Docker Image Insecurity
Recently while downloading an “official” container image with Docker I saw this line:
ubuntu:14.04: The image you are pulling has been verified
I assumed this referenced Docker’s heavily promoted image signing system and didn’t investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.
Docker’s report that a downloaded image is “verified” is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities.
Images are downloaded from an HTTPS server and go through an insecure streaming processing pipeline in the Docker daemon:
[decompress] -> [tarsum] -> [unpack]
This pipeline is performant but completely insecure. Untrusted input should not be processed before verifying its signature. Unfortunately Docker processes images three times before checksum verification is supposed to occur.
However, despite Docker’s claims, image checksums are never actually checked. This is the only section of Docker’s code related to verifying image checksums, and I was unable to trigger the warning even when presenting images with mismatched checksums.
if img.Checksum != "" && img.Checksum != checksum {
    log.Warnf("image layer checksum mismatch: computed %q, expected %q",
        checksum, img.Checksum)
}
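Note that even when this branch is reached, a mismatch only produces a warning in the daemon log and the pull continues. For contrast, here is a minimal sketch of an enforcing check; the helper name and signature are hypothetical and not part of Docker's code:

package main

import "fmt"

// verifyLayerChecksum is a hypothetical enforcing variant of the check above:
// a missing or mismatched checksum is an error that should abort the pull,
// rather than a warning buried in the daemon log.
func verifyLayerChecksum(expected, computed string) error {
    if expected == "" {
        return fmt.Errorf("image layer has no checksum to verify against")
    }
    if expected != computed {
        return fmt.Errorf("image layer checksum mismatch: computed %q, expected %q",
            computed, expected)
    }
    return nil
}

func main() {
    // Example with placeholder values; a real caller would pass the digest
    // from a signed manifest and the digest computed over the downloaded layer.
    fmt.Println(verifyLayerChecksum("deadbeef", "cafebabe"))
}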
Insecure processing pipeline
Decompress
Docker supports three compression algorithms: gzip, bzip2, and xz. The first two use the Go standard library implementations, which are memory-safe, so the exploit types I’d expect to see here are denial of service attacks like crashes and excessive CPU and memory usage.
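Even a memory-safe decoder can be handed a decompression bomb, so the output should be bounded. The sketch below streams gzip data through the standard library with a size cap; the cap is my own addition for illustration, not something the Docker pipeline does:

package main

import (
    "compress/gzip"
    "fmt"
    "io"
    "os"
)

// decompressLimited streams gzip data from r to w, refusing to emit more than
// maxBytes of decompressed output. This is a minimal sketch of the kind of
// guard a memory-safe decoder still needs against decompression bombs; it is
// not how Docker's pipeline works.
func decompressLimited(w io.Writer, r io.Reader, maxBytes int64) error {
    zr, err := gzip.NewReader(r)
    if err != nil {
        return err
    }
    defer zr.Close()

    n, err := io.Copy(w, io.LimitReader(zr, maxBytes))
    if err != nil {
        return err
    }
    if n == maxBytes {
        return fmt.Errorf("decompressed output reached the %d byte limit", maxBytes)
    }
    return nil
}

func main() {
    // Example: decompress stdin to stdout, capped at 1 GiB.
    if err := decompressLimited(os.Stdout, os.Stdin, 1<<30); err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
}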
The third compression algorithm, xz, is more interesting. Since there is no native Go implementation, Docker execs the xz binary to do the decompression.

The xz binary comes from the XZ Utils project, and is built from approximately[1] twenty thousand lines of C code. C is not a memory-safe language. This means malicious input to a C program, in this case the Docker image XZ Utils is unpacking, could potentially execute arbitrary code.
Docker exacerbates this situation by running xz as root. This means that if there is a single vulnerability in xz, a call to docker pull could result in the complete compromise of your entire system.
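The shell-out looks roughly like the following sketch (the flags and plumbing are my assumption of a typical invocation, not a copy of Docker's code); the important point is that the child process inherits the daemon's root privileges:

package main

import (
    "io"
    "os"
    "os/exec"
)

// xzDecompress pipes compressed data through the external xz binary.
// Because the Docker daemon runs as root, a child process started like this
// inherits root privileges, so any memory-safety bug in xz that attacker-
// controlled input can trigger becomes a root compromise. This is an
// illustrative sketch, not Docker's exact invocation.
func xzDecompress(w io.Writer, r io.Reader) error {
    cmd := exec.Command("xz", "--decompress", "--stdout")
    cmd.Stdin = r
    cmd.Stdout = w
    cmd.Stderr = os.Stderr
    return cmd.Run()
}

func main() {
    if err := xzDecompress(os.Stdout, os.Stdin); err != nil {
        os.Exit(1)
    }
}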
Tarsum
The use of tarsum is well-meaning but completely flawed. In order to get a deterministic checksum of the contents of an arbitrarily encoded tar file, Docker decodes the tar and then hashes specific portions, while excluding others, in a deterministic order.
Since this processing is done in order to generate the checksum, it is decoding untrusted data that could be designed to exploit the tarsum code[2]. Potential exploits here are denial of service as well as logic flaws that could cause files to be injected, skipped, processed differently, modified, appended to, etc. without the checksum changing.
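To make the attack surface concrete, here is a simplified, tarsum-like digest: it has to walk the untrusted tar stream entry by entry, hashing some header fields and the file contents while skipping others, before any checksum exists at all. This is an illustrative sketch, not the real tarsum algorithm:

package main

import (
    "archive/tar"
    "crypto/sha256"
    "fmt"
    "io"
    "os"
)

// tarsumLike computes a deterministic digest over selected parts of a tar
// stream, in the spirit of Docker's tarsum. The untrusted archive has to be
// decoded entry by entry before the digest is known, which is exactly the
// problem described above. Simplified sketch only.
func tarsumLike(r io.Reader) (string, error) {
    h := sha256.New()
    tr := tar.NewReader(r)
    for {
        hdr, err := tr.Next()
        if err == io.EOF {
            break
        }
        if err != nil {
            return "", err
        }
        // Hash a subset of header fields (name, mode, size), deliberately
        // excluding others such as timestamps.
        fmt.Fprintf(h, "%s%d%d", hdr.Name, hdr.Mode, hdr.Size)
        // Hash the file contents.
        if _, err := io.Copy(h, tr); err != nil {
            return "", err
        }
    }
    return fmt.Sprintf("%x", h.Sum(nil)), nil
}

func main() {
    sum, err := tarsumLike(os.Stdin)
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    fmt.Println(sum)
}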
Unpacking
Unpacking consists of decoding the tar and placing files on the disk. This is extraordinarily dangerous as there have been three other vulnerabilities reported[3] in the unpack stage at the time of writing.
There is no situation where data that has not been verified should be unpacked onto disk.
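To illustrate why this stage is so dangerous, the sketch below shows the kind of path check an unpacker must get right for every single entry; mishandling it, or the symlink and hard link cases, lets a malicious archive write outside the target directory. This is a generic example, not Docker's extraction code:

package main

import (
    "fmt"
    "path/filepath"
    "strings"
)

// safeJoin resolves an entry name from an untrusted tar archive against the
// unpack destination and rejects anything that would escape it, e.g.
// "../../etc/passwd". Real extractors also have to handle symlinks and hard
// links pointing outside the destination, which is where several of the
// reported Docker vulnerabilities lived. Illustrative sketch only.
func safeJoin(dest, name string) (string, error) {
    target := filepath.Join(dest, name)
    if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
        return "", fmt.Errorf("tar entry %q escapes destination %q", name, dest)
    }
    return target, nil
}

func main() {
    for _, name := range []string{"etc/hosts", "../../etc/passwd"} {
        p, err := safeJoin("/var/lib/unpacked-image", name)
        if err != nil {
            fmt.Println("rejected:", err)
            continue
        }
        fmt.Println("would write:", p)
    }
}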
libtrust
libtrust is a Docker package that claims to provide “authorization and access control through a distributed trust graph.” Unfortunately, no specification appears to exist; however, it looks like it implements some parts of the JavaScript Object Signing and Encryption specifications along with other unspecified algorithms.
Downloading an image with a manifest signed and verified using libtrust is what triggers this inaccurate message (only the manifest is checked, not the actual image contents):
ubuntu:14.04: The image you are pulling has been verified
Currently only “official” image manifests published by Docker, Inc are signed using this system, but from discussions I participated in at the last Docker Governance Advisory Board meeting[4], my understanding is that Docker, Inc is planning on deploying this more widely in the future. The intended goal is centralization with Docker, Inc controlling a Certificate Authority that then signs images and/or client certificates.
I looked for the signing key in Docker’s code but was unable to find it. As it turns out, the key is not embedded in the binary as one would expect. Instead, the Docker daemon fetches it over HTTPS from a CDN before each image download. This is a terrible approach, as a variety of attacks could lead to trusted keys being replaced with malicious ones. These attacks include but are not limited to: compromise of the CDN vendor, compromise of the CDN origin serving the key, and man-in-the-middle attacks on clients downloading the keys.
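A safer pattern would be to pin the expected key, or its fingerprint, in the client and refuse anything else regardless of what the CDN serves. A minimal sketch of fingerprint pinning follows; the pinned value and file name are placeholders, and this is not how Docker or libtrust currently behave:

package main

import (
    "crypto/sha256"
    "crypto/subtle"
    "encoding/hex"
    "fmt"
    "os"
)

// pinnedKeyFingerprint is the SHA-256 of the trusted signing key, compiled
// into the client. The value below is a placeholder, not a real key.
const pinnedKeyFingerprint = "0000000000000000000000000000000000000000000000000000000000000000"

// checkKey rejects any fetched key whose fingerprint does not match the
// pinned value, so a compromised CDN or a man-in-the-middle cannot swap in a
// different key. Illustrative sketch, not Docker's behavior.
func checkKey(fetchedKey []byte) error {
    sum := sha256.Sum256(fetchedKey)
    got := hex.EncodeToString(sum[:])
    if subtle.ConstantTimeCompare([]byte(got), []byte(pinnedKeyFingerprint)) != 1 {
        return fmt.Errorf("fetched key fingerprint %s does not match pinned fingerprint", got)
    }
    return nil
}

func main() {
    key, err := os.ReadFile("fetched-key.pem") // hypothetical path for the downloaded key
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    if err := checkKey(key); err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    fmt.Println("key matches pin")
}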
Remediation
I reported some of the issues I found with the tarsum system before I finished this research, but so far nothing I have reported has been fixed.
Some steps I believe should be taken to improve the security of the Docker image download system:
Drop tarsum and actually verify image digests
Tarsum should not be used for security. Instead, images must be fully downloaded and their cryptographic signatures verified before any processing takes place.
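In practice that means downloading a layer to disk, computing its digest, comparing it against the signed manifest, and only then handing it to decompression and unpacking. A minimal sketch of that ordering (the digest format and file handling are assumptions for illustration):

package main

import (
    "crypto/sha256"
    "encoding/hex"
    "fmt"
    "io"
    "os"
)

// verifyThenOpen hashes a fully downloaded layer on disk and compares it to
// the digest taken from a signed manifest. Only if they match is the file
// handed back for further processing (decompress, unpack). Illustrative
// sketch of the ordering, not Docker's implementation.
func verifyThenOpen(path, expectedHexDigest string) (*os.File, error) {
    f, err := os.Open(path)
    if err != nil {
        return nil, err
    }
    h := sha256.New()
    if _, err := io.Copy(h, f); err != nil {
        f.Close()
        return nil, err
    }
    got := hex.EncodeToString(h.Sum(nil))
    if got != expectedHexDigest {
        f.Close()
        return nil, fmt.Errorf("layer digest mismatch: computed %s, expected %s", got, expectedHexDigest)
    }
    // Rewind so the caller can start processing the now-verified data.
    if _, err := f.Seek(0, io.SeekStart); err != nil {
        f.Close()
        return nil, err
    }
    return f, nil
}

func main() {
    if len(os.Args) != 3 {
        fmt.Fprintln(os.Stderr, "usage: verify <layer file> <expected sha256 hex digest>")
        os.Exit(2)
    }
    f, err := verifyThenOpen(os.Args[1], os.Args[2])
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    defer f.Close()
    fmt.Println("layer verified; safe to decompress and unpack")
}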
Add privilege isolation
Image processing steps that involve decompression or unpacking should be run in isolated processes (containers?) that have only the bare minimum required privileges to operate. There is no scenario where a decompression tool like xz should be run as root.
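As a first step short of full containers, the xz shell-out sketched earlier could at least drop to an unprivileged uid/gid before it ever sees attacker-controlled data. A Linux-only sketch; the 65534 ("nobody") ids and the absence of namespaces, seccomp, and resource limits are simplifications:

package main

import (
    "io"
    "os"
    "os/exec"
    "syscall"
)

// xzDecompressUnprivileged runs xz in a child process with an unprivileged
// uid/gid, so a compromise of xz does not immediately yield root. The uid/gid
// values are placeholders ("nobody" on many systems); a real design would add
// namespaces, seccomp filtering, and resource limits. Linux-only sketch.
func xzDecompressUnprivileged(w io.Writer, r io.Reader) error {
    cmd := exec.Command("xz", "--decompress", "--stdout")
    cmd.Stdin = r
    cmd.Stdout = w
    cmd.Stderr = os.Stderr
    cmd.SysProcAttr = &syscall.SysProcAttr{
        Credential: &syscall.Credential{Uid: 65534, Gid: 65534},
    }
    return cmd.Run()
}

func main() {
    if err := xzDecompressUnprivileged(os.Stdout, os.Stdin); err != nil {
        os.Exit(1)
    }
}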
Replace libtrust
Libtrust should be replaced with The Update Framework which is explicitly designed to solve the real problems around signing software binaries. The threat model is very comprehensive and addresses many things that have not been considered in libtrust. There is a complete specification as well as a reference implementation written in Python, and I have begun work on a Go implementation and welcome contributions.
As part of adding TUF to Docker, a local keystore should be added that maps root keys to registry URLs so that users can have their own signing keys that are not managed by Docker, Inc.
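To make the idea concrete, such a keystore could be as simple as a mapping from registry URL to the root key fingerprints the user trusts for it. Both the type and the on-disk format below are hypothetical illustrations of the proposal, not an existing Docker or TUF feature:

package main

import (
    "encoding/json"
    "fmt"
    "os"
)

// RootKeyStore maps a registry URL to the root key fingerprints the user has
// chosen to trust for that registry. The type and the JSON file format are
// hypothetical illustrations of the proposal.
type RootKeyStore map[string][]string

// trustedKeysFor returns the root key fingerprints pinned for a registry, or
// an error if the user has not configured any.
func (s RootKeyStore) trustedKeysFor(registry string) ([]string, error) {
    keys, ok := s[registry]
    if !ok || len(keys) == 0 {
        return nil, fmt.Errorf("no root keys pinned for registry %s", registry)
    }
    return keys, nil
}

func main() {
    // Hypothetical config location and registry URL, for illustration only.
    data, err := os.ReadFile(os.ExpandEnv("$HOME/.docker/rootkeys.json"))
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    var store RootKeyStore
    if err := json.Unmarshal(data, &store); err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    keys, err := store.trustedKeysFor("https://registry.example.com")
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    fmt.Println("trusted root keys:", keys)
}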
I would like to note that using non-Docker, Inc hosted registries is a very poor user experience in general. Docker, Inc seems content with relegating third-party registries to second-class status when there is no technical reason to do so. This is a problem both for the ecosystem in general and for the security of end users. A comprehensive, decentralized security model for third-party registries is both necessary and desirable. I encourage Docker, Inc to take this into consideration when redesigning their security model and image verification system.
Conclusion
Docker users should be aware that the code responsible for downloading images is shockingly insecure. Users should only download images whose provenance is without question. At present, this does not include “trusted” images hosted by Docker, Inc including the official Ubuntu and other base images.
The best option is to block index.docker.io locally, and download and verify images manually before importing them into Docker using docker load. Red Hat’s security blog has a good post about this.
Thanks to Lewis Marshall for pointing out the tarsums are never verified.
1. cloc says 18,141 non-blank, non-comment lines of C and 5,900 lines of headers in v5.2.0.
2. Very similar bugs have been found in Android, which allowed arbitrary files to be injected into signed packages, and in the Windows Authenticode signature system, which allowed binary modification.
3. Specifically: CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. There were two Docker security releases in response.
4. See page 8 of the notes from the 2014-10-28 DGAB meeting.