🤖 AI Summary
This work uncovers a deep trust vulnerability in Docker’s image layering mechanism: attackers can stealthily modify the filesystem contents of cryptographically signed images without altering the image history, layer structure, or Docker Content Trust (DCT) signatures—nor triggering static or dynamic security scanners. The flaw stems from the decoupling between image metadata and underlying filesystem access permissions, enabling “invisible edits.” The authors are the first to systematically identify, characterize, and exploit this vulnerability. They develop a proof-of-concept (PoC) toolchain leveraging layered storage reverse engineering, manual tar archive reconstruction, and DCT signature validation bypass techniques. Experiments demonstrate successful, undetectable malicious injection into production-signed images across real-world scenarios, evading detection by mainstream container security scanners. These findings fundamentally challenge the integrity guarantees and trust assumptions underpinning current container image distribution models, motivating the design of novel defense mechanisms resilient to metadata–filesystem privilege separation.
📝 Abstract
Containerisation is a popular deployment process for application-level virtualisation using a layer-based approach. Docker is a leading provider of containerisation, and through the Docker Hub, users can supply Docker images for sharing and re-purposing popular software application containers. Using a combination of in-built inspection commands, publicly displayed image layer content, and static image scanning, Docker images are designed to ensure end users can clearly assess the content of the image before running them. In this paper we present extbf{ extit{gh0stEdit}}, a vulnerability that fundamentally undermines the integrity of Docker images and subverts the assumed trust and transparency they utilise. The use of gh0stEdit allows an attacker to maliciously edit Docker images, in a way that is not shown within the image history, hierarchy or commands. This attack can also be carried out against signed images (Docker Content Trust) without invalidating the image signature. We present two use case studies for this vulnerability, and showcase how gh0stEdit is able to poison an image in a way that is not picked up through static or dynamic scanning tools. Our attack case studies highlight the issues in the current approach to Docker image security and trust, and expose an attack method which could potentially be exploited in the wild without being detected. To the best of our knowledge we are the first to provide detailed discussion on the exploit of this vulnerability.