
DEGREE PROJECT FOR MASTER OF SCIENCE IN ENGINEERING: COMPUTER SECURITY

Vulnerability Analysis of Vagrant Boxes

Andreas Holmqvist | Fredrik Lycke
Blekinge Institute of Technology, Karlskrona, Sweden, 2017
Supervisor: Emiliano Casalicchio, Department of Computer Science, BTH

Abstract

Virtual machines are often considered more secure than regular machines due to the abstraction from the hardware layer. Abstraction does provide some extra security benefits, but many vulnerabilities that exist on a regular machine still exist on virtual machines. Moreover, the sheer number of virtual machines running on many systems makes it difficult to analyse potential vulnerabilities. Vagrant is a management tool for virtual machines packaged in what are called boxes. There is currently no way to automatically scan these Vagrant boxes for vulnerabilities or insecure configurations to determine whether or not they are secure. Therefore we want to establish a method to detect the vulnerabilities of these boxes automatically, without launching the box or executing code.

There are two main parts in the method used to investigate the boxes. First there is the base box scanning. A base box is the image upon which the final box is built. This base box is launched, a list of installed packages is extracted, and the information is then sent to a vulnerability scanner. Second there is the analysis of the Vagrantfile. The Vagrantfile is the file used to ready the base box with the needed software and configurations. The configuration file is written in Ruby, and in order to extract information from it a static code analysis is performed. The result for each box scanned is a list of all the vulnerabilities present on the base box, as well as security configurations such as SSH settings and shared folders that are retrieved from the Vagrantfile. The results are not completely accurate because the base box is used for the scan, rather than the box itself.
Some of the configurations in the Vagrantfiles could not be retrieved because doing so required code execution, or support for configurations done by other means, such as bash. The method does, however, provide a good indication of how many vulnerabilities a given box possesses.

Keywords: Vagrant, Static code analysis, Vulnerability

Sammanfattning (Swedish summary, translated)

Virtual machines are often considered more secure than regular machines because of the abstraction from the hardware layer. Abstraction provides some extra security benefits, but many vulnerabilities that exist on a regular machine still exist on virtual machines. Moreover, the large number of virtual machines running on many systems makes it hard to analyse potential vulnerabilities. Vagrant is a manager for virtual machines packaged in what are called boxes. There is currently no way to automatically scan these Vagrant boxes for vulnerabilities or insecure configurations to determine whether or not they are secure. Therefore we want to create a method to detect vulnerabilities in these boxes automatically, without running the box or executing code. There are two main parts in the method used to examine the boxes. First there is the base box scan. A base box is an image on which the final box is built. This base box is started, a list of packages is extracted, and the information is then sent to a vulnerability scanner. An analysis of the Vagrantfile is also performed. The Vagrantfile is the file used to configure the base box with the necessary software and configurations. The configuration file is written in Ruby, and to extract information from this file a static code analysis is performed. The result from each scanned box is a list of all the vulnerabilities present in the base box, as well as security configurations such as SSH settings and shared folders retrieved from the Vagrantfile. The results are not entirely accurate since the base box is used for the scan rather than the box itself.
Some of the configurations in the Vagrantfile could not be retrieved because it required code execution or support for configurations done by other means, such as bash. The method does, however, give a good indication of how many vulnerabilities a given box has.

Keywords: Vagrant, Static code analysis, Vulnerability

Preface

This thesis marks the end of the five-year Master of Science in Engineering: Computer Security programme at Blekinge Institute of Technology, Karlskrona.

Acknowledgements: We would like to thank John Stock, Martin Jartelius, and Davide Girardi at Outpost24 for providing the opportunity to do this thesis, and for their assistance and guidance in completing it. We would also like to thank our supervisor Emiliano Casalicchio for continuously providing valuable feedback and suggestions during the thesis work and report writing.

Nomenclature

Acronyms
AST   Abstract Syntax Tree
CVE   Common Vulnerabilities and Exposures
JSON  JavaScript Object Notation

Table of Contents

Abstract  i
Sammanfattning (Swedish)  iii
Preface  v
Nomenclature  vii
  Acronyms  vii
Table of Contents  ix
List of Figures  x
List of Tables  xi
1 Introduction  1
  1.1 Introduction  1
  1.2 Background  1
  1.3 Objectives  1
  1.4 Delimitations  2
  1.5 Thesis question and technical problem  2
2 Theoretical Framework  3
  2.1 Related work  3
  2.2 Technologies  3
3 Method  9
  3.1 Base box scanning  9
  3.2 Vagrantfile analysis  10
  3.3 Architecture  11
  3.4 Reporting  12
4 Results  13
  4.1 Vulnerability scanning  13
  4.2 Static code analysis  13
  4.3 Full scan  15
5 Discussion  17
  5.1 Vulnerability scanning  17
  5.2 Static code analysis  17
  5.3 Full scan  18
6 Conclusions  19
7 Recommendations and Future Work  21
References  23

List of Figures

2.1 Layered architecture of Vagrant using providers [10].  5
3.1 Abstract Syntax Tree.  11
3.2 Architecture.  11
4.1 Visualisation of the Vagrantfile JSON. Rendered by [21].  14
4.2 Visualisation of the full scan JSON. Rendered by [21].  16

List of Tables

4.1 Vulnerabilities for the five most downloaded base boxes.  13

1 INTRODUCTION

1.1 Introduction

Virtualization has grown in use over the last several years. Virtualization enables more efficient use of hardware, with multiple isolated platforms running on a single machine. Currently there are two main types of virtualization: containerisation and hypervisor-based virtualization. Hypervisor-based virtualization establishes complete virtual machines on top of the host machine in the machine layer, along with an entire guest operating system. Containerisation runs at the operating system level and uses the host's kernel to run virtual environments. This means that containers do not need their own individual operating system to run. Vagrant is a platform used to manage virtual machines and containers. It can be used to make sure that the same software with the same configuration is used in an environment for multiple users, regardless of whether Linux, Mac OS, or Windows is used as the host [1]. Vagrant does not actually provide any kind of virtualization by itself, but rather the management of machines. Instead, Vagrant relies on virtualization software, such as VMware and VirtualBox, to run and configure the virtual machines. This allows support for new virtualization techniques to be added more easily.
The advantage of using Vagrant as a manager is that it makes virtual environments easier to reproduce and launch. Vagrant supports VirtualBox, Hyper-V, and Docker machines by default. Vagrant has some similarities with Docker [2], but Vagrant is a higher level of abstraction. While Docker is a container platform, Vagrant is a manager with multiple providers. As Vagrant is a higher level of abstraction, it can even use Docker as a provider. Docker support was available for Vagrant as a plugin for version 1.4 or later, but built-in support was added in version 1.6 [3]. This thesis looks at different ways to make a vulnerability analysis of a Vagrant box without having to boot it or execute anything on a running machine. A method is chosen and a system is developed to scan boxes.

1.2 Background

A user can have multiple Vagrant boxes installed and running silently in the background. These boxes can be hard to keep track of and manage. They can also contain security vulnerabilities such as outdated libraries or insecure configurations. The vulnerabilities can be anything a regular machine can have, for example remote code execution, misconfiguration, and insecure services running. Currently there are no publicly available tools to scan boxes for security vulnerabilities. Because of this lack of tools, Outpost24 has requested a way to create automatic vulnerability analysis of boxes. This project is developed in collaboration with Outpost24 and, because of an agreement with them, the source code will not be included in this thesis.

1.3 Objectives

The objective of the project is to create a system that automatically assembles a list of the Vagrant boxes on a computer and their information. The boxes are then scanned for known vulnerabilities. The information gathered is put into a report. Such a report
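The Vagrantfile analysis described in the abstract, as an added illustration written for this page (the thesis's own tool is not published): Ruby's standard-library Ripper turns the Vagrantfile into an abstract syntax tree, and a walk over that tree collects the `config.ssh.*` assignments, `synced_folder` calls and provisioners without evaluating any of the file. The sample Vagrantfile is constructed, only string, boolean and hash literals are recovered, and, as the abstract notes for bash, the contents of a shell provisioner stay opaque to this kind of analysis.

```ruby
require "ripper"
# Constructed sample Vagrantfile (not from the thesis); it is only parsed, never executed.
SAMPLE_VAGRANTFILE = <<~RUBY
  Vagrant.configure("2") do |config|
    config.vm.box = "ubuntu/trusty64"
    config.ssh.insert_key = false
    config.ssh.password = "vagrant"
    config.vm.synced_folder ".", "/vagrant", disabled: false
    config.vm.provision "shell", inline: "apt-get install -y nginx"
  end
RUBY

# Yield every S-expression node of the Ripper AST, depth first.
def walk(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node.first.is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end
# Dotted receiver path of a call or attribute target, e.g. "config.ssh.password".
def path(node)
  return node[1][1] if %i[var_ref vcall].include?(node.first)
  return "?" unless %i[call field command_call].include?(node.first)
  "#{path(node[1])}.#{node[3][1]}"
end
# Recover plain literals only; non-array and unknown nodes (anything computed at runtime) fall through to :dynamic.
def literal(node)
  case node.is_a?(Array) && node.first
  when :string_literal
    parts = node[1].drop(1)
    parts.all? { |p| p.first == :@tstring_content } ? parts.map { |p| p[1] }.join : :dynamic
  when :var_ref then { "true" => true, "false" => false, "nil" => nil }.fetch(node[1][1], :dynamic)
  when :bare_assoc_hash then node[1].to_h { |a| [a[1].first == :@label ? a[1][1].chomp(":") : literal(a[1]), literal(a[2])] }
  else :dynamic
  end
end
# Static extraction of SSH settings, shared folders and provisioners; nothing in the file is run.
def analyze(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "Vagrantfile does not parse"
  report = { settings: {}, shared_folders: [], provisioners: [] }
  walk(tree) do |node|
    if node.first == :assign && node[1].first == :field
      report[:settings][path(node[1])] = literal(node[2])
    elsif node.first == :command_call
      args = node[4].first == :args_add_block ? node[4][1] : node[4] # wrapper varies by Ruby version
      key = { "config.vm.synced_folder" => :shared_folders, "config.vm.provision" => :provisioners }[path(node)]
      report[key] << args.map { |a| literal(a) } if key
    end
  end
  report
end
```

On the sample, the report exposes a password set for SSH, `insert_key` disabled and an enabled shared folder, which are the kinds of Vagrantfile configurations the thesis lists beside the base box's package vulnerabilities.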