SlideShare a Scribd company logo
1 of 30
Download to read offline
codetainer
building  a  browser  
  code  `sandbox`
Jen  Andre  
E4E  Conference,  Sep  2015
about me
@fun_cuddles  /  jenpire.com  /  
organizer  @BostonGoLang  
EIR  Accomplice  VC  
co-­‐founder  @threatstack,    
formerly  researcher  
@Mandiant,  @Symantec    
what is a ‘codetainer’?
“try ‘X’ in your browser”
… for all X?
inspiration
use cases
tutorials  for  APIs  
learn  programming  language  X  
training  on  UNIX  tools,  debugging,  etc  
remote  management  for  containers
requirements
flexible  &  powerful  enough  to  support  mulXple  use-­‐
cases  (programmable,  API  driven)  
self-­‐hosted  (open  source!)  
reasonably  secure-­‐able  :)
containers to the rescue!
“Docker  allows  you  to  package  an  applicaXon  with  all  
of  its  dependencies  into  a  standardized  unit  for  
so`ware  development.”
host linux system
container process
process
virtual file system
system namespaces
docker daemon/API tools
container process
process
virtual file system
system namespaces
…
process  virtualiza/on
not your parent’s virtualization
• it’s  lightweight!    
• process  containers  measured  in  terms  of  kilobytes  or  megabytes  
instead  of  GB  
• startup  measured  in  seconds,  not  minutes  
• images  are  layered  and  reusable  
• (see  DockerHub)  
• there’s  powerful  introspecXon  /  management  APIs  
• Management  is  programmable
introspection
peer  “inside”  of  containers  and  perform  acXons
codetainer architecture
codetainer
API server
loaded via
iframe
docker
API
“codetainer”
process
“codetainer”
process
“codetainer”
process
http /
websockets
sqlite
/api/v1/codetainer/{id}/attach
/api/v1/codetainer/{id}/create
/api/v1/codetainer/{id}/stop
…
components
•   “codetainer”  
•   this  is  just  a  Docker  container    
• “codetainer  image”    
•   this  is  a  Docker  image  registered  for  codetainer  use  
• “codetainer  profile”    
•   this  is  a  profile  associated  with  a  codetainer  that  
defines  its  runXme  characterisXcs  (e.g.  security)
other tools
• Go  
• Docker  APIs  wrifen  in  this  
• It’s  just  a  nice,  clean  language  you  can  be  producXve  in  quickly  
• xterm.js  
• for  rendering  terminals  in  the  browser  
• sqlite  
• for  storing  metdata  about  ‘codetainers’  
using codetainer!
starting the server
$	
  ./bin/codetainer	
  server	
  
Codetainer	
  10:34:16	
  [~INFO]	
  Initializing	
  Codetainer	
  
(0.1.0)	
  
Codetainer	
  10:34:16	
  [~INFO]	
  URL:	
  http://127.0.0.1:3000	
  
$	
  ./bin/codetainer	
  —help	
  
usage:	
  Codetainer	
  [<flags>]	
  <command>	
  [<args>	
  ...]	
  
Flags:	
  
	
  	
  -­‐-­‐help	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  Show	
  help	
  (also	
  see	
  -­‐-­‐help-­‐long	
  
and	
  -­‐-­‐help-­‐man).	
  
	
  	
  -­‐v,	
  -­‐-­‐debug	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  Enable	
  debug	
  logging.	
  
	
  	
  -­‐-­‐dev	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  Enable	
  dev	
  mode.	
  
	
  	
  -­‐q,	
  -­‐-­‐quiet	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  Remove	
  all	
  output	
  logging.	
  
step 1: create an image
• Create  your  Docker  image    
• Register  a  Docker  image  for  use  in  a  codetainer  
• POST	
  /api/v1/image
$	
  curl	
  -­‐XPOST	
  http://127.0.0.1:3000/api/v1/image	
  -­‐-­‐data	
  "id=tcpdump-­‐
demo:latest&description=hi"	
  2>	
  /dev/null	
  |	
  jq	
  .	
  
