Docker makes running containers a breeze. But how do you know if a container pulled from Docker Hub contains backdoors or malware? Docker’s Verified Publisher initiative addresses that concern.
Popularity makes you a target
Cyber criminals like nothing more than easy routes to victims̵
Docker is a world leader in containerization. For many people, it is the first name that comes to mind when containers are mentioned. Containers allow developers to package an application and its dependencies into a self-contained package called an image. This makes distributing the package easier because everything needed to run the application is in the image. There are never unmet dependencies, no matter what machine the container is running on.
Containers can be thought of as minimalist virtual machines. If they deliver an application, they don’t need an operating system in the container. They just need the application dependencies. This reduces the size of the images and gives performance improvements when the container is run. The contents of the container run on the host computer’s operating system, isolated from other processes.
Because there are fewer things in a container that require resources and computing power compared to a virtual machine, they can run on more modest hardware. That means you can run more of them on a single piece of hardware, with good performance, than on traditional virtual machines. Even containers built to provide various Linux distributions are just snapshots of the distribution’s file system. They run using the host computer’s kernel.
Much of the technology and applications in containers are open source. This means that they can be freely distributed and used by anyone. With Docker containers, you can take the maxim that servers should be treated like livestock, not pets. The benefits of containers have not only led to the widespread adoption of continuous integration and continuous deployment (CI/CD), they have made it possible.
Mirantis bought Docker in November 2019. At the time, Docker Enterprise was used by 30% of the Fortune 100 and 20% of the Global 500. Today, the Docker Hub serves a staggering 13 billion image pulls (container downloads) per month from nearly 8 million repositories.
Those numbers are far too impressive for cybercriminals to ignore. What could be easier than creating compromised and malicious images, uploading them to Docker Hub and waiting for unsuspecting users to download and use them?
RELATED: What Does Docker Do and When Should You Use It?
The problem with insecure images
There is an inherent problem with retrieving images from a repository and using them. You don’t know if they were created with security in mind, or if the software components in the container are current versions and still within their supported lifecycle. Have they applied all available bug fixes and security patches to them? Or worse, do they contain malicious code intentionally placed by threat actors?
Docker faces a similar problem to Apple and Google. Apple and Google should try to monitor the App Store and Google Play for malicious apps. Docker does things a little differently. Docker removes container images that prove to be malicious. It also provides an authentication scheme for container publishers.
In the past, Docker deleted a collection of images uploaded by the Docker account docker123321. There were about 17 containers from this one account that contained malicious code. The images were presented as harmless containers that supported apps such as Apache Tomcat and MySQL, but in addition, the containers contained code that provided reverse SSH shells to the attackers, allowing them to access the containers at their convenience.
Python reverse shells and Bash reverse shells were found, and one container even contained the threat actor’s SSH key. This gave them remote access without the need for a password. Other containers were found to host crypto mining software. This meant that the containers were cryptjacked beforehand. The unsuspecting user would pay for the electricity and lose processing power to fund cybercriminal Monero’s crypto mining.
These attacks are a combination of Trojans and supply chain attacks.
RELATED: How the Linux Foundation’s Software Signature Fights Supply Chain Attacks
The Verified Publisher Program
Docker already offers a collection of container images known as the official images. These images are a curated set of containers reviewed by a dedicated Docker team.
The team works with the upstream administrators and suppliers of the software in the containers. The official images are examples of best practices for Docker containers, including clear documentation and applying security patches. Docker Official Images have recently become available to a wider audience through more repositories.
The Verified Publisher Initiative provides access to Docker content that differentiates itself by coming from well-known, verified, and trusted providers. There are more than 200 software vendors that have signed up and ratified the scheme, and the number is growing rapidly. Images from verified publishers can be used with great confidence in mission-critical applications and infrastructure.
The Verified Publisher and Official Images programs are complementary schemes. Many of the container images provided by verified publishers are also official images. With a few checkboxes on the Docker Hub Explore page, you can specify that search results are limited to official images, images provided by verified publishers, or both.
A welcome initiative
The attacks by SolarWinds and CodeCov have shown how effective supply chain attacks can be. Attacking a central point that then endangers the downstream consumers of products and services is an efficient method of distribution. Compromised containers are a perfect way to spread these types of attacks. It responds to the belief that certain information sources and software are inherently safe and can be trusted. And in general that is the case. But as we’ve seen, it’s a big assumption.
It is vital that organizations are clear about the origin and integrity of containers they retrieve from repositories. Official images and verified publishers can be seen as a form of certification that makes it easier to know what to trust right out of the box.
If you are creating Docker images that are publicly available, and you believe it will be beneficial for you to become a Verified Publisher, you can start the application process to participate in the scheme on the Verified Publisher webpage.
RELATED: Codecov hacked! What to do now when using Codecov