Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Docker Might not be your friend
Trojanizing Docker like a Sir
Roberto	Muñoz	(robsky)	-	@skyeinthewildDaniel	García	(cr0hn)...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye)	-	@skyeinthewild
Docker	might	not	be	your	friend	-	Trojanizing...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Docker	might	not	be	your	friend	-	Trojanizing	Docker	like	a	Sir
Daniel	García	(cr0hn)	-	@ggdaniel	|	Roberto	Muñoz	(robskye...
Upcoming SlideShare
Loading in …5
×

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

5,655 views

Published on

A explanation about docker, new C.I. / C.D. cycles with docker, how to dissect a Docker image and trojanize and how to abuse of Functionality of Docker Registry

Published in: Technology

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images

  1. 1. Docker Might not be your friend Trojanizing Docker like a Sir Roberto Muñoz (robsky) - @skyeinthewildDaniel García (cr0hn) - @ggdaniel
  2. 2. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild <spam>About Us</spam> • Creator/co-creator many security tools • Security researcher / ethical hacking • Chapter Leader OWASP Madrid • Python developer https://www.linkedin.com/in/garciagarciadaniel https://www.linkedin.com/in/roberto-muñoz-fernández-8389a313/ • SecDevOPs • Security researcher • Former BOFH (Because even developers need heroes)
  3. 3. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions
  4. 4. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild What’s this talk about? 1. What’s Docker 2. The Docker environment 3. What’s a C.I. / C.D. cycle? 4. Dissecting Docker images 5. Abusing Docker registry? 6. Conclusions
  5. 5. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WHAT’S DOCKER? If you feel like the monkeys of 2001 odyssey, this is chapter is important to you
  6. 6. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - A brief definition
  7. 7. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - A brief definition
  8. 8. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM
  9. 9. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM
  10. 10. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM IS NOT VIRTUALIZATION
  11. 11. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM
  12. 12. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM
  13. 13. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Docker vs VM
  14. 14. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  15. 15. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  16. 16. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  17. 17. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  18. 18. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  19. 19. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  20. 20. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Dockerfile Image Container
  21. 21. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Dockerfile Image Container
  22. 22. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Dockerfile Image Container
  23. 23. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  24. 24. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  25. 25. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  26. 26. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts
  27. 27. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different
  28. 28. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different But similar
  29. 29. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s Docker - Parts Different But similar
  30. 30. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild THE DOCKER ENVIRONMENT Neighbourhood colleagues
  31. 31. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment
  32. 32. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment
  33. 33. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment
  34. 34. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment
  35. 35. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Registry
  36. 36. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Registry Docker Orchestrators
  37. 37. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Orchestrators
  38. 38. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Image builder Docker Orchestrators
  39. 39. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker environment Docker Host Docker Registry Docker Image builder Docker Orchestrators
  40. 40. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WHAT’S A C.I. / C.D CYCLE? Ensure that your boss does not see this, he could realise that you are not really necessary…. fired! fired! fired!
  41. 41. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Summary - Definitions 1. Continuous Integration - C.I: “Is the practice of merging all developer working copies to a shared mainline several times a day.” 2.Continuous Deployment - C.D: “Is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time.” Source Wikipedia
  42. 42. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle
  43. 43. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle
  44. 44. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process
  45. 45. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
  46. 46. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
  47. 47. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I - Classic cycle Very manual process Restart the process is hard
  48. 48. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. - New approach https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
  49. 49. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. - New approach https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
  50. 50. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. - New approach https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html
  51. 51. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir C.I. + C.D. - New approach with Docker
  52. 52. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  53. 53. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  54. 54. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  55. 55. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  56. 56. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  57. 57. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  58. 58. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  59. 59. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  60. 60. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  61. 61. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  62. 62. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Image builder C.I. + C.D. - New approach with Docker Docker Host Docker Registry Orchestrator
  63. 63. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild DISSECTING DOCKER IMAGES Shut up and tell me how I can break it down
  64. 64. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  65. 65. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  66. 66. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  67. 67. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  68. 68. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  69. 69. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  70. 70. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir What’s a docker image?
  71. 71. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Global Metadata Global metadata JSON file • Global info about image • Modification history • A SHA256 hash of each layer. Stored in order.
  72. 72. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Manifest Manifest file • A reference to global config file. • List of tags for the image. • List of layers. IN ORDER
  73. 73. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Repositories Repositories • Repository witch belong the image. • Repository tags available. • A reference to the last layer.
  74. 74. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layers Image layers • A docker image can contains any number of layers • Each layer has their own folder. • Each layer has 3 files: • json • layer.tar • VERSION
