Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment

Date
2022
Authors
Pecka, Nicholas
Valani, Altaz
Publisher
ACM
Authors
Person
Ben Othmane, Lotfi
Assistant Teaching Professor
Department
Electrical and Computer Engineering
Abstract
Companies are misled into thinking they solve their security issues by using tooling that is advertised as aligning with DevSecOps principles. This paper aims to answer the question: Could the misuse of the DevOps pipeline subject applications to malicious behavior? To answer the question, we designed a typical DevOps pipeline utilizing Kubernetes (K8s) as a case study environment and analyzed the applicable threats. Then, we developed four attack scenarios against the case study environment: maliciously abusing the user's privilege of deploying containers within the K8s cluster, abusing the Jenkins instance to modify files during the continuous integration, delivery, and deployment (CI/CD) build phase, modifying the K8s DNS layer to expose an internal IP to external traffic, and elevating privileges from an account with create, read, update, and delete (CRUD) privileges to root privileges. The attacks answer the research question positively: companies should design and use a secure DevOps pipeline and not expect that utilizing software "advertised as aligning" with DevSecOps principles alone is sufficient to deliver secure software.
Comments
This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Pecka, Nicholas, Lotfi ben Othmane, and Altaz Valani, "Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment." Proceedings of the International Conference on Software and Systems Processes (ICSSP), May 19-20, 2022. Virtual. Copyright 2022 ACM. Posted with permission.