SlideShare a Scribd company logo
Classification: Public 1
Classification: Public 3
Theme
SBA Research gGmbH, 2020
Classification: Public 6
apache2/
fpm mysql
reverse
proxy
Linux Kernel
Classification: Public 7
Nextcloud: Known Vulnerabilties
SBA Research gGmbH, 2020
Classification: Public 8SBA Research gGmbH, 2020
Container Image
Classification: Public 9
Container
(Linux Process)
Virtual Machine
(Node /Pod/…)
Registry
Container
Image
Classification: Public 10
Structure in this talk
• What can we do inside?
• Can we break out?
• What‘s protecting us?
• How can we restrict even
further?
SBA Research gGmbH, 2020
Linux Kernel
Apache
(nextcloud)
mysql
https://media.springernature.com/original/springer-static/image/chp%3A10.1007%2F978-3-662-53899-9_5/MediaObjects/418677_2_De_5_Fig4_HTML.jpg
Classification: Public 11
Remote Code Exection Attacks
SBA Research gGmbH, 2020
apache
<www-data>
/usr/bin/id
/bin/sh
apache
<root>
tcp/80
tcp/443
Classification: Public 12
Filesystem
SBA Research gGmbH, 2020
Classification: Public 13
Config in Files
SBA Research gGmbH, 2020
config/config.php
Classification: Public 14
Secrets in Env
SBA Research gGmbH, 2020
apache
<www-data>
/bin/sh
apache
<root>
inheritance
Classification: Public 15
A look on the inner workings
SBA Research gGmbH, 2020
Classification: Public 16
On the inside
SBA Research gGmbH, 2020
Classification: Public 17
Drop of privileges (resuid, drop privileges)
• The forked process
SBA Research gGmbH, 2020
apache
<www-data>
apache
<root>
tcp/80
tcp/443
https://iximiuz.com/en/posts/journey-from-containerization-
to-orchestration-and-beyond/#container-runtimes
Classification: Public 18
Capabilities
• CAP_CHOWN
• CAP_DAC_OVERRIDE
• CAP_NET_ADMIN
• CAP_NET_BIND_SERVICE
• CAP_NET_RAW
• CAP_SYS_ADMIN
• CAP_SYS_BOOT
• CAP_SYS_CHROOT
• …
expressed as bitmask in
/proc/$$/status
SBA Research gGmbH, 2018
https://www.andreasch.com/2018/01/13/capabilities/
# setcap cap_net_bind_service+ep
/usr/sbin/apache
Extended attribute
apache
<www-data>
apache
<www-data>
tcp/80
tcp/443
/usr/sbin/apache2
Classification: Public 22
Isolation Concepts
Can we break out?
SBA Research gGmbH, 2020
Classification: Public 23
SSHd
apache2 mysql
Classification: Public 24
Namespaces
SBA Research gGmbH, 2020
pid mnt net user …
Classification: Public 25
„Container“
Apache2
Pid 1 (pid)
https://www.ebay.com/itm/Kenley-Mini-Sandbox-for-Desk-Miniature-Beach-Zen-Garden-Sand-Toys-Play-Kit-/253472884998
Linux Kernel
File system
(mnt)
Network
Interface
(net) Apache worker
(pid 5)
data
Classification: Public 26
Unshare (1)
SBA Research gGmbH, 2020
Classification: Public 29
lsns
SBA Research gGmbH, 2020
Classification: Public 30
Mount Namespace
SBA Research gGmbH, 2020
mounted „root“
filesystem
The new
/proc
/sysfs
/dev
/run
Classification: Public 33
Example: root shell in a container (alpine)
SBA Research gGmbH, 2020
Classification: Public 34
Suid in Containers?
SBA Research gGmbH, 2020
Classification: Public 35
Attack Surface: DACL, CAP
SBA Research gGmbH, 2020
syscall, e.g. mount
/bin/sh
<root>
task (process) runs as
user id 1002 (www-data)
has not effective uid 0 (root)
=> permission denied
has not CAP_SYS_ADMIN
capabilitiy set
=> permission denied
syscall, e.g. read
Linux Kernel
task (process) runs as
user id 1002 (www-data)
has access to /dev/sda1
(brw-rw---- 1 root disk 8 /dev/sda1)
= file not found
syscall, e.g. mknod has not CAP_SYS_ADMIN
capabilitiy set
=> permission denied
Classification: Public 37
$ docker run --rm -it alpine
SBA Research gGmbH, 2020
$ sudo capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,
cap_fsetid,cap_kill,cap_setgid,cap_sesys_chroot,cap_mknod
,cap_audit_write,cap_setfcap
CAP_SYS_ADMIN
is missing
Classification: Public 39
Capabilities (from Docker running root shell)
SBA Research gGmbH, 2018
https://man7.org/linux/man-pages/man7/capabilities.7.html
# sudo capsh --decode=00000000a80425fb
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,ca
