

Security Measure

Implementing security measure

[Nilay, Lakshay, Money]

  • Initial approach: attempt to implement Intrustion Detection System (IDS) using snort and barnyard : issue of comptability with community rules

  • Pivot: apparmor and seccomp

  • Final implementation: custom script to audit docker images and host environment for docker using docker-bench-security, chef inspec and trivy

Attack: runc host file vulnerabilty

(CVE-2019-5736)

Attack

Demonstration

  • RunC : lightweight, universal, container runtime that uses native features of Linux to create and run containers

  • released by docker platform in 2015

  • major exploit discovered in 2019 : Docker before 18.09.2 allows attackers to overwrite the host runc binary (and consequently obtain host root access). This occurs because of file-descriptor mishandling, related to /proc/self/exe

  • Method: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec

Demo

Abusing process ID ownership between docker and the running client (CVE 2022-37708)

Attack

Demonstration

  • Docker directly maps the IDs from the shares within the Client to a private (and protected) directory on the "host system" (such as /var/lib/docker/volumes).

  • If at any point in time a file is opened up inside the "client system", that file descriptor becomes available on the host system (outside of the Client)

  • A fully legitimate user(having same UID on host) can therefore PID dial (like war dialing), looking for open file descriptors for files

Demo

Implementing Security Application

Security App Implementation

  • First approach: creating a network based IDS using snort and barnyard : comptability issues

  • Second approach: using apparmor to create custom profiles

(example: blocking netcat to prevent reverse shell in one of the implemented attacks)

  • Final approach: a custom script for docker security auditing and image vulnerability assessment

  • Auditing tools: docker-bench security and Chef Inspec to compare against best practices

  • CIS Docker Community Benchmark: secure configuration guidelines

  • Trivy: scans code projects and build artifacts for security issues such as vulnerabilities, IaC misconfigurations,

secrets, and more.

Demo

Challenges encountered

Conclusions

  • Most practical vulnerabilites get patched as time passes. This makes it difficult to implement PoCs because of incompatibility of older libraries and operating systems.

  • Complexity of several vulnerabilities was beyond the scope of our comprehension due to sophisticated and very specific requirements for the attack to work

  • Difficulty with implementing community rules in snort IDS and integrating it in Dockerfile: libdnet, daq, and other dependencies

  • Learning and creating apparmor and seccomp profiles

Lessons Learned

Lessons Learned

  • Internal workings of containerization technologies: runtime libraries and their dependencies on host OS

  • Researching vulnerabilities and proof of concepts through knowledge systems like CVE and NVD

  • Existing attack vectors in docker, their wide scope and mitigations

  • How misconfigurations and oversights can lead to severe compromising attacks

  • Defense in depth using security measures in docker
Learn more about creating dynamic, engaging presentations with Prezi