{	
  
	
  	
  "image":	
  {	
  
	
  	
  	
  	
  "id":	
  
"e5d42500e0419df4a29d1ed443de2da5c2c8d2e683cb045883b79b2e826910b0",	
  
	
  	
  	
  	
  "command":	
  "",	
  
	
  	
  	
  	
  "description":	
  "hi",	
  
	
  	
  	
  	
  "Tags":	
  [	
  
	
  	
  	
  	
  	
  	
  "tcpdump-­‐demo:latest"	
  
	
  	
  	
  	
  ],	
  
	
  	
  	
  	
  "CreatedAt":	
  "0001-­‐01-­‐01T00:00:00Z",	
  
	
  	
  	
  	
  "UpdatedAt":	
  "0001-­‐01-­‐01T00:00:00Z",	
  
	
  	
  	
  	
  "Enabled":	
  true	
  
	
  	
  }	
  
step 2: launch a codetainer
• POST	
  /api/v1/codetainer
$	
  curl	
  -­‐XPOST	
  http://127.0.0.1:3000/api/v1/codetainer/	
  -­‐-­‐data	
  
"name=tcpdump&image-­‐id=tcpdump-­‐demo:latest"	
  2>	
  /dev/null	
  |	
  jq	
  .	
  
{	
  
	
  	
  "codetainer":	
  {	
  
	
  	
  	
  	
  "id":	
  
"07fd1305dc22714ff5c005f8edb5db8bb462ff931bb94c51feab879a10cbcaa6",	
  
	
  	
  	
  	
  "name":	
  "tcpdump",	
  
	
  	
  	
  	
  "image-­‐id":	
  
"e5d42500e0419df4a29d1ed443de2da5c2c8d2e683cb045883b79b2e826910b0",	
  
	
  	
  	
  	
  "Defunct":	
  false,	
  
	
  	
  	
  	
  "Running":	
  false,	
  
	
  	
  	
  	
  "Profile":	
  "",	
  
	
  	
  	
  	
  "CreatedAt":	
  "0001-­‐01-­‐01T00:00:00Z",	
  
	
  	
  	
  	
  "UpdatedAt":	
  "0001-­‐01-­‐01T00:00:00Z"	
  
	
  	
  }	
  
step 3: interact with it!
• /api/v1/codetainer/{id}/attach	
  (attach	
  via	
  websockets)	
  
• /api/v1/codetainer/{id}/view	
  (render	
  terminal	
  view)	
  
• /api/v1/codetainer/{id}/send	
  (send	
  keystrokes)
more!
• List/Upload/Download  files  in  a  codetainer  
• GET	
  /api/v1/codetainer/{id}/files	
  
• GET	
  /api/v1/codetainer/{id}/files/
download	
  
• PUT	
  /api/v1/codetainer/{id}/files/upload
command-line too
$	
  ./bin/codetainer	
  list	
  
Found	
  2	
  codetainers.	
  
-­‐-­‐	
  [4505c3c844a46f4966280cd6762d3512ba8c04ebd5cb550ba90732c11a5514ee]	
  
lRf9QWOrhAYbNf4_PUdZ58DtKpfmTihu	
  (Running)	
  
-­‐-­‐	
  [c2fce38a8ba86caf0e3f1462177809f14d905c26e3cd04ac907d7d18ad9a63f0]	
  
R0bZK2O-­‐1SWsoTp7a2gas1-­‐cHjnFIlf_	
  (Running)	
  
$	
  ./bin/codetainer	
  image	
  register	
  ubuntu:14.04	
  
Codetainer	
  08:01:31	
  [~INFO]	
  Registering	
  New	
  Image:	
  
&{91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e	
  
	
  267c	
  	
  	
  [ubuntu:14.04]	
  0001-­‐01-­‐01	
  00:00:00	
  +0000	
  UTC	
  0001-­‐01-­‐01	
  
00:00:00	
  +0000	
  UTC	
  true}	
  
odetainer	
  08:01:31	
  [~INFO]	
  Registration	
  succeeded.
challenges
Dealing  with  missing  introspecXon  APIs  (e.g.  file  lisXng)  
minimize  risk  of  abuse  by  ‘sandboxing’  what  a  
container  can  do
Docker Security Knobs
{	
  
	
  	
  "Config":	
  {	
  
	
  	
  	
  	
  "NetworkDisabled":	
  true	
  
	
  	
  },	
  
	
  	
  "HostConfig":	
  {	
  
	
  	
  	
  	
  "Privileged":	
  false,	
  
	
  	
  	
  	
  "ReadonlyRootfs":	
  true,	
  
	
  	
  	
  	
  "Memory":	
  1000000000,	
  
	
  	
  	
  	
  "Ulimits":	
  [{	
  "Name":	
  "nofile",	
  "Soft":	
  
1024,	
  "Hard":	
  2048	
  }]	
  
	
  	
  }	
  
limiting a codetainer’s permissions using
profiles
$	
  ./bin/codetainer	
  profile	
  register	
  ./
secure.json	
  secure	
  
