Stripe Capture the Flag Meetup

The slides were part of a much more detailed talk and walkthrough that was given at the Stripe Capture the Flag Meetup on March 1st.

https://stripe.com/blog/stripe-ctf-meetup

Andy Brody

March 19, 2012
Transcript

  1. Andy Brody (@alberge), Greg Brockman (@thegdb), Siddarth Chandrasekaran (@sidd)

  2. Stripe makes it easy to start accepting credit cards on the web today. Why a CTF?

  3. Educational. Challenging.

  4. Fun!

  5. Some Numbers

  6. Numbers: IPs at each level

  7. Numbers: cumulative IPs / level

  8. Numbers: cumulative IPs / level

  9. Numbers: concurrent logins

  10. CTF Security: Oh, UNIX has multiuser in its bones — this will be easy.

  11. CTF Security: Support for anonymous users isn't great.

  12. CTF Security: Services vulnerable to execution of arbitrary code!

  13. Goal: per-user sandbox

  14. Goal: per-user sandbox
     - lightweight spin-up
     - locked down environment
     - blissful unawareness of other users
  15. Implementation: chroot jail

  16. Implementation: chroot jail
     - User for each level
     - Debootstrap full install inside chroot
     - Separate filesystem for writable data
     - No /proc, no setuid binaries in /bin
     - Limited nodes in /dev

  17. Implementation: chroot enforcement
     - chroot by user group with ssh
     - chroot with suPHP

  18. Implementation: R/O FS. Great for security — even root can't modify without remounting. Terrible for maintenance: can't make changes on the fly.

  19. Implementation: R/O FS. Next time: mount the filesystem R/W elsewhere; bind mount it R/O inside the chroot.
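The jail layout slides 16 to 19 describe, written out as an added POSIX sh example; this is not Stripe's setup script. The paths (/srv/ctf/jail, /srv/ctf/levels), the group name ctf, the device-node list and the sshd Match block are assumptions for illustration. The two points worth seeing in code are that a plain `mount --bind` ignores `ro` (the remount step is what makes the bound tree read-only, which is how level data stays editable outside while being immutable inside the chroot) and that sshd refuses a ChrootDirectory unless the jail root is root-owned and not group- or world-writable, which the script checks before doing anything. Run with `DRY_RUN=1` to print the commands instead of executing them; the real steps need root.

```shell
#!/bin/sh
# Added example, not the CTF's own tooling. Builds a per-level chroot with the
# writable level tree kept outside the jail and bind-mounted read-only inside.
# All paths and the group name below are assumed values.
set -eu

JAIL=${JAIL:-/srv/ctf/jail}              # assumed: debootstrap target, sshd ChrootDirectory
LEVELS_RW=${LEVELS_RW:-/srv/ctf/levels}  # assumed: where admins edit level data R/W
CTF_GROUP=${CTF_GROUP:-ctf}              # assumed: group whose members get chrooted

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sshd requires every component of ChrootDirectory to be owned by root and
# not writable by group or others; otherwise a chrooted user could plant
# files the jail later trusts. Fails (exit 1) when the directory is unsafe.
check_jail_root() {
    dir=$1
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")   # $1 = mode string, $3 = numeric owner uid
    mode=$1; owner=$3
    [ "$owner" = "0" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# Mount the admin-editable level tree into the jail read-only.
# "mount --bind" alone ignores "ro"; the remount is what enforces it.
bind_levels_ro() {
    run mkdir -p "$JAIL/levels"
    run mount --bind "$LEVELS_RW" "$JAIL/levels"
    run mount -o remount,bind,ro "$LEVELS_RW" "$JAIL/levels"
}

# A handful of device nodes instead of bind-mounting the host's /dev.
make_dev_nodes() {
    run mkdir -p "$JAIL/dev"
    run mknod -m 666 "$JAIL/dev/null" c 1 3
    run mknod -m 666 "$JAIL/dev/zero" c 1 5
    run mknod -m 444 "$JAIL/dev/urandom" c 1 9
    run mknod -m 666 "$JAIL/dev/tty" c 5 0
}

# Strip setuid/setgid bits from everything debootstrap installed in the jail.
drop_setuid() {
    run find "$JAIL" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# sshd_config fragment: chroot by group, the "ssh" variant on slide 17.
sshd_match_block() {
    cat <<EOF
Match Group $CTF_GROUP
    ChrootDirectory $JAIL
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

setup_jail() {
    if [ "${DRY_RUN:-0}" != "1" ] && ! check_jail_root "$JAIL"; then
        echo "refusing: $JAIL must exist, be root-owned and not group/world-writable" >&2
        return 1
    fi
    make_dev_nodes
    drop_setuid
    bind_levels_ro
    echo "# append to /etc/ssh/sshd_config:"
    sshd_match_block
}

if [ "${1:-}" = "setup" ]; then setup_jail; fi
```

Note that the bind mount only needs to be redone, not the chroot rebuilt, when level data changes: edit under /srv/ctf/levels on the host and the jail sees the new files read-only, which is exactly the maintenance problem slide 18 complains about.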
  20. Reality: imperfect isolation

  21. Isolation: fork bombs: perl -e 'fork while fork'

  22. Isolation: fork bombs. Causes:
     - script kiddies
     - people trying to brute force level06
     - process exhaustion from lots of users

  23. Isolation: fork bombs. Mitigation:
     - cgroups
     - ulimits
     - killall -STOP …; killall -KILL …
       - by tty
       - by pgid or sid
       - by user + process name
     - send CONT to innocent bystanders
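The "by user + process name" variant of slide 23, with the follow-up CONT for bystanders, as an added POSIX sh example that is not Stripe's own script. It reads /proc directly (so it works without procps), takes a numeric uid and a command name as arguments, and shows why the order matters: STOP everything that matches first, repeating until a pass finds no new PIDs (stopped processes cannot fork, so the set converges), and only then KILL. The level06 user in the usage comment comes from slide 22; the name of the bomb process and the demo's harmless stand-in are assumptions.

```shell
#!/bin/sh
# Added example, not the CTF's own tooling. Contains a fork bomb owned by one
# user by freezing every matching process before killing it, leaving the
# user's other processes running. Linux /proc is assumed.

# Print the PIDs owned by numeric uid $1 whose command name (comm) is $2.
pids_of() {
    uid=$1; name=$2
    for d in /proc/[0-9]*; do
        [ -r "$d/status" ] || continue      # entries vanish while we scan
        awk -v uid="$uid" -v name="$name" -v pid="${d#/proc/}" '
            /^Name:/ { n = $2 }
            /^Uid:/  { u = $2 }
            END { if (n == name && u == uid) print pid }' "$d/status" 2>/dev/null || true
    done
}

# Send signal $1 to every PID read from stdin; ignore ones already gone.
signal_all() {
    sig=$1
    while read -r p; do kill "-$sig" "$p" 2>/dev/null || true; done
}

# Freeze, then kill, every process of uid $1 named $2.
# The STOP pass repeats because a bomb forks between scans; once a pass
# finds the same PID set as the previous one, nothing new can appear.
contain_fork_bomb() {
    uid=$1; name=$2; prev=""; rounds=0
    while [ "$rounds" -lt 10 ]; do
        pids=$(pids_of "$uid" "$name")
        [ -n "$pids" ] || break
        printf '%s\n' "$pids" | signal_all STOP
        [ "$pids" = "$prev" ] && break
        prev=$pids
        rounds=$((rounds + 1))
    done
    pids_of "$uid" "$name" | signal_all KILL
}

# After a blanket STOP of a user's processes (e.g. killall -STOP -u), resume
# the ones that are stopped but are NOT the bomb: slide 23's bystanders.
resume_bystanders() {
    uid=$1; bomb=$2
    for d in /proc/[0-9]*; do
        [ -r "$d/status" ] || continue
        awk -v uid="$uid" -v bomb="$bomb" -v pid="${d#/proc/}" '
            /^Name:/  { n = $2 }
            /^Uid:/   { u = $2 }
            /^State:/ { s = $2 }
            END { if (u == uid && n != bomb && s == "T") print pid }' "$d/status" 2>/dev/null || true
    done | signal_all CONT
}

# Usage on the CTF box (assumed bomb name): contain_fork_bomb "$(id -u level06)" perl
# Demo with a harmless stand-in process: sh contain.sh demo
if [ "${1:-}" = "demo" ]; then
    sleep 300 &
    victim=$!
    contain_fork_bomb "$(id -u)" sleep
    wait "$victim" 2>/dev/null && echo "still alive" || echo "contained (exit $?)"
fi
```

Matching on comm alone is the weak point of this variant: a bomb that execs under another name escapes the filter, which is the case for a per-user STOP followed by resume_bystanders, or for the cgroup and ulimit lines on the same slide that bound the damage before anyone has to run killall.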
  24. Isolation: others
     - disk exhaustion
     - memory exhaustion
     - greedy I/O
     - level05 server: didn't want setuid for python; arbitrary code execution; cron job to kill & restart

  25. Next time: make user accounts! Let built-in user isolation do the work; control level access with groups, setgid.
  26. Cloud supported

  27. Cloud supported
     - Completely isolated from the rest of our servers
     - Outbound traffic open during spin-up, but firewalled off in production
     - Spin up capacity to handle unexpected load
  28. Questions?