Security Analysis of Docker Containers

Docker Security Challenges and Best practices.

Mayank Patel
Apr 8 · 6 min read

Docker is widely adopted: more than 25% of companies have already adopted it, and the Docker market is projected to grow to 993 million USD by 2024. Still, Docker faces many known security threats. This article describes some well-known, common, and avoidable security threats and their possible solutions.

Before moving forward, you should be familiar with containerization technology, Docker containers, the Docker framework, and the existing security mechanisms in Docker.

These prerequisites are covered in the above article 😄; I highly recommend reading it first for a proper understanding.

Even though Docker containers provide great efficiency and higher scalability than other virtualization technologies, Docker is still an immature technology that is working out how to cope with its flaws.

1. Vulnerable Docker Images

Docker has three modules that work independently of each other but in collaboration; exposures in these modules directly affect the security of the Docker containers or even the host. The major source of these exposures is the images uploaded to Docker Hub repositories. Most Docker images come with pre-installed applications, and these applications may not be configured properly, leaving loose ends in the system that can be leveraged to attack the Docker container or the host itself, leading to a major data leak or even a hijacking of the host.

2. Malicious Docker Images

A Docker image developer may deliberately upload a malicious image to Docker Hub containing a cryptocurrency miner or malware such as a Trojan, backdoor, web shell, or ransomware. Running such a container automatically triggers these programs, and you won’t even notice their presence. A cryptocurrency miner might keep working in the background of your container, eating up system resources such as CPU cycles and bandwidth, and the attacker ends up making a lot of money thanks to YOU 😢.

3. Container Escape Attack

Docker containers share the host kernel to reduce the performance cost of virtualization. By leveraging exposures present in the image, processes running in a container can escape to the host system and achieve privilege escalation. This is known as an ‘escape attack’, and running the container with root privileges encourages this kind of attack. Once a process escapes to the host with root access it can control the complete filesystem, taking down the host or leaking all valuable information.

4. Sensitive Information Leakage

Sensitive information leakage is a very severe problem for Docker containers: if authentication API or database passwords are somehow leaked from the container, the complete system is affected. There are cases where unnecessary credentials are left in images; these credentials are not needed for the container to work but were used for building the image.

5. Network Mode Security

Docker has four network modes: none, host, container, and bridge.

None: In none mode, a Docker container has its own independent network namespace, but no network settings are configured in it.

Host: In host mode, containers and the host share the network namespace, using the same IP address and ports. Containers are privileged to modify the host’s network stack, so NAT is not needed for communication. But we may unknowingly end up allowing an untrusted container to maliciously modify the host’s network stack.

Container mode: In container mode, a container can be assigned to the network namespace of another container. Since the namespace is shared, the risk of an untrusted container modifying the network stack still exists.

Bridge mode: In bridge mode, Docker containers use the host’s ports to communicate; this is the commonly used setting. A virtual network is set up on the host to forward packets between the different network interfaces. In the default setting, the virtual bridge does not check or filter the forwarded packets, so ARP spoofing or MAC flooding attacks can easily succeed.

If the deployed image is malicious, it may open a port for the attacker to attack the container, eat up bandwidth, or leak sensitive information. It is important to restrict communication between our containers and untrusted or known-malicious domains and IP addresses.

Solutions and Good Practices 😺 !!

Being an immature technology, Docker has some problems that need to be overcome to enjoy its full potential. To deal with them, there are best practices to follow and some external apps and services that improve the security of containers.

  • Always try to use the OFFICIAL DOCKER IMAGES; official images are verified images published by the maintainer or developer of the technology itself.
  • Docker also has a “Trusted Content” feature which lets you download signed images only. This won’t guarantee 100% security, but it is good to have this additional layer of security.
  • Never run containers with root privileges; always assign the container the minimum privileges required for its function. You can create a non-root user with minimal privileges to perform the assigned task when running the container. This reduces the chances of container escape attacks [3].
  • Avoid leaking sensitive information [4] into the Docker image itself. SSH keys are sometimes needed to pull code or to run an intermediate step in creating the image, but these credentials are not necessary in the final image. It may happen, though, that they are still lurking somewhere in the image and can be exploited. Instead of adding them directly in the Dockerfile, use multi-stage builds: by leveraging Docker’s support for multi-stage builds, these credentials can be kept in an intermediate image layer and later disposed of, leaving no trace. Also declare all sensitive files in .dockerignore so they are ignored.
  • Secrets must be managed properly in Docker containers to avoid sensitive data leaks.

Refer to this official document for best practices of handling secrets.
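As an added example (not code from the original article), the following script turns the two practices above into a check a build pipeline can run: a `dockerfile_audit` function that inspects only the final stage of a Dockerfile for credentials in ENV/ARG, key material copied into a layer, and a missing non-root USER, plus two constructed Dockerfiles, a single-stage one that leaks an SSH key and a multi-stage one that keeps the key out of the shipped image. The image tags, paths, user name and secret id are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the *final* stage of a
# Dockerfile for the leak patterns discussed above; the sample Dockerfiles
# below are constructed for illustration (tags, paths, names are assumptions).

# dockerfile_audit FILE  -> prints the number of risky directives found.
dockerfile_audit() {
    file="$1"
    findings=0
    # Only the last FROM stage ends up in the shipped image, so audit that stage.
    last_from=$(grep -n '^FROM' "$file" | tail -n 1 | cut -d: -f1)
    final=$(tail -n +"$last_from" "$file")

    # 1. Credentials passed via ENV or ARG are recorded in image metadata/history.
    n=$(printf '%s\n' "$final" | grep -Eic '^(ENV|ARG)[[:space:]]+[A-Z_]*(PASSWORD|SECRET|TOKEN|KEY)') || true
    findings=$((findings + n))

    # 2. Key files copied into a layer stay in the image even if a later RUN deletes them.
    n=$(printf '%s\n' "$final" | grep -Eic '^(COPY|ADD)[[:space:]]+.*(id_rsa|\.pem|\.env|credentials)') || true
    findings=$((findings + n))

    # 3. Without a non-root USER the container's main process runs as root.
    user=$(printf '%s\n' "$final" | grep -Ei '^USER[[:space:]]+' | tail -n 1 | awk '{print $2}') || true
    case "$user" in
        ""|root|0|root:*|0:*) findings=$((findings + 1)) ;;
    esac

    echo "$findings"
}

DEMO_DIR=$(mktemp -d)
BAD_DOCKERFILE="$DEMO_DIR/Dockerfile.bad"
GOOD_DOCKERFILE="$DEMO_DIR/Dockerfile.good"

# Constructed "before": single stage, key and credentials baked into the image.
# The trailing rm does not help: the COPY layer still contains the key.
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM python:3.11-slim
ARG DB_PASSWORD=constructed-sample
ENV API_TOKEN=constructed-sample
COPY id_rsa /root/.ssh/id_rsa
RUN git clone git@example.com:org/app.git /app && rm /root/.ssh/id_rsa
CMD ["python", "/app/main.py"]
EOF

# Constructed "after": the key is exposed only to one RUN step of the builder
# stage through a BuildKit secret mount (supplied at build time with
# `docker build --secret id=deploy_key,src=/path/to/key .`), and the final
# stage copies in nothing but the built application and runs as a non-root user.
cat > "$GOOD_DOCKERFILE" <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.11-slim AS builder
RUN apt-get update && apt-get install -y --no-install-recommends git openssh-client
RUN --mount=type=secret,id=deploy_key,target=/root/.ssh/id_rsa \
    git clone git@example.com:org/app.git /app

FROM python:3.11-slim
COPY --from=builder /app /app
RUN useradd --system --no-create-home appuser
USER appuser
CMD ["python", "/app/main.py"]
EOF

# dockerfile_audit "$BAD_DOCKERFILE"   # -> 4
# dockerfile_audit "$GOOD_DOCKERFILE"  # -> 0
```

The audit deliberately looks only at the last stage: anything in earlier stages (including the builder's secret mount) never reaches the image that is pushed, which is exactly why the multi-stage layout is the recommended fix. A non-zero count is a reason to fail the build before the image is tagged.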

  • The use of a vulnerable Docker image [1], which poses a severe threat to the system, can be avoided by understanding the underlying exposures in the image; the CVE (Common Vulnerabilities and Exposures) database can be used for this. It is a very well-known, regularly updated database of widely known exposures, each with a unique ID and a detailed description.

Refer to this official document for vulnerability scanning of your image.

  • Check for malicious Docker images [2] before deploying by scanning the image for malicious files or programs. The ClamAV malware database, one of the most popular, is updated regularly, covers more than 6 million kinds of malicious files, and can be used for scanning your images.
  • Monitor your network activity for calls from malicious IP addresses or domains to prevent network-related attacks [5]. If the domain names or IP addresses the container will be communicating with are already known, you can set up a firewall service that blocks every other domain from the container.

Refer to this official document for implementing iptables rules.

  • Monitor the resource usage of each deployed container; if any container is abusing the resources provided, it must be taken down, or it will lead to a DoS (denial of service) attack. DoS attacks can be effectively controlled with cgroups.

Refer to this official document for implementing resource constraints.
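The following script is an added example, not code from the original article, and it serves both the network-mode discussion in section 5 and the practices just listed. `hardened_run` assembles the `docker run` flags for a non-root user, dropped capabilities, a read-only filesystem, cgroup limits on memory, CPU and process count, and a network that defaults to `none` unless an explicitly created network is named; `over_budget` applies the monitoring step to the output of `docker stats` and names the containers that exceed a CPU or memory threshold. The UID, limits, network name, thresholds and the sample `docker stats` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Limits, UID, network name and
# the sample stats output are assumptions constructed for illustration.

# hardened_run IMAGE NAME [CMD...]
# Prints the assembled command when DRY_RUN is set; otherwise runs it.
# Flag groups, following the practices above:
#   --user / --cap-drop / no-new-privileges : unprivileged UID, no capabilities,
#                                             no setuid escalation inside the container
#   --read-only + --tmpfs                   : immutable root filesystem, scratch space only
#   --memory / --cpus / --pids-limit        : cgroup ceilings so one container cannot
#                                             starve the host (the DoS case above)
#   --network                               : no network unless an explicitly created
#                                             one is passed in NETWORK; egress is then
#                                             filtered on the host with iptables
hardened_run() {
    image="$1"; name="$2"; shift 2
    set -- \
        --name "$name" \
        --user 65532:65532 \
        --cap-drop ALL \
        --security-opt no-new-privileges:true \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --memory 256m --memory-swap 256m \
        --cpus 0.5 \
        --pids-limit 100 \
        --network "${NETWORK:-none}" \
        "$image" "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'docker run'; printf ' %s' "$@"; printf '\n'
    else
        docker run "$@"
    fi
}

# Constructed sample of:
#   docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}}'
# "worker" is burning far more CPU than a 0.5-CPU quota allows and "cache"
# is close to its memory ceiling; "web" is healthy.
SAMPLE_STATS='web 3.21% 12.50%
worker 187.40% 41.00%
cache 0.80% 98.70%'

# over_budget [CPU_MAX] [MEM_MAX]  (reads stats lines on stdin)
# Prints the names of containers above either threshold (defaults 100% CPU, 90% memory).
over_budget() {
    cpu_max="${1:-100}"; mem_max="${2:-90}"
    awk -v c="$cpu_max" -v m="$mem_max" '{
        cpu = $2; mem = $3
        sub(/%/, "", cpu); sub(/%/, "", mem)
        if (cpu + 0 > c + 0 || mem + 0 > m + 0) print $1
    }'
}

# Usage against a live daemon (GNU xargs -r assumed), not run here:
#   docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}}' \
#       | over_budget 100 90 | xargs -r docker stop
#
# DRY_RUN=1 hardened_run nginx:1.25 web   # prints the assembled docker run command
# printf '%s\n' "$SAMPLE_STATS" | over_budget   # -> worker, cache
```

The wrapper is a starting point rather than a universal policy: a workload that must write to its image filesystem needs a volume instead of `--read-only`, and one that must reach the network should be given a dedicated user-defined network in `NETWORK` with host firewall rules limiting which addresses it can talk to, which is the allow-list approach the article describes.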

What is DoS?

A Denial-of-Service (DoS) attack is meant to shut down a machine or network, making it inaccessible to its intended users. There are multiple ways to do this: the bandwidth can be flooded from multiple systems so that genuine users suffer, or a large amount of system resources can be consumed so that the system suffocates and shuts itself down.

Conclusion

These are the most common threats to Docker containers, and there are many ways to detect them. Similarly, the detected threats can be addressed in multiple ways.

Leave a Clap 👏, Follow for More 🔥 and KEEP LEARNING 🤓

Geek Culture
