gh0stEdit: Exploiting Layer-Based Access Vulnerability Within Docker Container Images
Alan Mills, Jonathan White, Phil Legg

TL;DR
This paper introduces gh0stEdit, an exploit that allows malicious editing of Docker images without detection, undermining trust and security in containerized deployment environments.
Contribution
We present the first detailed analysis of a layer-based access vulnerability in Docker images and demonstrate how it can be exploited without invalidating signatures.
Findings
gh0stEdit can modify images undetected by static and dynamic scans
The exploit works even on signed Docker images without invalidating signatures
Current Docker security measures are insufficient against this type of attack
Abstract
Containerisation is a popular deployment process for application-level virtualisation using a layer-based approach. Docker is a leading provider of containerisation, and through the Docker Hub, users can supply Docker images for sharing and re-purposing popular software application containers. Using a combination of in-built inspection commands, publicly displayed image layer content, and static image scanning, Docker images are designed to ensure end users can clearly assess the content of an image before running it. In this paper we present gh0stEdit, an exploit that fundamentally undermines the integrity of Docker images and subverts the assumed trust and transparency they rely on. The use of gh0stEdit allows an attacker to maliciously edit Docker images in a way that is not shown within the image history, hierarchy or commands. This attack can also be carried out against signed…
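The trust model the abstract describes rests on content-addressed layers: the image manifest references each layer blob by its digest, and the image config's rootfs.diff_ids reference the digests of the uncompressed layer tars, while the history and commands that inspection tools print come only from the config. The following Python is an added example, not code from the paper or from Docker: it builds a small constructed image in memory in the OCI layout, shows that a history view reads nothing but the config, and recomputes every digest so that a stored layer blob that no longer matches its descriptor is reported. The overwrite_layer_blob helper and the file contents are constructed for the demonstration; it is not a reproduction of gh0stEdit, and the page does not say whether the paper's technique leaves these digests consistent, so passing this check is not evidence that an image is free of the attack.

```python
import gzip
import hashlib
import io
import json
import tarfile


def sha256_digest(data: bytes) -> str:
    """Content address in the form Docker/OCI manifests use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_layer(files: dict) -> tuple:
    """Build one layer from {path: bytes}; return (uncompressed tar, gzip blob).
    The config's diff_id hashes the tar; the manifest digest hashes the blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp keeps the tar reproducible
            tf.addfile(info, io.BytesIO(data))
    tar = buf.getvalue()
    return tar, gzip.compress(tar, mtime=0)


def build_image(layers: list) -> dict:
    """Constructed in-memory image: manifest, config and a blob store keyed by
    digest, mirroring an OCI layout (blobs/sha256/<hex>) without touching disk."""
    blobs, diff_ids, descriptors, history = {}, [], [], []
    for i, files in enumerate(layers):
        tar, blob = make_layer(files)
        digest = sha256_digest(blob)
        blobs[digest] = blob
        diff_ids.append(sha256_digest(tar))
        descriptors.append({"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                            "digest": digest, "size": len(blob)})
        # the command string an inspection tool prints for this layer (constructed)
        history.append({"created_by": "COPY files for layer %d" % i})
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": diff_ids},
                         "history": history}, sort_keys=True).encode()
    cfg_digest = sha256_digest(config)
    blobs[cfg_digest] = config
    manifest = {"schemaVersion": 2,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                           "digest": cfg_digest, "size": len(config)},
                "layers": descriptors}
    return {"manifest": manifest, "blobs": blobs}


def history_view(image: dict) -> list:
    """What a history/commands listing shows: it reads the config, never the layer bytes."""
    config = json.loads(image["blobs"][image["manifest"]["config"]["digest"]])
    return [h["created_by"] for h in config["history"]]


def verify_image(image: dict) -> list:
    """Recompute every digest. Returns a list of findings; empty means the blob
    store agrees with the manifest and with the config's rootfs.diff_ids."""
    findings = []
    manifest, blobs = image["manifest"], image["blobs"]
    cfg_desc = manifest["config"]
    cfg = blobs.get(cfg_desc["digest"])
    if cfg is None or sha256_digest(cfg) != cfg_desc["digest"]:
        return ["config: blob missing or digest mismatch"]
    diff_ids = json.loads(cfg)["rootfs"]["diff_ids"]
    if len(diff_ids) != len(manifest["layers"]):
        findings.append("config: diff_id count differs from manifest layer count")
    for idx, desc in enumerate(manifest["layers"]):
        blob = blobs.get(desc["digest"])
        if blob is None:
            findings.append("layer %d: blob missing" % idx)
            continue
        if len(blob) != desc["size"]:
            findings.append("layer %d: size mismatch" % idx)
        if sha256_digest(blob) != desc["digest"]:
            findings.append("layer %d: blob digest mismatch" % idx)
        if idx < len(diff_ids):
            tar = gzip.decompress(blob) if desc["mediaType"].endswith("+gzip") else blob
            if sha256_digest(tar) != diff_ids[idx]:
                findings.append("layer %d: diff_id mismatch" % idx)
    return findings


def overwrite_layer_blob(image: dict, idx: int, files: dict) -> dict:
    """Replace the stored bytes of layer idx while leaving manifest, config and
    history untouched (the blob keeps its old digest-named key). Constructed
    tampering used only to exercise the checks above; not a reproduction of gh0stEdit."""
    desc = image["manifest"]["layers"][idx]
    _, blob = make_layer(files)
    image["blobs"][desc["digest"]] = blob
    return image


if __name__ == "__main__":
    img = build_image([{"etc/motd": b"hello\n"},
                       {"app/run.sh": b"#!/bin/sh\necho ok\n"}])
    print("clean image:", verify_image(img))
    overwrite_layer_blob(img, 1, {"app/run.sh": b"#!/bin/sh\necho tampered\n"})
    print("history after edit:", history_view(img))
    print("digest check after edit:", verify_image(img))
```

The point of the pairing is that history_view is unchanged by the edit while verify_image reports both the blob digest and the diff_id of the altered layer. To run the same check on a real image, export it with `docker save` and feed its manifest, config and layer files to verify_image in place of the in-memory blob store; that adaptation is not shown here.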
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Web Application Security Vulnerabilities