2015/09/18	
  10:52:54	
  Created	
  profile	
  with	
  
id=767653c7-­‐8fb6-­‐4f78-­‐bfcf-­‐3853bbe6df64:	
  
2015/09/18	
  10:52:54	
  -­‐-­‐	
  
2015/09/18	
  10:52:54	
  {	
  
	
  	
  "Config":	
  {	
  
	
  	
  	
  "NetworkDisabled":	
  true	
  
	
  	
  },	
  
	
  	
  "HostConfig":	
  {	
  
• pass	
  codetainer-­‐profile-­‐id	
  to	
  POST	
  /api/v1/
codetainer	
  when	
  creating	
  a	
  codetainer
secure.json
Missing APIs
• Docker  has  an  API  to  ‘exec’  processes  in  the  context  
of  a  container.  
• SoluXon:  mount  all  codetainers  with  a  shared  “/
codetainer/uXls”  volume  with  custom  tools.  
• Example:  /api/v1/codetainer/{id}/files    
• Executes  /codetainer/uXls/files    —path  <path>    
• returns  JSON  path  lisXng
demo time!
• creaXng  a  codetainer  
• lsof  tutorial
status
• “Alpha”  -­‐  works  but  needs  a  lifle  more  ‘umph’  to  
make  it  producXon  ready    
• Auth  for  API  
• DocumentaXon,  documentaXon,  documentaiton  
• TesXng
contribute!
github.com/codetainerapp/codetainer
jandre@gmail.com  or  @fun_cuddles  on  twifer
or just say hi…

More Related Content

What's hot

What's hot (20)

Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 
Why rust?
Why rust?Why rust?
Why rust?
 
Is unit 5_message authentication and hash functions
Is unit 5_message authentication and hash functionsIs unit 5_message authentication and hash functions
Is unit 5_message authentication and hash functions
 
Bash shell scripting
Bash shell scriptingBash shell scripting
Bash shell scripting
 
Character Drivers
Character DriversCharacter Drivers
Character Drivers
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
 
Unix signals
Unix signalsUnix signals
Unix signals
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Golang execution modes
Golang execution modesGolang execution modes
Golang execution modes
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
 
Ipc in linux
Ipc in linuxIpc in linux
Ipc in linux
 
Using GTP on Linux with libgtpnl
Using GTP on Linux with libgtpnlUsing GTP on Linux with libgtpnl
Using GTP on Linux with libgtpnl
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 
MySQL GTID 시작하기
MySQL GTID 시작하기MySQL GTID 시작하기
MySQL GTID 시작하기
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
Mitigacion de ataques DDoS
Mitigacion de ataques DDoSMitigacion de ataques DDoS
Mitigacion de ataques DDoS
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
 

Similar to Codetainer: a Docker-based browser code 'sandbox'

TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepThe Incredible Automation Day
 
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"Fwdays
 
From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...Jérôme Petazzoni
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environmentSumedt Jitpukdebodin
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2Vincent Mercier
 
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQDocker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQErica Windisch
 
Web Applications with Eclipse RT and Docker in the Cloud
Web Applications with Eclipse RT and Docker in the CloudWeb Applications with Eclipse RT and Docker in the Cloud
Web Applications with Eclipse RT and Docker in the CloudMarkus Knauer
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionPaolo latella
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Developing and Deploying PHP with Docker
Developing and Deploying PHP with DockerDeveloping and Deploying PHP with Docker
Developing and Deploying PHP with DockerPatrick Mizer
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersBen Hall
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeBen Hall
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Get you Java application ready for Kubernetes !
Get you Java application ready for Kubernetes !Get you Java application ready for Kubernetes !
Get you Java application ready for Kubernetes !Anthony Dahanne
 
Working in the multi-cloud with libcloud
Working in the multi-cloud with libcloudWorking in the multi-cloud with libcloud
Working in the multi-cloud with libcloudGrig Gheorghiu
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline Docker, Inc.
 
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsI Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsMichael Lange
 

Similar to Codetainer: a Docker-based browser code 'sandbox' (20)

TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by step
 
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"
Guray Yildirim "Tooling and Managing Docker Containers With Python: Why and How"
 
From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environment
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2
 
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQDocker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
Docker for Developers: Dev, Test, Deploy @ BucksCo Devops at MeetMe HQ
 
Mini-Training: Docker
Mini-Training: DockerMini-Training: Docker
Mini-Training: Docker
 
Web Applications with Eclipse RT and Docker in the Cloud
Web Applications with Eclipse RT and Docker in the CloudWeb Applications with Eclipse RT and Docker in the Cloud
Web Applications with Eclipse RT and Docker in the Cloud
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to production
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Developing and Deploying PHP with Docker
Developing and Deploying PHP with DockerDeveloping and Deploying PHP with Docker
Developing and Deploying PHP with Docker
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Get you Java application ready for Kubernetes !
Get you Java application ready for Kubernetes !Get you Java application ready for Kubernetes !
Get you Java application ready for Kubernetes !
 
