Slide 1

Andy Brody (@alberge), Greg Brockman (@thegdb), Siddarth Chandrasekaran (@sidd)

Slide 2

Stripe makes it easy to start accepting credit cards on the web today.

Why a CTF?

Slide 3

Educational
Challenging

Slide 4

Fun!

Slide 5

Some Numbers

Slide 6

Numbers: IPs at each level

Slide 7

Numbers: cumulative IPs / level

Slide 8

Numbers: cumulative IPs / level

Slide 9

Numbers: concurrent logins

Slide 10

CTF Security

Oh, UNIX has multiuser in its bones — this will be easy.

Slide 11

CTF Security

Support for anonymous users isn't great.

Slide 12

CTF Security

Services vulnerable to execution of arbitrary code!

Slide 13

Goal: per-user sandbox

Slide 14

Goal: per-user sandbox
- lightweight spin-up
- locked down environment
- blissful unawareness of other users

Slide 15

Implementation: chroot jail

Slide 16

Implementation: chroot jail
- User for each level
- Debootstrap full install inside chroot
- Separate filesystem for writable data
- No /proc, no setuid binaries in /bin
- Limited nodes in /dev

Slide 17

Implementation: chroot enforcement
- chroot by user group with ssh
- chroot with suPHP

Slide 18

Implementation: R/O FS

Great for security — even root can't modify without remounting.
Terrible for maintenance: can't make changes on the fly.

Slide 19

Implementation: R/O FS

Next time: Mount the filesystem R/W elsewhere. Bind mount it R/O inside the chroot.

Slide 20

Reality: imperfect isolation

Slide 21

Isolation: fork bombs

perl -e 'fork while fork'

Slide 22

Isolation: fork bombs

Causes
- script kiddies
- people trying to brute force level06
- process exhaustion from lots of users

Slide 23

Isolation: fork bombs

Mitigation
- cgroups
- ulimits
- killall -STOP …; killall -KILL …
  - by tty
  - by pgid or sid
  - by user + process name
  - send CONT to innocent bystanders
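The STOP, then KILL, then CONT sequence from the mitigation list above, done against /proc from Python (Linux only). This is an added example, not the Stripe CTF team's tooling: the `in_scope` and `is_bomb` predicates stand in for the slide's "by user / by tty / by pgid or sid" and "by process name" filters, and `demo()` spawns constructed sleeping children in place of a real bomb.

```python
import contextlib, os, signal, subprocess, sys, time

def iter_procs():
    """Yield (pid, uid, name, cmdline) for every process visible in /proc (Linux)."""
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/status") as fh:
                st = dict(ln.rstrip("\n").split(":\t", 1) for ln in fh if ":\t" in ln)
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # exited mid-scan or unreadable: skip it
        yield int(entry), int(st["Uid"].split()[0]), st["Name"], cmd

def quench(in_scope, is_bomb, sweeps=10):
    """Freeze everything in_scope(uid, name, cmd) selects, re-sweeping because a bomb
    forks faster than one pass, then SIGKILL what is_bomb(name, cmd) matches and
    SIGCONT the rest (the innocent bystanders). Returns (killed_pids, resumed_pids)."""
    frozen = {}
    for _ in range(sweeps):
        before = len(frozen)
        for pid, uid, name, cmd in iter_procs():
            if pid != os.getpid() and pid not in frozen and in_scope(uid, name, cmd):
                with contextlib.suppress(ProcessLookupError):  # may be gone already
                    os.kill(pid, signal.SIGSTOP)
                    frozen[pid] = (name, cmd)
        if len(frozen) == before:  # a sweep found nothing new: the set is frozen
            break
    killed, resumed = [], []
    for pid, (name, cmd) in frozen.items():
        bomb = is_bomb(name, cmd)
        with contextlib.suppress(ProcessLookupError):
            os.kill(pid, signal.SIGKILL if bomb else signal.SIGCONT)
            (killed if bomb else resumed).append(pid)
    return killed, resumed

def demo():
    """Constructed stand-in: three sleeping children tagged "bomb" and one tagged
    "bystander", all carrying a marker that plays the role of the level's user."""
    mark, code = "ctf-quench-demo", "import time; time.sleep(60)"
    spawn = lambda tag: subprocess.Popen([sys.executable, "-c", code, mark, tag])
    bombs, bystander = [spawn("bomb") for _ in range(3)], spawn("bystander")
    time.sleep(1.0)  # let the children exec so /proc shows their argv
    killed, resumed = quench(lambda uid, n, c: uid == os.getuid() and f" {mark} " in c,
                             lambda n, c: c.endswith(" bomb"))
    codes, alive = [p.wait(timeout=5) for p in bombs], bystander.poll() is None
    bystander.kill(); bystander.wait()
    return {"bombs_killed": sorted(killed) == sorted(p.pid for p in bombs),
            "by_sigkill": all(c == -signal.SIGKILL for c in codes),
            "bystander_resumed": resumed == [bystander.pid] and alive}
```

This is the cleanup path; the cgroups and ulimits entries above are what stop a bomb from exhausting the process table in the first place.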

Slide 24

Isolation: others
- disk exhaustion
- memory exhaustion
- greedy I/O
- level05 server
  - didn't want setuid for python
  - arbitrary code execution
  - cron job to kill & restart

Slide 25

Next time
- make user accounts!
- let built-in user isolation do the work
- control level access with groups, setgid

Slide 26

Cloud supported

Slide 27

Cloud supported
- Completely isolated from the rest of our servers
- Outbound traffic open during spin-up, but firewalled off in production
- Spin up capacity to handle unexpected load

Slide 28

Questions?