  75. 75. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content
  76. 76. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content
  77. 77. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer
  78. 78. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version
  79. 79. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Layer content • Layer metadata • Reference to the parent layer • Layer version • Folders / files • Incremental file system
  80. 80. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  81. 81. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  82. 82. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  83. 83. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  84. 84. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  85. 85. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  86. 86. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  87. 87. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  88. 88. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  89. 89. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker image parts - Extracting content
  90. 90. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Why? • Change environment vars • Change Entry Point • Add new/modify files • Analyse the image • Extract the content
  91. 91. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  92. 92. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash
  93. 93. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash The layer hash is referenced in many places
  94. 94. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems Manifest / Metadata only meet the layer hash The layer hash is referenced in many places A tiny change in a layer content implies many changes in many files.
  95. 95. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  96. 96. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  97. 97. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  98. 98. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  99. 99. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5
  100. 100. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  101. 101. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  102. 102. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems
  103. 103. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e14dc6b5
  104. 104. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  105. 105. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  106. 106. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  107. 107. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Problems We need to update the references and metadata
  108. 108. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks
  109. 109. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks
  110. 110. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks
  111. 111. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks
  112. 112. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks
  113. 113. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks LD_PRELOAD
  114. 114. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks LD_PRELOAD
  115. 115. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks LD_PRELOAD
  116. 116. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Manipulating Docker images - Attacks LD_PRELOAD
  117. 117. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Scan
  118. 118. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir https://github.com/cr0hn/dockerscan Docker Scan
  119. 119. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir ¡ Demo time ! Trojanizing Docker Images with Docker Scan Manipulating Docker images - Attacks
  120. 120. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild ABUSING DOCKER REGISTRY? Yes, we love break things…
  121. 121. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Docker Registry (D.R) - Brief summary • Storage docker images. • Index the images hashes • Create a logical structure to locate docker images: repository/image:tag • Exposes a REST API to interact.
  122. 122. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage
  123. 123. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage
  124. 124. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage Storage server Indexing server
  125. 125. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images?
  126. 126. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images? … … Images
  127. 127. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - How registry storage the images? … … Images Tags
  128. 128. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir latest D.R. - How registry storage the images? 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags
  129. 129. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry
  130. 130. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion
  131. 131. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path
  132. 132. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… SHA256: f94a86523746be32e7981681172198717edd94333d263b1f64228a41e 14dc6b5
  133. 133. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - As image storage : Upload process Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest
  134. 134. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest D.R. - Attacks : Upload non accessible files
  135. 135. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Client Docker Registry I want upload the image: minion Oks. Here is your upload Path Uploading… Add the tag: Latest minion :Latest D.R. - Attacks : Upload non accessible files
  136. 136. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir ¡ Demo time ! Uploading files that only you can download… D.R. - Attacks : Upload non accesible files
  137. 137. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - Attacks : Replace remote images latest 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags
  138. 138. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - Attacks : Replace remote images latest 1.1.10 1.11.10-alpine 1.10.3-alpine … … … Images Tags latest
  139. 139. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - A short search in Shodan
  140. 140. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - A short search in Shodan
  141. 141. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir D.R. - A short search in Shodan
  142. 142. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild CONCLUSIONS The conclusion is simple: give me your money and avoid intermediaries
  143. 143. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild WE NEED TO INVOKE SECURITY!
  144. 144. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild BUILD BEST PRACTICES • Do not trust name or tags, use digests instead in FROM declarations. • Always check the integrity of anything downloaded in build time.
  145. 145. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild REGISTRY SECURIZATION • Implement some of the available authN/authZ options. • Limit the exposure, the best case scenario is where only the build servers are allowed to push images to registries • Implement signing (https://github.com/docker/ notary) and don't execute unsigned images.
  146. 146. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild RUNTIME PROTECTION • Don't execute images with excessive privileges (-- privileged flag, added capabilities, disabled namespaces, etc) • Use native docker supported custom security profiles for your containers (Seccomp,Selinux/ Apparmor) • Use dynamic analysis tools to create behavioural profiles of the containers and monitor any suspect change in the container activity.
  147. 147. Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Docker might not be your friend - Trojanizing Docker like a Sir Be careful…. …there is always someone watching
  148. 148. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Questions ?
  149. 149. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild
  150. 150. Docker might not be your friend - Trojanizing Docker like a Sir Daniel García (cr0hn) - @ggdaniel | Roberto Muñoz (robskye) - @skyeinthewild Thank you!

×