DOI: 10.1145/3579856.3590329

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact

Published: 10 July 2023

Abstract

Containerization allows bundling applications and their dependencies into a single image. The containerization framework Docker eases the use of this concept and enables sharing images publicly, a practice that has gained strong momentum. However, it can lead to users creating and sharing images that include private keys or API secrets, either by mistake or out of negligence. This leakage impairs the creator's security and that of everyone using the image. Yet, the extent of this practice and how to counteract it remain unclear.
In this paper, we analyze 337,171 images from Docker Hub and 8,076 other private registries, unveiling that 8.5% of images indeed include secrets. Specifically, we find 52,107 private keys and 3,158 leaked API secrets, both opening a large attack surface, i.e., putting authentication and the confidentiality of privacy-sensitive data at stake and even allowing active attacks. We further document that those leaked keys are used in the wild: we discovered 1,060 certificates relying on compromised keys that were issued by public certificate authorities, and, based on further active Internet measurements, we find 275,269 TLS and SSH hosts using leaked private keys for authentication. To counteract this issue, we discuss how our methodology can be used to prevent secret leakage and reuse.


Cited By

  • Hybrid Architectures Used in the Protection of Large Healthcare Records Based on Cloud and Blockchain Integration: A Review. Computers 13:6 (152), 12 June 2024. doi:10.3390/computers13060152
  • Protocol Security in the Industrial Internet of Things. NOMS 2024 - IEEE Network Operations and Management Symposium, pp. 1-4, 6 May 2024. doi:10.1109/NOMS59830.2024.10575096
  • Exploring Solutions for Container Image Security. 2023 IEEE 14th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), pp. 82-88, 12 October 2023. doi:10.1109/UEMCON59035.2023.10316032
  • Collectively Enhancing IoT Security: A Privacy-Aware Crowd-Sourcing Approach. Foundations and Practice of Security, pp. 15-27, 11 December 2023. doi:10.1007/978-3-031-57540-2_2

      Published In

      ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
      July 2023
      1066 pages
      ISBN: 9798400700989
      DOI: 10.1145/3579856

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. container
      2. network security
      3. secret leakage
      4. security configuration

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ASIA CCS '23

      Acceptance Rates

      Overall Acceptance Rate 418 of 2,322 submissions, 18%
