
Attacking and Auditing Containers - Nishith Khadadiya


The speaker will discuss common attack techniques against a containerized environment. The talk helps attendees learn the approach to follow and the process for testing and auditing containers.

https://nsconclave.net-square.com/attacking-and-auditing-containers.html


  1. Attacking and Auditing Containers (Nishith K)
  2. #whoami
     ● TALLEST member in NS Family
     ● Twitter: @busk3r
  3. Credits. This talk is based on research by these awesome people:
     ● Madhu Akula (@madhuakula)
     ● Jessie Frazelle (@jessfraz)
  4. Outline
     1. Docker quick start
     2. Attacking Docker containers
     3. Auditing Docker containers
  5. Docker Quick Start
  6. Why Docker?
  7. Basic Terminology
     ● Docker Image: read-only OS with predefined packages
     ● Container: running state of an image
  8. Basic Terminology (Cont.)
     ● Registry: repository of images
     ● Public Hub: public Docker registry, contains a large number of images
  9. Architecture
  10. Basics (Cont.): docker inspect <container name> gives complete information about a container's running state
     ● Start time
     ● Mount points
     ● Ports exposed
     ● IP
  11. Docker volumes and networks
     ● Multiple services on different containers
     ● Communication between them
  12. Attacking Docker Containers
  13. Attacking Docker containers / Docker escapes
     ● Attacking container capabilities
     ● Attacking insecure volume mounts in containers
  14. Attacking container capabilities
  15. Capabilities
     ● Capabilities define privileges
     ● Linux capabilities are used for fine-grained ACL
     ● "Need to know" concept, whitelist approach
     ● By default Docker drops all capabilities except those needed
  16. Check container capabilities
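How that check can be done from inside a container, as an added example rather than a slide from the talk: read the CapEff line of /proc/self/status, decode the hex bitmask into capability names, and compare the result with the default set Docker leaves a non-privileged container. Capability numbering follows linux/capability.h; the three status snippets are constructed samples, and the "high risk" list is this example's own choice of capabilities worth questioning in an audit.

```python
"""Decode a container's effective capability set from /proc/self/status and
compare it with Docker's default set.  Added example, not from the talk."""

# Linux capability names indexed by bit number (linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities Docker keeps for an ordinary (non-privileged) container.
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID",
    "CAP_SYS_CHROOT",
})

# Capabilities an auditor should question when found in a container (this
# example's own list); CAP_SYS_PTRACE is the one the talk's scenario turns on.
HIGH_RISK_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT",
})


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex value into a set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_eff(status_text):
    """Pull the CapEff line out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line in status text")


def audit_caps(status_text):
    """Summarise the effective set against Docker's default and the risky list."""
    caps = parse_cap_eff(status_text)
    return {
        "effective": sorted(caps),
        "beyond_docker_default": sorted(caps - DOCKER_DEFAULT_CAPS),
        "high_risk": sorted(caps & HIGH_RISK_CAPS),
    }


# Constructed samples of what `cat /proc/self/status` shows inside a container.
STATUS_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_PTRACE = "Name:\tsh\nCapEff:\t00000000a80c25fb\n"      # run with --cap-add=SYS_PTRACE
STATUS_PRIVILEGED = "Name:\tsh\nCapEff:\t000001ffffffffff\n"  # run with --privileged

if __name__ == "__main__":
    import pathlib
    for label, text in (("default", STATUS_DEFAULT), ("ptrace", STATUS_PTRACE),
                        ("privileged", STATUS_PRIVILEGED)):
        print(label, audit_caps(text))
    # On a real Linux host, audit the current process as well.
    status = pathlib.Path("/proc/self/status")
    if status.exists():
        print("self", audit_caps(status.read_text()))
```

Run inside the container under review; anything listed under beyond_docker_default was added explicitly (via --cap-add or --privileged) and should be matched against a documented need. Where libcap is installed, `capsh --decode=<hex>` performs the same translation of the mask.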
  17. Misconfiguration: 'privileged=true'
  18. Scenario
  19. Capability: cap_sys_ptrace. To trace processes on the host system we require this privilege.
  20. Sharing Host System Processes
     ● Sometimes, for debugging purposes, people share host system processes inside a container
  21. What can go wrong?
  22. Exploit: Linux process injection. Find a process running as host and inject a payload.
  23. Attacking insecure volume mounts in containers
  24. Socket as volume mount
     ● CI/CD pipelines run the entire build in a Docker container that is itself running inside Docker
     ● To access the host Docker environment, pass the socket
     ● Attaching the socket as a volume mount (Portainer)
  25. Scenario
  26. Portainer: UI management for Docker
     ● Runs inside a container
     ● Needs the socket or API to access the host system
     ● Socket as volume mount
  27. Exploit
     ● Use the Docker client to access the socket mounted as a volume: # docker -H unix:///var/run/docker.sock <command>
  28. Auditing Containers
  29. Auditing Containers. Goal: identifying security misconfigurations while deploying and running Docker containers. Auditing requires inspecting the following components:
     ● Docker images
     ● Docker containers
     ● Docker networks
     ● Docker registries
     ● Docker volumes
  30. Docker Images & Containers. Look at image configuration and options to find any issues or misconfigurations: # docker images --digests ubuntu
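The container-side audit the slides call for, as an added example that is not part of the talk: it reads the JSON that `docker inspect` prints and flags the misconfigurations the attack section walked through (privileged mode, added capabilities such as SYS_PTRACE, a shared host PID namespace, and the Docker socket passed in as a bind mount). The field names (HostConfig.Privileged, HostConfig.CapAdd, HostConfig.PidMode, HostConfig.Binds, Mounts) are the real inspect output keys; the four-container JSON embedded below is a constructed, trimmed sample, and the list of capabilities treated as risky is this example's own.

```python
"""Flag container misconfigurations by reading `docker inspect` JSON:
privileged mode, risky added capabilities, host PID namespace, and a
bind-mounted Docker socket.  Added example, not from the talk."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"

# Capabilities that should not be added without a documented reason (this example's list).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm_cap(cap):
    """Accept 'SYS_PTRACE', 'sys_ptrace' or 'CAP_SYS_PTRACE' uniformly."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(info):
    """Return a list of findings for one container record from `docker inspect`."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    hc = info.get("HostConfig") or {}

    if hc.get("Privileged"):
        findings.append(f"{name}: runs with --privileged (all capabilities, all host devices)")

    for cap in hc.get("CapAdd") or []:
        if _norm_cap(cap) in RISKY_CAPS:
            findings.append(f"{name}: adds capability {cap}")

    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace (--pid=host)")

    # The socket can show up in the normalised Mounts list or in the raw -v Binds.
    bind_sources = {m.get("Source") for m in info.get("Mounts") or []
                    if m.get("Type") == "bind"}
    bind_sources |= {b.split(":", 1)[0] for b in hc.get("Binds") or []}
    if DOCKER_SOCKET in bind_sources:
        findings.append(f"{name}: bind-mounts {DOCKER_SOCKET} (full control of the host daemon)")

    return findings


def audit_inspect_output(inspect_json):
    """Audit every container in a `docker inspect` JSON array."""
    return [f for c in json.loads(inspect_json) for f in audit_container(c)]


# Constructed sample: four containers, trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "", "Binds": None},
     "Mounts": []},
    {"Name": "/debugger",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_PTRACE"], "PidMode": "host", "Binds": None},
     "Mounts": []},
    {"Name": "/portainer",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/legacy",
     "HostConfig": {"Privileged": True, "CapAdd": None, "PidMode": "", "Binds": None},
     "Mounts": []},
])

if __name__ == "__main__":
    import sys
    # Audit piped-in inspect output; fall back to the embedded sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not data.strip():
        data = SAMPLE_INSPECT
    for finding in audit_inspect_output(data):
        print(finding)
```

Against a real host, feed it every running container with `docker inspect $(docker ps -q) | python3 audit_inspect.py` (the script name is an assumption); run with no input it audits the embedded sample. Each finding maps back to one of the slides: the debugger container is the cap_sys_ptrace plus shared-host-processes scenario, and the Portainer container is the socket-as-volume-mount scenario.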
  31. Check for content trust to get signatures
     ● Checking the image issuers with docker trust: # docker trust inspect mediawiki --pretty
     ● This shows who signed the repository
  32. Looking for known vulnerabilities
     ● We can use Docker Hub registry scanning to check for vulnerable packages in images
       ○ Clair (Vulnerability Static Analysis for Containers), open source
  33. Looking for known vulnerabilities
     ● vulners.com/audit: checks installed packages against the Vulners database of known issues
  34. Docker benchmarking: automation
  35. Questions
  36. References
     ● Docker Bench Security Audit
     ● DEF CON 26 Docker Security Workshop
     ● Container Hacks and Fun Images
  37. Thank You!!
