
Stripe Capture the Flag Meetup

The slides were part of a much more detailed talk and walkthrough that was given at the Stripe Capture the Flag Meetup on March 1st.



Andy Brody

March 19, 2012


  1. Andy Brody, Greg Brockman, Siddarth Chandrasekaran (@alberge, @thegdb, @sidd)
  2. Stripe makes it easy to start accepting credit cards on the web today. Why a CTF?

  3. Educational, challenging

  4. Fun!

  5. Some Numbers

  6. Numbers: IPs at each level

  7. Numbers: cumulative IPs / level

  8. Numbers: cumulative IPs / level

  9. Numbers: concurrent logins

  10. CTF Security: Oh, UNIX has multiuser in its bones — this will be easy.

  11. CTF Security: Support for anonymous users isn't great.

  12. CTF Security: Services vulnerable to execution of arbitrary code!

  13. Goal: per-user sandbox

  14. Goal: per-user sandbox
    - lightweight spin-up
    - locked down environment
    - blissful unawareness of other users
  15. Implementation: chroot jail

  16. Implementation: chroot jail
    - User for each level
    - Debootstrap full install inside chroot
    - Separate filesystem for writable data
    - No /proc, no setuid binaries in /bin
    - Limited nodes in /dev

  17. Implementation: chroot enforcement
    - chroot by user group with ssh
    - chroot with suPHP

  18. Implementation: R/O FS
    - Great for security — even root can't modify without remounting.
    - Terrible for maintenance: can't make changes on the fly.

  19. Implementation: R/O FS. Next time: mount the filesystem R/W elsewhere, then bind mount it R/O inside the chroot.
  20. Reality: imperfect isolation

  21. Isolation: fork bombs perl -e 'fork while fork'

  22. Isolation: fork bombs. Causes:
    - script kiddies
    - people trying to brute force level06
    - process exhaustion from lots of users

  23. Isolation: fork bombs. Mitigation:
    - cgroups
    - ulimits
    - killall -STOP …; killall -KILL …
      - by tty
      - by pgid or sid
      - by user + process name
      - send CONT to innocent bystanders

  24. Isolation: others
    - disk exhaustion
    - memory exhaustion
    - greedy I/O
    - level05 server: didn't want setuid for python; arbitrary code execution; cron job to kill & restart

  25. Next time: make user accounts! Let built-in user isolation do the work; control level access with groups, setgid.
  26. Cloud supported

  27. Cloud supported
    - Completely isolated from the rest of our servers
    - Outbound traffic open during spin-up, but firewalled off in production
    - Spin up capacity to handle unexpected load
  28. Questions?
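The mitigation list on slide 23 comes down to ordering: freeze the whole group with STOP first, then KILL, so a forking loop cannot respawn faster than it is being killed, and target by pgid or sid rather than by name so bystanders are not frozen. The following is an added example, not code from the talk or from Stripe: it contains one process group by pgid on Linux (reading /proc, which is assumed to be mounted), using a bounded shell with two sleepers as a stand-in for the runaway group.

```python
import os
import signal
import subprocess
import time


def pids_in_pgid(pgid):
    """Walk /proc and return the pids whose process group is `pgid` (Linux only)."""
    members = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited while we were scanning
        # Layout: "pid (comm) state ppid pgrp session ..."; comm may contain
        # spaces, so split only after the closing parenthesis.
        fields = stat[stat.rindex(")") + 2:].split()
        if int(fields[2]) == pgid:
            members.append(int(entry))
    return members


def freeze_then_kill(pgid):
    """Contain a runaway process group: STOP every member first so nothing in
    it can fork again, then KILL the frozen set. Returns how many processes
    were frozen. Killing without freezing first races the forking loop, which
    is why the order matters. Scoping by pgid (not by user + name) means no
    innocent bystander is stopped, so no CONT clean-up is needed afterwards."""
    os.killpg(pgid, signal.SIGSTOP)
    frozen = pids_in_pgid(pgid)
    os.killpg(pgid, signal.SIGKILL)
    return len(frozen)


def demo():
    """Start a small, bounded process group (a shell with two sleepers) as a
    constructed stand-in for a runaway group, contain it, and return
    (processes frozen, leader exit status)."""
    leader = subprocess.Popen(["sh", "-c", "sleep 60 & sleep 60 & wait"],
                              start_new_session=True)
    time.sleep(0.3)  # let the shell spawn its children
    frozen = freeze_then_kill(leader.pid)  # new session => pgid == leader pid
    status = leader.wait()  # negative value = killed by that signal
    return frozen, status


if __name__ == "__main__":
    print(demo())  # e.g. (3, -9): three processes frozen, leader died of SIGKILL
```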