Working in the multi-cloud with libcloud
Working in the multi-cloud with libcloudWorking in the multi-cloud with libcloud
Working in the multi-cloud with libcloud
 
Excelian hyperledger walkthrough-feb17
Excelian hyperledger walkthrough-feb17Excelian hyperledger walkthrough-feb17
Excelian hyperledger walkthrough-feb17
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsI Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 

Recently uploaded (20)

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 

Codetainer: a Docker-based browser code 'sandbox'

  • 1. codetainer building  a  browser    code  `sandbox` Jen  Andre   E4E  Conference,  Sep  2015
  • 2. about me @fun_cuddles  /  jenpire.com  /   organizer  @BostonGoLang   EIR  Accomplice  VC   co-­‐founder  @threatstack,     formerly  researcher   @Mandiant,  @Symantec    
  • 3. what is a ‘codetainer’?
  • 4. “try ‘X’ in your browser”
  • 7. use cases tutorials  for  APIs   learn  programming  language  X   training  on  UNIX  tools,  debugging,  etc   remote  management  for  containers
  • 8. requirements flexible  &  powerful  enough  to  support  mulXple  use-­‐ cases  (programmable,  API  driven)   self-­‐hosted  (open  source!)   reasonably  secure-­‐able  :)
  • 10. “Docker  allows  you  to  package  an  applicaXon  with  all   of  its  dependencies  into  a  standardized  unit  for   so`ware  development.” host linux system container process process virtual file system system namespaces docker daemon/API tools container process process virtual file system system namespaces … process  virtualiza/on
  • 11. not your parent’s virtualization • it’s  lightweight!     • process  containers  measured  in  terms  of  kilobytes  or  megabytes   instead  of  GB   • startup  measured  in  seconds,  not  minutes   • images  are  layered  and  reusable   • (see  DockerHub)   • there’s  powerful  introspecXon  /  management  APIs   • Management  is  programmable
  • 12. introspection peer  “inside”  of  containers  and  perform  acXons
  • 13. codetainer architecture codetainer API server loaded via iframe docker API “codetainer” process “codetainer” process “codetainer” process http / websockets sqlite /api/v1/codetainer/{id}/attach /api/v1/codetainer/{id}/create /api/v1/codetainer/{id}/stop …
  • 14. components •  “codetainer”   •  this  is  just  a  Docker  container     • “codetainer  image”     •  this  is  a  Docker  image  registered  for  codetainer  use   • “codetainer  profile”     •  this  is  a  profile  associated  with  a  codetainer  that   defines  its  runXme  characterisXcs  (e.g.  security)
  • 15. other tools • Go   • Docker  APIs  wrifen  in  this   • It’s  just  a  nice,  clean  language  you  can  be  producXve  in  quickly   • xterm.js   • for  rendering  terminals  in  the  browser   • sqlite   • for  storing  metdata  about  ‘codetainers’  
  • 17. starting the server $  ./bin/codetainer  server   Codetainer  10:34:16  [~INFO]  Initializing  Codetainer   (0.1.0)   Codetainer  10:34:16  [~INFO]  URL:  http://127.0.0.1:3000   $  ./bin/codetainer  —help   usage:  Codetainer  [<flags>]  <command>  [<args>  ...]   Flags:      -­‐-­‐help                              Show  help  (also  see  -­‐-­‐help-­‐long   and  -­‐-­‐help-­‐man).      -­‐v,  -­‐-­‐debug                    Enable  debug  logging.      -­‐-­‐dev                                Enable  dev  mode.      -­‐q,  -­‐-­‐quiet                    Remove  all  output  logging.  
