Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment

Date
2022
Authors
Pecka, Nicholas
Ben Othmane, Lotfi
Valani, Altaz
Major Professor
Advisor
Committee Member
Journal Title
Journal ISSN
Volume Title
Publisher
ACM
Altmetrics
Authors
Research Projects
Organizational Units
Journal Issue
Series
Department
Electrical and Computer Engineering
Abstract
Companies are misled into thinking they solve their security issues by using tooling that is advertised as aligning with DevSecOps principles. This paper aims to answer the question: Could the misuse of the DevOps pipeline subject applications to malicious behavior? To answer the question, we designed a typical DevOps pipeline utilizing ubernetes (K8s) as a case study environment and analyzed the applicable threats. Then, we developed four attack scenarios against the case study environment: maliciously abusing the user’s privilege of deploying containers within the K8s cluster, abusing the Jenkins instance to modify files during the continuous integration, delivery, and eployment systems (CI/CD) build phase, modifying the K8s DNS layer to expose an internal IP to external traffic, and elevating privileges from an account with create, read, update, and delete (CRUD) privileges to root privileges. The attacks answer the research questionpositively: companies should design and use a secure DevOps pipeline and not expect that utilizing software "advertised as aligning" with DevSecOps principles alone is sufficient to deliver secure software.
Comments
This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Pecka, Nicholas, Lotfi ben Othmane, and Altaz Valani, "Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment." Proceedings of the International Conference on Software and Systems Processes (ICSSP), May 19-20, 2022. Virtual. Copyright 2022 ACM. Posted with permission.
Description
Keywords
Citation
DOI
Source
Collections