Downloads provided by UsageCountsReflections on Trusting Docker: Invisible Malware in Continuous Integration Systems
ANR| Defmal
Moriconi, Florent; Neergaard, Axel; Georget, Lucas; Aubertin, Samuel; Francillon, Aurélien;
Reflections on Trusting Docker: Invisible Malware in Continuous Integration Systems
Revisiting the famous compiler backdoor from Ken Thompson, we show that a container-based Continuous Integration system can be compromised without leaving any trace in the source code. Detecting such malware is challenging or even impossible with common practices such as peer review or static code analysis. We detail multiple ways to do the initial infection process such as malicious commit or dependencies confusion. Finally, we show that the malicious code is able to backdoor production images and to reinject itself on CI system updates to allow long-term compromise. To support reproducible research, we provide a full-featured Dockerized Continuous Integration system based on GitLab, GitLab runner, Docker-in-Docker, and Docker registry. We aim to demonstrate that after initial infection of the Docker image used by CI build containers, a malicious code is able to alter production Docker images (e.g., add authentication bypass mechanism). Furthermore, the malicious code is able to re-inject itself when the CI image is built in order to persist on updates and thus allow long-term compromise. Finally, the likelihood of being detected is reduced by hiding logs generated from malicious actions. Therefore, we show that a continuous integration system can be malicious even when the source code is free of malicious code.
France
continuous-integration, trusting-trust, ci-attacks, malware, gitlab, docker, [INFO] Computer Science [cs], [INFO.INFO-CR] Computer Science [cs]/Cryptography and Security [cs.CR]
continuous-integration, trusting-trust, ci-attacks, malware, gitlab, docker, [INFO] Computer Science [cs], [INFO.INFO-CR] Computer Science [cs]/Cryptography and Security [cs.CR]
selected citations These citations are derived from selected sources.This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).1 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Average influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Average impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average views 30 downloads 4 - 30views4downloads
selected citations
Citations provided by BIP!
These citations are derived from selected sources.
This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).
Citations provided by BIP!popularityPopularity provided by BIP!
This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.
Popularity provided by BIP!influenceInfluence provided by BIP!
This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).
Influence provided by BIP!impulseImpulse provided by BIP!
This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.
Impulse provided by BIP!viewsViews provided by UsageCounts
Views provided by UsageCountsdownloadsDownloads provided by UsageCounts
Downloads provided by UsageCounts 1
Average
Average
Average
30
4
Green
Fields of Science (3) View all
Funded by