  • 18. step 1: create an image • Create  your  Docker  image     • Register  a  Docker  image  for  use  in  a  codetainer   • POST  /api/v1/image $  curl  -­‐XPOST  http://127.0.0.1:3000/api/v1/image  -­‐-­‐data  "id=tcpdump-­‐ demo:latest&description=hi"  2>  /dev/null  |  jq  .   {      "image":  {          "id":   "e5d42500e0419df4a29d1ed443de2da5c2c8d2e683cb045883b79b2e826910b0",          "command":  "",          "description":  "hi",          "Tags":  [              "tcpdump-­‐demo:latest"          ],          "CreatedAt":  "0001-­‐01-­‐01T00:00:00Z",          "UpdatedAt":  "0001-­‐01-­‐01T00:00:00Z",          "Enabled":  true      }  
  • 19. step 2: launch a codetainer • POST  /api/v1/codetainer $  curl  -­‐XPOST  http://127.0.0.1:3000/api/v1/codetainer/  -­‐-­‐data   "name=tcpdump&image-­‐id=tcpdump-­‐demo:latest"  2>  /dev/null  |  jq  .   {      "codetainer":  {          "id":   "07fd1305dc22714ff5c005f8edb5db8bb462ff931bb94c51feab879a10cbcaa6",          "name":  "tcpdump",          "image-­‐id":   "e5d42500e0419df4a29d1ed443de2da5c2c8d2e683cb045883b79b2e826910b0",          "Defunct":  false,          "Running":  false,          "Profile":  "",          "CreatedAt":  "0001-­‐01-­‐01T00:00:00Z",          "UpdatedAt":  "0001-­‐01-­‐01T00:00:00Z"      }  
  • 20. step 3: interact with it! • /api/v1/codetainer/{id}/attach  (attach  via  websockets)   • /api/v1/codetainer/{id}/view  (render  terminal  view)   • /api/v1/codetainer/{id}/send  (send  keystrokes)
  • 21. more! • List/Upload/Download  files  in  a  codetainer   • GET  /api/v1/codetainer/{id}/files   • GET  /api/v1/codetainer/{id}/files/ download   • PUT  /api/v1/codetainer/{id}/files/upload
  • 22. command-line too $  ./bin/codetainer  list   Found  2  codetainers.   -­‐-­‐  [4505c3c844a46f4966280cd6762d3512ba8c04ebd5cb550ba90732c11a5514ee]   lRf9QWOrhAYbNf4_PUdZ58DtKpfmTihu  (Running)   -­‐-­‐  [c2fce38a8ba86caf0e3f1462177809f14d905c26e3cd04ac907d7d18ad9a63f0]   R0bZK2O-­‐1SWsoTp7a2gas1-­‐cHjnFIlf_  (Running)   $  ./bin/codetainer  image  register  ubuntu:14.04   Codetainer  08:01:31  [~INFO]  Registering  New  Image:   &{91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e    267c      [ubuntu:14.04]  0001-­‐01-­‐01  00:00:00  +0000  UTC  0001-­‐01-­‐01   00:00:00  +0000  UTC  true}   odetainer  08:01:31  [~INFO]  Registration  succeeded.
  • 23. challenges Dealing  with  missing  introspecXon  APIs  (e.g.  file  lisXng)   minimize  risk  of  abuse  by  ‘sandboxing’  what  a   container  can  do
  • 25. {      "Config":  {          "NetworkDisabled":  true      },      "HostConfig":  {          "Privileged":  false,          "ReadonlyRootfs":  true,          "Memory":  1000000000,          "Ulimits":  [{  "Name":  "nofile",  "Soft":   1024,  "Hard":  2048  }]      }   limiting a codetainer’s permissions using profiles $  ./bin/codetainer  profile  register  ./ secure.json  secure   2015/09/18  10:52:54  Created  profile  with   id=767653c7-­‐8fb6-­‐4f78-­‐bfcf-­‐3853bbe6df64:   2015/09/18  10:52:54  -­‐-­‐   2015/09/18  10:52:54  {      "Config":  {        "NetworkDisabled":  true      },      "HostConfig":  {   • pass  codetainer-­‐profile-­‐id  to  POST  /api/v1/ codetainer  when  creating  a  codetainer secure.json
  • 26. Missing APIs • Docker  has  an  API  to  ‘exec’  processes  in  the  context   of  a  container.   • SoluXon:  mount  all  codetainers  with  a  shared  “/ codetainer/uXls”  volume  with  custom  tools.   • Example:  /api/v1/codetainer/{id}/files     • Executes  /codetainer/uXls/files    —path  <path>     • returns  JSON  path  lisXng
  • 27.
  • 28. demo time! • creaXng  a  codetainer   • lsof  tutorial
  • 29. status • “Alpha”  -­‐  works  but  needs  a  lifle  more  ‘umph’  to   make  it  producXon  ready     • Auth  for  API   • DocumentaXon,  documentaXon,  documentaiton   • TesXng