is a cofounder of Flynn and an architect of the Tent Protocol.

Docker Image Insecurity

December 23, 2014

Recently while downloading an “official” container image with Docker I saw this line:

ubuntu:14.04: The image you are pulling has been verified

I assumed this referenced Docker’s heavily promoted image signing system and didn’t investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.

Docker’s report that a downloaded image is “verified” is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities.

Images are downloaded from an HTTPS server and go through an insecure streaming processing pipeline in the Docker daemon:

[decompress] -> [tarsum] -> [unpack]

This pipeline is performant but completely insecure. Untrusted input should not be processed before verifying its signature. Unfortunately Docker processes images three times before checksum verification is supposed to occur.

However, despite Docker’s claims, image checksums are never actually checked. This is the only section0 of Docker’s code related to verifying image checksums, and I was unable to trigger the warning even when presenting images with mismatched checksums.

if img.Checksum != "" && img.Checksum != checksum {
  log.Warnf("image layer checksum mismatch: computed %q,
             expected %q", checksum, img.Checksum)

Insecure processing pipeline


Docker supports three compression algorithms: gzip, bzip2, and xz. The first two use the Go standard library implementations, which are memory-safe, so the exploit types I’d expect to see here are denial of service attacks like crashes and excessive CPU and memory usage.

The third compression algorithm, xz, is more interesting. Since there is no native Go implementation, Docker execs the xz binary to do the decompression.

The xz binary comes from the XZ Utils project, and is built from approximately1 twenty thousand lines of C code. C is not a memory-safe language. This means malicious input to a C program, in this case the Docker image XZ Utils is unpacking, could potentially execute arbitrary code.

Docker exacerbates this situation by running xz as root. This means that if there is a single vulnerability in xz, a call to docker pull could result in the complete compromise of your entire system.


The use of tarsum is well-meaning but completely flawed. In order to get a deterministic checksum of the contents of an arbitrarily encoded tar file, Docker decodes the tar and then hashes specific portions, while excluding others, in a deterministic order.

Since this processing is done in order to generate the checksum, it is decoding untrusted data which could be designed to exploit the tarsum code2. Potential exploits here are denial of service as well as logic flaws that could cause files to be injected, skipped, processed differently, modified, appended to, etc. without the checksum changing.


Unpacking consists of decoding the tar and placing files on the disk. This is extraordinarily dangerous as there have been three other vulnerabilities reported3 in the unpack stage at the time of writing.

There is no situation where data that has not been verified should be unpacked onto disk.


libtrust is a Docker package that claims to provide “authorization and access control through a distributed trust graph.” Unfortunately no specification appears to exist, however it looks like it implements some parts of the Javascript Object Signing and Encryption specifications along with other unspecified algorithms.

Downloading an image with a manifest signed and verified using libtrust is what triggers this inaccurate message (only the manifest is checked, not the actual image contents):

ubuntu:14.04: The image you are pulling has been verified

Currently only “official” image manifests published by Docker, Inc are signed using this system, but from discussions I participated in at the last Docker Governance Advisory Board meeting4, my understanding is that Docker, Inc is planning on deploying this more widely in the future. The intended goal is centralization with Docker, Inc controlling a Certificate Authority that then signs images and/or client certificates.

I looked for the signing key in Docker’s code but was unable to find it. As it turns out the key is not embedded in the binary as one would expect. Instead the Docker daemon fetches it over HTTPS from a CDN before each image download. This is a terrible approach as a variety of attacks could lead to trusted keys being replaced with malicious ones. These attacks include but are not limited to: compromise of the CDN vendor, compromise of the CDN origin serving the key, and man in the middle attacks on clients downloading the keys.


I reported some of the issues I found with the tarsum system before I finished this research, but so far nothing I have reported has been fixed.

Some steps I believe should be taken to improve the security of the Docker image download system:

Drop tarsum and actually verify image digests

Tarsum should not be used for security. Instead, images must be fully downloaded and their cryptographic signatures verified before any processing takes place.

Add privilege isolation

Image processing steps that involve decompression or unpacking should be run in isolated processes (containers?) that have only the bare minimum required privileges to operate. There is no scenario where a decompression tool like xz should be run as root.

Replace libtrust

Libtrust should be replaced with The Update Framework which is explicitly designed to solve the real problems around signing software binaries. The threat model is very comprehensive and addresses many things that have not been considered in libtrust. There is a complete specification as well as a reference implementation written in Python, and I have begun work on a Go implementation and welcome contributions.

As part of adding TUF to Docker, a local keystore should be added that maps root keys to registry URLs so that users can have their own signing keys that are not managed by Docker, Inc.

I would like to note that using non-Docker, Inc hosted registries is a very poor user experience in general. Docker, Inc seems content with relegating third party registries to second class status when there is no technical reason to do so. This is a problem both for the ecosystem in general and the security of end users. A comprehensive, decentralized security model for third party registries is both necessary and desirable. I encourage Docker, Inc to take this into consideration when redesigning their security model and image verification system.


Docker users should be aware that the code responsible for downloading images is shockingly insecure. Users should only download images whose provenance is without question. At present, this does not include “trusted” images hosted by Docker, Inc including the official Ubuntu and other base images.

The best option is to block locally, and download and verify images manually before importing them into Docker using docker load. Red Hat’s security blog has a good post about this.

Thanks to Lewis Marshall for pointing out the tarsums are never verified.

  1. Checksum code context.

  2. cloc says 18,141 non-blank, non-comment lines of C and 5,900 lines of headers in v5.2.0.

  3. Very similar bugs been found in Android, which allowed arbitrary files to be injected into signed packages, and the Windows Authenticode signature system, which allowed binary modification.

  4. Specifically: CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. There were two Docker security releases in response.

  5. See page 8 of the notes from the 2014-10-28 DGAB meeting.