
Some services such as GitHub allow the execution of user-supplied code in Docker containers via GitHub Actions. Other examples of service providers that execute user-provided code are continuous integration services such as Travis or AppVeyor.

This question does not consider the user's code breaking out of its VM or container, but rather code that can use up resources or launch attacks on other systems via the internet.

Some examples of malicious behavior I'd like to define for this question are:

  • Using your resources to mine cryptocurrency (for example using multiple Travis jobs in a build matrix to mine cryptocurrency).
  • Sending spam.
  • Launching DDoS attacks on some host.
  • Testing username/password combinations or credit card numbers against a service.

Since the code is user-defined, it is pretty much impossible to do any sort of whitelisting or blacklisting. Blocking access to certain hosts on the internet would also be ineffective, as the malicious user can host the malicious binaries anywhere and download them into the container or VM during execution.

How do services such as GitHub (via GitHub Actions) and Travis prevent malicious behavior on their systems when executing user-provided code?

F21
  • Note that if the service is a build job, and one for a specific language, it may be possible to whitelist allowed internet endpoints (e.g., the main NuGet or Maven repository hosts for C# and Java, respectively), which would stop all of those attacks cold. – Clockwork-Muse Jul 01 '19 at 16:59

1 Answer

I will give you some examples of how the platform could detect your examples of malicious behaviour:

  • For cryptocurrency, you can probably block these types of attack by limiting the execution time; as far as I know, for example, Bitbucket limits the time of builds and deploys, so if you want more time you need to pay. Basically, if you want more CPU you need to pay.

  • Sending spam: if your software makes too many connections to the Internet and is uploading traffic, you can limit this. Also, a NIDS can detect this.

  • For the DDoS attack it is a similar approach to the previous one. Also, the Docker container could be executed in a non-secure environment with NIDS, firewalls and other security systems, which will basically detect the attack.

  • And the other case is easily detected by the two techniques mentioned, or by the destination service, which will probably contact the platform and inform it about the issue.

Be aware that in general GitHub, Bitbucket and so on have security systems in place, and if you are using free accounts you are on a different scheme than a company that uses those services. On the other hand, if the platform has suspicions or evidence that you are doing some bad activity, I'm sure they will block access to the account and send you a lovely email :)

camp0
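The answer above describes the controls in words (execution-time budgets, limits on outbound connections and upload volume, NIDS-style detection) and the comment on the question suggests an egress allow-list for known registry hosts. The following is an added example, not code from the question, the answer or any CI provider, showing how a platform-side monitor could apply those heuristics to per-job outbound-connection telemetry. The log format, the threshold values, the `Policy` and `JobStats` names and every hostname are assumptions constructed for this example.

```python
"""Heuristic abuse detection over CI job egress telemetry (added example).

Each telemetry record is assumed to look like:
    job_id cpu_seconds dest_host bytes_out
where cpu_seconds is the job's running CPU total at the time of the
connection. Thresholds and host names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """Per-job limits; the numbers are assumptions, not a real provider's."""
    max_cpu_seconds: int = 3600          # CPU budget per job (mining heuristic)
    max_connections: int = 50            # outbound connections per job (flood heuristic)
    max_bytes_out: int = 50_000_000      # upload volume per job (spam/exfil heuristic)
    max_distinct_hosts: int = 20         # fan-out per job (spam heuristic)
    allowed_hosts: frozenset = frozenset({
        "repo.example-registry.test",    # assumed package-registry host
        "api.example-scm.test",          # assumed source-control host
    })


@dataclass
class JobStats:
    cpu_seconds: int = 0
    connections: int = 0
    bytes_out: int = 0
    hosts: set = field(default_factory=set)


def parse_records(text):
    """Parse the constructed 'job_id cpu_seconds dest_host bytes_out' format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        job_id, cpu, host, out = line.split()
        records.append((job_id, int(cpu), host, int(out)))
    return records


def aggregate(records):
    """Roll connection records up into per-job statistics."""
    stats = defaultdict(JobStats)
    for job_id, cpu, host, out in records:
        s = stats[job_id]
        s.cpu_seconds = max(s.cpu_seconds, cpu)   # cpu field is a running total
        s.connections += 1
        s.bytes_out += out
        s.hosts.add(host)
    return dict(stats)


def evaluate(stats, policy=Policy()):
    """Return {job_id: [reasons]} for every job that violates the policy."""
    findings = {}
    for job_id, s in stats.items():
        reasons = []
        if s.cpu_seconds > policy.max_cpu_seconds:
            reasons.append("cpu budget exceeded")
        if s.connections > policy.max_connections:
            reasons.append("too many outbound connections")
        if s.bytes_out > policy.max_bytes_out:
            reasons.append("upload volume exceeded")
        if len(s.hosts) > policy.max_distinct_hosts:
            reasons.append("excessive host fan-out")
        unlisted = sorted(s.hosts - policy.allowed_hosts)
        if unlisted:
            reasons.append("egress to non-allow-listed hosts: " + ", ".join(unlisted))
        if reasons:
            findings[job_id] = reasons
    return findings


def build_sample_log():
    """Constructed telemetry for four jobs; not real provider data."""
    lines = [
        "# job_id cpu_seconds dest_host bytes_out",
        "job-1 120 repo.example-registry.test 2048",   # normal build: allowed hosts only
        "job-1 130 api.example-scm.test 1024",
        "job-2 3900 pool.example-miner.test 512",      # long-running job talking to an unlisted host
    ]
    # job-3: fan-out to many distinct mail hosts (spam-like pattern)
    lines += [f"job-3 60 mx{i}.example-mail.test 90000" for i in range(25)]
    # job-4: hundreds of connections to one host (flood / guessing-like pattern)
    lines += ["job-4 30 login.example-site.test 300" for _ in range(200)]
    return "\n".join(lines)


if __name__ == "__main__":
    for job, reasons in evaluate(aggregate(parse_records(build_sample_log()))).items():
        print(job, "->", "; ".join(reasons))
```

On the constructed data `job-1` produces no findings, while `job-2` trips the CPU budget, `job-3` the fan-out limit and `job-4` the connection limit; all three also contact hosts outside the allow-list, which is the signal the comment on the question relies on. In practice the allow-list check only works for jobs whose legitimate egress is predictable (a language-specific build fetching from one registry), and the volume thresholds need tuning against the provider's own baseline of benign jobs to keep false positives down.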