Real World Security: Software Supply Chain

Transcript

1. David Lawrence Docker Daniel Shapira Twistlock Real World Security: Software

   Supply Chain

2. Agenda •What is: § a supply chain? § the threat

   model? § the real world problem? •Best Practices

3. What is a “Software Supply Chain”?

4. https://cooking.stackexchange.com

5. None
6. None
7. None
8. None

9. The Complete Supply Chain

10. Why do we care about Software Supply Chain Security?

11. Attacks on the Software Supply Chain 2011 2015 2016 2017

    WinNTi League of Legends infected with PlugX ShadowPad PetyaWrap Juniper Networks finds unauthorized code in their products Operation WilySupply Kingslayer Handbrake contains Proton RAT Transmission infected again with OSX/Keydnap Transmission infected with KeRanger CCleaner contains trojan 2009 ExpressLane

12. Software Supply Chain Threat Model

13. Entrypoints - Upstream code - Stackoverflow - ??? - Build-time

    dependencies - Base Images - API - API - Docker

14. Assets - Proprietary code/data - Service secrets - Images -

    User data - Secrets - Compute

15. Data Flow

16. Which component is the #1 concern today?

17. Attacks on the Software Supply Chain 2011 2015 2016 2017

    WinNTi League of Legends infected with PlugX ShadowPad PetyaWrap Juniper Networks finds unauthorized code in their products Operation WilySupply Kingslayer Handbrake contains Proton RAT Transmission infected again with OSX/Keydnap Transmission infected with KeRanger CCleaner contains trojan 2009 ExpressLane
18. None

19. Targets WinNTi League of Legends infected with PlugX ShadowPad PetyaWrap

    Juniper Networks finds unauthorized code in their products Operation WilySupply Kingslayer Handbrake contains Proton RAT Transmission infected again with OSX/Keydnap Transmission infected with KeRanger CCleaner contains trojan Developers Distribution Center

20. Data Flow

21. Real World Research Findings

22. Memories from the past - 18,000 instances hacked - 7

    years to patch MongoDB

23. Memories from the past - 3 years to patch -

    28,000 instances hacked AFTER patch released!!! Redis MongoDB

24. Memories from the past - 390,000 routers hacked - Time

    to patch: Mirai Botnet Redis MongoDB

25. Weak Defaults!

26. Research Motivation •Most people didn’t change default settings •Popularity and

    adoption rate is huge § Easily execute apps (e.g. docker run registry)

27. Research Motivation •Trojanizing docker images – Daniel Garcia & Roberto

    Munoz @RootedCon How can it be utilized? What else can be gained?

28. The Possibilities •Downloading all of your hosted docker images •Uploading

    malicious images •Modifying existing images •Uploading arbitrary files

29. OSS Registry Defaults? •No auth.

30. Research Methodology •Identify how docker services are responding Docker-Distribution-Api-Version:

31. Research Methodology •Identify how docker services are responding •Use Shodan.io

    •Utilize registry API to confirm auth status: •Profit Docker-Distribution-Api-Version: HTTP GET request to /v2/: if HTTP status == 200: print “R/W access”

32. Research Methodology •Identify how docker services are responding •Use Shodan.io

    •Utilize registry API to confirm auth status: •Profit More profit: scan with zmap for common registry ports, repeat the API procedures on the results Docker-Distribution-Api-Version: HTTP GET request to /v2/: if HTTP status == 200: print “R/W access”

33. Research Findings •Over 1000 exposed registries found § R/W access

    to 60% of the found registries § Read access to a further 30% § Only 10% securely configured § 45% of those found owned by big companies we didn’t even scan the whole internet!

34. HazAuth – a tool to aid HazAuth is a tool

    that was developed in order to find authentication problems in a containerized environments (and more) •Modular Pluggable design •Written in Python •Can be deployed as a container •Will come with 3 plugins: mongoDB, Redis, and Docker Registry
35. None

36. Changing the defaults •Official Registry Image: § HTTP Basic Auth

    by default •OSS Registry Code: § Auto-generate htpasswd file with strong random password

37. Further Best Practices

38. TLS

39. Docker Content Trust $> docker trust –help Usage: docker trust

    COMMAND Manage trust on Docker images (experimental) Options: --help Print usage Commands: revoke Remove trust for an image sign Sign an image view Display detailed information about keys and signatures Run 'docker trust COMMAND --help' for more information on a command.

40. Docker Security Scanning

41. Thank you! Questions?

42. New Docker Registry defaults https://github.com/docker/distribution/pull/2362 Automatically generate a password, create

    an htpasswd file, and echo to stdout

43. Demo: New Docker Registry defaults Default experience: docker run -d

    registry

44. Traditional Package Signing TUF Arbitrary Installation Endless Data Extraneous Dependencies

    Fast Forward Indefinite Freeze Malicious Mirror Mix-and-Match Rollback Slow Retrieval Key Compromise Wrong Installation