p_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_
service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_a
udit_write,cap_setfcap
Classification: Public 40
$ docker run --cap-add=CAP_SYS_ADMIN -it alpine
SBA Research gGmbH, 2020
sudo capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fo
wner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_s
etpcap,cap_net_bind_service,cap_net_raw,cap_sys_chro
ot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfc
ap
Classification: Public 43
Privileged Containers
SBA Research gGmbH, 2020
Classification: Public 46
Local Privilege Escalation (Kernel Bug)
• Dirty Cow CVE-2016-5195
• map_write() CVE-2018-18955
• …
SBA Research gGmbH, 2020
Classification: Public 47
Restriction of Actions
Enforcing Mandatory Access
Control
SBA Research gGmbH, 2020
https://kirby-live-radio.fandom.com/wiki/Sandbox_page
Classification: Public 48
Mandatory Access Control
SBA Research gGmbH, 2020
AppArmor SELinux
process /etc/passwd
/bin/sh
1.1.1.1:80
Classification: Public 50
Quick Fix with AppArmor
• /etc/apparmor.d/usr.sbin.apache2
SBA Research gGmbH, 2018
profile docker-nextcloud
flags=(attach_disconnected,mediate_deleted) {
...
deny /bin/dash x,
...
}
read (r), write (w),
append (a)
link (l)
lock (k)
mmap (m)
execute (ix)
child profile (Cx)
profile (Px)
unconfined (Ux)
/** recursive
# apparmor_parser -r -W docker-nextcloud
# aa-complain docker-nextcloud
# docker run --rm -it --security-opt "apparmor=docker-nextcloud" nextcloud
# aa-enforce docker-nextcloud
Classification: Public 51
SecComp
Filter syscalls
SBA Research gGmbH, 2020
Classification: Public 52
Syscall Interface
SBA Research gGmbH, 2020
Kernel
syscall
apache2
files
memory
process
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000
read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431
write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431
read(3, "", 131072) = 0
close(3) = 0
# /bin/cat /etc/passwd
Classification: Public 53SBA Research gGmbH, 2020
http://man7.org/linux/man-pages/man2/syscalls.2.html
Classification: Public 55
Seccomp BPF (filter syscalls)
• Create a BPF script via macros
• Load it via a syscall into the Kernel
SBA Research gGmbH, 2020
/* Allow system calls other than open() and openat() */
struct sock_filter filter[] = {
...
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)
}
struct sock_fprog prog = { .filter=filter, .len=... };
syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
Classification: Public 58
Example: BPF to kill proceses using syscalls
SBA Research gGmbH, 2020
# docker run -it --security-opt
seccomp=profile.json ...
{
"defaultAction":"SCMP_ACT_ALLOW",
"syscalls":[
{
"names":[
"bind",
"connect",
"mkdir"
],
"action":"SCMP_ACT_KILL",
Docker
Classification: Public 61
apache2/
fpm mysql
reverse
proxy
Classification: Public 63
Final Remarks
SBA Research gGmbH, 2020
0) Don‘t break your own stuff
1) Container Image Hygene (permissions, users, capabilities)
2) Orchestrator Configuration (volumes, capabilities)
3) Platform security: LPE on Linux Kernel (VM, PaaS)
*) Don‘t aim too high!
https://github.com/netblue30/firejail
https://github.com/flatpak/flatpak
https://github.com/containers/bubblewrap
https://source.android.com/security/app-sandbox
Classification: Public 64
Whatever you do, you have to watch closely …
SBA Research gGmbH, 2020
https://www.domradio.de/themen/corona/2020-08-12/was-hat-corona-mit-kindern-und-kindergaerten-gemacht-kindergartenleiterin-ueber-den-lockdown-und
Classification: Public 65
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Forschung & Beratung unter einem Dach
Applied Research
Industrial Security | IIoT Security |
Mathematics for Security Research |
Machine Learning | Blockchain | Network
Security | Sustainable Software Systems |
Usable Security
SBA Research
Knowhow Transfer
SBA Live Academy | sec4dev | Trainings |
Events | Teaching | sbaPRIME
Kontaktieren Sie uns: anfragen@sba-research.org
Reinhard Kugler
rkugler@sba-research.org

