Reflections on Trusting Docker: Invisible Malware in Continuous Integration Systems
Creators
- 1. EURECOM
Description
Revisiting the famous compiler backdoor from Ken Thompson, we show that a container-based Continuous Integration system can be compromised without leaving any trace in the source code. Detecting such malware is challenging or even impossible with common practices such as peer review or static code analysis. We detail multiple ways to do the initial infection process such as malicious commit or dependencies confusion. Finally, we show that the malicious code is able to backdoor production images and to reinject itself on CI system updates to allow long-term compromise.
To support reproducible research, we provide a full-featured Dockerized Continuous Integration system based on GitLab, GitLab runner, Docker-in-Docker, and Docker registry. We aim to demonstrate that after initial infection of the Docker image used by CI build containers, a malicious code is able to alter production Docker images (e.g., add authentication bypass mechanism). Furthermore, the malicious code is able to re-inject itself when the CI image is built in order to persist on updates and thus allow long-term compromise. Finally, the likelihood of being detected is reduced by hiding logs generated from malicious actions. Therefore, we show that a continuous integration system can be malicious even when the source code is free of malicious code.
Files
Files
(196.4 MB)
Name | Size | Download all |
---|---|---|
md5:6e63a392260652cfb2767c88fdabdc40
|
196.4 MB | Download |