Container Image Security Overview

Source: Internet
Author: User
Tags: docker, hub, cve
With the rise of microservice architecture, containerized deployment has become the most popular production model, and more and more companies are moving to container-based architectures. Naturally, as containers have come into wide use, container security has become an industry focus, and container security vendors have sprung up, such as CoreOS Clair, Aqua Security, Twistlock, Anchore and so on. A container is built from an image; if the image itself is malicious or contains vulnerabilities, then every container based on it is inherently unsafe, so image security directly determines container security.


Why container images can create security issues

In traditional deployments, applications depend on the environment provided by the operating system. Once that environment is configured, the application runs stably.

Figure 1 Traditional deployment architecture

As technology has developed, the problems of traditional deployment have become more and more serious. Because multiple applications have different requirements for their runtime environment, application deployment causes many unexpected problems, and a great deal of effort is spent on trivial environment issues.

Figure 2 Problems with traditional deployments

Containerized deployment was therefore introduced to deal with this scenario. The container runtime provides the environment that is needed, and developers package their applications together with the required dependencies into container images. Each developer can use their own dependency versions, independent of other developers and of the operating system. Ultimately both users and developers benefit from this deployment model: developers can easily test how the application runs in different environments, and no longer have to write custom upgrade instructions for environment changes when releasing a new version; users also find container deployments very convenient, and different pieces of software do not interfere with each other.

Figure 3 The container deployment structure

Ideally, a container image should contain only the application binaries and their dependencies. In practice, however, container images are often quite large. Widely used base system images such as Ubuntu and CentOS contain many features. Although some of these features are convenient when debugging a deployment, the benefit is very small compared with the extra volume.

Figure 4 The actual situation of the container deployment

The container has in effect become an opaque, bloated image.

Eventually, as more and more containers are created, nobody is sure what a container is loaded with, or what actually runs inside it.

Figure 5 Container Deployment Status

It is for this reason that the images we use every day face serious security problems. With more and more CVEs accumulated over the years, many applications have problems, especially in images that are updated infrequently.

The author therefore ran a test: the public images from the first 10 pages of popular images on Docker Hub were pulled and scanned with Clair to gather CVE statistics. The results were unexpected. Of more than 100 images, only 24% were free of vulnerabilities, and 67% contained high-risk vulnerabilities. Many images we use often are among them, such as httpd, nginx and mysql.

Figure 6 Scanning sample

Figure 7 Scan Results Statistics

How to improve the present situation

Verify the security of an image before using it, analyze images, and do not let vulnerabilities and malicious backdoors in an image become a risk to us in the running container.

At present there are many Docker security tools that maintain container security from many angles, such as runtime monitoring and alerting, forensics, pre-production analysis, installation and configuration verification, and trust management. This article focuses on scanning and auditing before an image is used, that is, the pre-production analysis class of tools. Such tools mainly scan images from two angles: CVE vulnerabilities and malicious images.

The following introduces three representative image security tools, covering CVE detection, malicious image generation, and malicious image detection respectively.

Clair

The goal of Clair is to make the security of a containerized infrastructure visible in a more transparent way. Clair is a security scanning tool for container images launched by CoreOS. Its main modules are the detector, fetcher, notifier and webhook. Clair first extracts the features of an image, then matches these features against the CVE vulnerability database, and reports any vulnerability it finds. Its functionality focuses on scanning the OS and application packages in a container for CVE vulnerabilities.

Clair is the scanning engine; after startup its API waits to be invoked. Here the author uses clairctl (a third-party client tool) to send requests to Clair and complete the scan.

The following figure shows the basic clairctl commands. For details of a particular command, add the --help parameter after it.

Figure 8 Clair Example

The illustration above uses Clair to scan the local (-l parameter) CentOS image, which has no vulnerabilities, then generates a report, saves it to /reports/html/analysis-centos-latest.html, and opens it in a browser to see the details.
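As an added example (not part of the original article, nor of Clair or clairctl), here is a small Python script that summarizes the JSON Clair's v1 API returns for a scanned layer, applies an admission gate on severity, and computes the two fleet-wide figures the article reports; the package names and CVE ids in the sample are constructed placeholders.

```python
from collections import Counter

# Clair v1 severity ladder, least to most severe (the values Clair emits).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

def summarize(report):
    """Count findings per severity, how many have a fix, and the worst one.

    `report` is the JSON body of GET /v1/layers/<top-layer>?features&vulnerabilities;
    the top layer carries the findings of all parent layers, so one call covers the image.
    """
    counts, fixable, worst = Counter(), 0, None
    for feature in report["Layer"].get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "Unknown")
            counts[sev] += 1
            fixable += bool(vuln.get("FixedBy"))
            if worst is None or SEVERITY_ORDER.index(sev) > SEVERITY_ORDER.index(worst):
                worst = sev
    return {"by_severity": dict(counts), "fixable": fixable, "worst": worst}

def passes_gate(report, max_allowed="Medium"):
    """Admission check: reject the image if any finding is worse than `max_allowed`."""
    worst = summarize(report)["worst"]
    return worst is None or SEVERITY_ORDER.index(worst) <= SEVERITY_ORDER.index(max_allowed)

def fleet_stats(reports):
    """The two figures the article reports over many images: the share with at
    least one finding, and the share whose worst finding is High or above."""
    worsts = [summarize(r)["worst"] for r in reports]
    high = SEVERITY_ORDER.index("High")
    return {"vulnerable_share": sum(w is not None for w in worsts) / len(reports),
            "high_share": sum(w is not None and SEVERITY_ORDER.index(w) >= high for w in worsts) / len(reports)}

def _report(*findings):
    """Constructed Clair-shaped report; package names and CVE ids are placeholders."""
    return {"Layer": {"Name": "placeholder-layer", "Features": [
        {"Name": pkg, "Version": "1.0", "Vulnerabilities": [{"Name": cve, "Severity": sev, "FixedBy": fix}]}
        for pkg, cve, sev, fix in findings]}}

# Constructed sample: one clean image, one Low-only, one High, one Critical.
SAMPLE_REPORTS = [
    _report(),
    _report(("libx", "CVE-0000-0001", "Low", "")),
    _report(("libssl", "CVE-0000-0002", "High", "1.1"), ("bash", "CVE-0000-0003", "Medium", "")),
    _report(("glibc", "CVE-0000-0004", "Critical", "2.2")),
]
```

Calling `fleet_stats(SAMPLE_REPORTS)` on the sample gives a 0.75 vulnerable share and a 0.5 high-or-worse share, the same kind of numbers the article derives from its Docker Hub scan.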

Dockerscan

Dockerscan is an analysis and attack tool. It can find image registry hosts on the network, insert a trojan into an image, view sensitive information in an image, and so on.

The following figure shows the basic Dockerscan commands and a registry scan of the small network segment 223.****.210/28, which discovered two NetEase container registries.

Figure 9 Dockerscan Scan Sample

The following figure shows the basic information of the mysql_origin image; it can be seen that a reverse shell has been implanted, with the receiving address 10.****.8 and port 2222.

Figure 10 Dockerscan View Image Information

The following figure shows the process by which Dockerscan attacks a victim: a trojan is implanted in the normal nginx image, and when a user runs the image the attacker receives the reverse shell and thereby gains control of the server.

Figure 11 Dockerscan attack chain

The following figure is an example. The white window is the dockerscan container and the black window is the container's host; the host's /tmp directory is mounted at ~/images in the container. First the image is saved to a file (docker save -o filename imagename) in the host's /tmp directory, after which the image file is visible in the container. Dockerscan is then used to modify the image and embed the trojan, with the receiving address set to 10.****.8 (my host) and port 2222, and the result saved as evil.tar (the image file with the embedded trojan). Port 2222 is then put into listening mode locally (nc -v -k -l 2222), the trojaned image is imported on the host (docker load -i evil.tar) and run, and the listening port receives the reverse shell and executes the command test.

Figure 12 Dockerscan Use Example

Anchore

Clair can scan out all the CVE vulnerabilities in an image, but there is now a situation in which attackers use the latest OS image and then install backdoor trojans or execute malicious commands, so that Clair cannot detect the problem.

This is where the analysis tool Anchore comes in. Unlike Clair, Anchore focuses on auditing the image and has a strong ability to parse images. After analysis, you can perform a variety of operations on the image; it has many built-in scripts and is widely used.

The following image is a screenshot of Anchore's commands. First, feeds list and feeds sync are used to synchronize the vulnerability database. Then come the example commands, which are not introduced in detail here; when there is a command you want to understand, add the --help parameter to see its detailed description.

Figure 13 Anchore commands

Here are a few commonly used commands. The query command invokes an existing module to perform the corresponding operation on the image; calling different scripts requires different parameters. Next, a module is called for a demonstration.

Figure 14 Anchore Query function

Here we call the show-file-diffs module to compare the differences between two images. Before that, the two images mysql:evil and origin:origin, which are the malicious image generated with dockerscan in the previous section and the original image, must first be analyzed. Calling the module then shows that the difference is one extra reverse shell file in the /usr/share/lib directory.

Figure 15 Anchore Example
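As an added example, not part of the article or of Anchore, the following Python code performs the same kind of file-level comparison as show-file-diffs directly on two `docker save` archives: it resolves each image's layers in manifest order (honouring overwrites and overlay whiteouts) and reports the files added, removed or changed in the suspect image. The two archives are constructed inline with placeholder contents so the script runs offline.

```python
import hashlib, io, json, tarfile

def _tar(files):
    """In-memory tar from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path); info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def image_files(saved_image):
    """Resolve a `docker save` archive to its final filesystem, {path: sha256}.
    manifest.json lists layer tars base-first; a later layer overwrites earlier
    files, and a `.wh.<name>` entry (overlay whiteout) deletes one."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(saved_image)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))[0]
        for layer in manifest["Layers"]:
            with tarfile.open(fileobj=io.BytesIO(outer.extractfile(layer).read())) as lt:
                for m in lt.getmembers():
                    d, _, base = m.name.rpartition("/")
                    if base.startswith(".wh."):
                        files.pop(f"{d}/{base[4:]}" if d else base[4:], None)
                    elif m.isfile():
                        files[m.name] = hashlib.sha256(lt.extractfile(m).read()).hexdigest()
    return files

def diff_images(original, suspect):
    """Paths added, removed or changed between two saved images."""
    a, b = image_files(original), image_files(suspect)
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p])}

def _image(*layers):
    """Constructed `docker save`-shaped archive: manifest.json plus layer tars."""
    names = [f"layer{i}/layer.tar" for i in range(len(layers))]
    manifest = [{"Config": "config.json", "RepoTags": ["sample:latest"], "Layers": names}]
    members = {"manifest.json": json.dumps(manifest).encode()}
    members.update(zip(names, map(_tar, layers)))
    return _tar(members)

BASE_LAYER = {"usr/bin/app": b"#!/bin/sh\necho app\n", "etc/motd": b"hello\n"}
ORIGINAL = _image(BASE_LAYER)
# Suspect: one extra layer adding a file under /usr/share/lib (placeholder name),
# replacing the app binary and whiting out /etc/motd.
SUSPECT = _image(BASE_LAYER, {"usr/share/lib/extra.sh": b"#!/bin/sh\n# placeholder\n",
                              "usr/bin/app": b"#!/bin/sh\necho tampered\n",
                              "etc/.wh.motd": b""})
```

`diff_images(ORIGINAL, SUSPECT)` reports the added file, the removed motd and the changed binary; run it against an archive of a trusted image and one of the image you are about to deploy.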

The following figure shows the details of the toolbox command, which has some small utilities; we try a few of them. show-familytree, show-taghistory, show-layers and show-dockerfile show the image's relationships with registry images, its version history, its layers, and its build file (Dockerfile) respectively.

Figure 16 Anchore Features sample

Summary

Image security determines container security, and 76% of the images currently on Docker Hub are vulnerable, so before we use an image to run a container we must scan it to improve security.


https://mp.weixin.qq.com/s?__biz=MzIyODYzNTU2OA==&mid=2247484334&idx=1&sn= d700d4aa893ad69b677295d615c68362&chksm= e84fa571df382c672c95f345c5dcf1cb6f4109b86b6dec8e3a442a13e71be4eddfd6dd6f0d3c&mpshare=1&scene=1& srcid=03306rwxhvzpd8xdbu0lptuh&pass_ticket=bdfr9wadmkbuer6t8tcmurpcgxmgwbpo8%2b9tcxzu2o4scqj2% 2bpebjwrblz9ntpmj#rd