More Related Content

What's hot

Backups
BackupsBackups
1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster
OlinData
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log Decoder
Susam Pal
 
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
Hyperledger Korea User Group
 
Mem forensic
Mem forensicMem forensic
Mem forensic
Chong-Kuan Chen
 
Hadoop Installation and basic configuration
Hadoop Installation and basic configurationHadoop Installation and basic configuration
Hadoop Installation and basic configuration
Gerrit van Vuuren
 
20170602_OSSummit_an_intelligent_storage
20170602_OSSummit_an_intelligent_storage20170602_OSSummit_an_intelligent_storage
20170602_OSSummit_an_intelligent_storage
Kohei KaiGai
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
JUNICHI YOSHISE
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Igor Korkin
 
pgconfasia2016 plcuda en
pgconfasia2016 plcuda enpgconfasia2016 plcuda en
pgconfasia2016 plcuda en
Kohei KaiGai
 
Introducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
Introducing OpenHPC Cross Platform Provisioning Assembly for WarewulfIntroducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
Introducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
Naohiro Tamura
 
Putting some "logic" in LVM.
Putting some "logic" in LVM.Putting some "logic" in LVM.
Putting some "logic" in LVM.
Workhorse Computing
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
PG-Strom - GPGPU meets PostgreSQL, PGcon2015
PG-Strom - GPGPU meets PostgreSQL, PGcon2015PG-Strom - GPGPU meets PostgreSQL, PGcon2015
PG-Strom - GPGPU meets PostgreSQL, PGcon2015
Kohei KaiGai
 
20141111 파이썬으로 Hadoop MR프로그래밍
20141111 파이썬으로 Hadoop MR프로그래밍20141111 파이썬으로 Hadoop MR프로그래밍
20141111 파이썬으로 Hadoop MR프로그래밍
Tae Young Lee
 
Hopsfs 10x HDFS performance
Hopsfs 10x HDFS performanceHopsfs 10x HDFS performance
Hopsfs 10x HDFS performance
Jim Dowling
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
Andrew Case
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 

What's hot (20)

Backups
BackupsBackups
Backups
 
1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log Decoder
 
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
[2019.03] 멀티 노드에서 Hyperledger Fabric 네트워크 구성하기
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Hadoop Installation and basic configuration
Hadoop Installation and basic configurationHadoop Installation and basic configuration
Hadoop Installation and basic configuration
 
20170602_OSSummit_an_intelligent_storage
20170602_OSSummit_an_intelligent_storage20170602_OSSummit_an_intelligent_storage
20170602_OSSummit_an_intelligent_storage
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
 
pgconfasia2016 plcuda en
pgconfasia2016 plcuda enpgconfasia2016 plcuda en
pgconfasia2016 plcuda en
 
Introducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
Introducing OpenHPC Cross Platform Provisioning Assembly for WarewulfIntroducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
Introducing OpenHPC Cross Platform Provisioning Assembly for Warewulf
 
Putting some "logic" in LVM.
Putting some "logic" in LVM.Putting some "logic" in LVM.
Putting some "logic" in LVM.
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
PG-Strom - GPGPU meets PostgreSQL, PGcon2015
PG-Strom - GPGPU meets PostgreSQL, PGcon2015PG-Strom - GPGPU meets PostgreSQL, PGcon2015
PG-Strom - GPGPU meets PostgreSQL, PGcon2015
 
20141111 파이썬으로 Hadoop MR프로그래밍
20141111 파이썬으로 Hadoop MR프로그래밍20141111 파이썬으로 Hadoop MR프로그래밍
20141111 파이썬으로 Hadoop MR프로그래밍
 
Hopsfs 10x HDFS performance
Hopsfs 10x HDFS performanceHopsfs 10x HDFS performance
Hopsfs 10x HDFS performance
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 

Similar to SBA Security Meetup: I want to break free - The attacker inside a Container

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Research
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Mydbops
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
David Thomas
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker Captains
Docker, Inc.
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
Pivorak MeetUp
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87
Max Kleiner
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdocker
Jaehwa Park
 
Setup oracle golden gate 11g replication
Setup oracle golden gate 11g replicationSetup oracle golden gate 11g replication
Setup oracle golden gate 11g replication
Kanwar Batra
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
Linaro
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
Peter Griffin
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
Morteza Nourelahi Alamdari
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
raccoony
 
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with UciprovLukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Zabbix
 
Docker - container and lightweight virtualization
Docker - container and lightweight virtualization Docker - container and lightweight virtualization
Docker - container and lightweight virtualization
Sim Janghoon
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17
Michele Orselli
 
Sandboxing WebKitGTK (GUADEC 2019)
Sandboxing WebKitGTK (GUADEC 2019)Sandboxing WebKitGTK (GUADEC 2019)
Sandboxing WebKitGTK (GUADEC 2019)
Igalia
 

Similar to SBA Security Meetup: I want to break free - The attacker inside a Container (20)

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker Captains
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdocker
 
Setup oracle golden gate 11g replication
Setup oracle golden gate 11g replicationSetup oracle golden gate 11g replication
Setup oracle golden gate 11g replication
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
 
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with UciprovLukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
 
Docker - container and lightweight virtualization
Docker - container and lightweight virtualization Docker - container and lightweight virtualization
Docker - container and lightweight virtualization
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17
 
Sandboxing WebKitGTK (GUADEC 2019)
Sandboxing WebKitGTK (GUADEC 2019)Sandboxing WebKitGTK (GUADEC 2019)
Sandboxing WebKitGTK (GUADEC 2019)
 

More from SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
SBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Research
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
SBA Research
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
SBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
SBA Research
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
SBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
SBA Research
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Research
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Research
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research
 

More from SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
 

Recently uploaded

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
ChristopherTHyatt
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 

Recently uploaded (20)

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 

SBA Security Meetup: I want to break free - The attacker inside a Container

  • 2. Classification: Public 3 Theme SBA Research gGmbH, 2020
  • 3. Classification: Public 6 apache2/ fpm mysql reverse proxy Linux Kernel
  • 4. Classification: Public 7 Nextcloud: Known Vulnerabilties SBA Research gGmbH, 2020
  • 5. Classification: Public 8SBA Research gGmbH, 2020 Container Image
  • 6. Classification: Public 9 Container (Linux Process) Virtual Machine (Node /Pod/…) Registry Container Image
  • 7. Classification: Public 10 Structure in this talk • What can we do inside? • Can we break out? • What‘s protecting us? • How can we restrict even further? SBA Research gGmbH, 2020 Linux Kernel Apache (nextcloud) mysql https://media.springernature.com/original/springer-static/image/chp%3A10.1007%2F978-3-662-53899-9_5/MediaObjects/418677_2_De_5_Fig4_HTML.jpg
  • 8. Classification: Public 11 Remote Code Exection Attacks SBA Research gGmbH, 2020 apache <www-data> /usr/bin/id /bin/sh apache <root> tcp/80 tcp/443
  • 10. Classification: Public 13 Config in Files SBA Research gGmbH, 2020 config/config.php
  • 11. Classification: Public 14 Secrets in Env SBA Research gGmbH, 2020 apache <www-data> /bin/sh apache <root> inheritance
  • 12. Classification: Public 15 A look on the inner workings SBA Research gGmbH, 2020
  • 13. Classification: Public 16 On the inside SBA Research gGmbH, 2020
  • 14. Classification: Public 17 Drop of privileges (resuid, drop privileges) • The forked process SBA Research gGmbH, 2020 apache <www-data> apache <root> tcp/80 tcp/443 https://iximiuz.com/en/posts/journey-from-containerization- to-orchestration-and-beyond/#container-runtimes
  • 15. Classification: Public 18 Capabilities • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_RAW • CAP_SYS_ADMIN • CAP_SYS_BOOT • CAP_SYS_CHROOT • … expressed as bitmask in /proc/$$/status SBA Research gGmbH, 2018 https://www.andreasch.com/2018/01/13/capabilities/ # setcap cap_net_bind_service+ep /usr/sbin/apache Extended attribute apache <www-data> apache <www-data> tcp/80 tcp/443 /usr/sbin/apache2
  • 16. Classification: Public 22 Isolation Concepts Can we break out? SBA Research gGmbH, 2020
  • 18. Classification: Public 24 Namespaces SBA Research gGmbH, 2020 pid mnt net user …
  • 19. Classification: Public 25 „Container“ Apache2 Pid 1 (pid) https://www.ebay.com/itm/Kenley-Mini-Sandbox-for-Desk-Miniature-Beach-Zen-Garden-Sand-Toys-Play-Kit-/253472884998 Linux Kernel File system (mnt) Network Interface (net) Apache worker (pid 5) data
  • 20. Classification: Public 26 Unshare (1) SBA Research gGmbH, 2020
  • 21. Classification: Public 29 lsns SBA Research gGmbH, 2020
  • 22. Classification: Public 30 Mount Namespace SBA Research gGmbH, 2020 mounted „root“ filesystem The new /proc /sysfs /dev /run
  • 23. Classification: Public 33 Example: root shell in a container (alpine) SBA Research gGmbH, 2020
  • 24. Classification: Public 34 Suid in Containers? SBA Research gGmbH, 2020
  • 25. Classification: Public 35 Attack Surface: DACL, CAP SBA Research gGmbH, 2020 syscall, e.g. mount /bin/sh <root> task (process) runs as user id 1002 (www-data) has not effective uid 0 (root) => permission denied has not CAP_SYS_ADMIN capabilitiy set => permission denied syscall, e.g. read Linux Kernel task (process) runs as user id 1002 (www-data) has access to /dev/sda1 (brw-rw---- 1 root disk 8 /dev/sda1) = file not found syscall, e.g. mknod has not CAP_SYS_ADMIN capabilitiy set => permission denied
  • 26. Classification: Public 37 $ docker run --rm -it alpine SBA Research gGmbH, 2020 $ sudo capsh --decode=00000000a80425fb 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner, cap_fsetid,cap_kill,cap_setgid,cap_sesys_chroot,cap_mknod ,cap_audit_write,cap_setfcap CAP_SYS_ADMIN is missing
  • 27. Classification: Public 39 Capabilities (from Docker running root shell) SBA Research gGmbH, 2018 https://man7.org/linux/man-pages/man7/capabilities.7.html # sudo capsh --decode=00000000a80425fb cap_chown,cap_dac_override,cap_fowner,cap_fsetid,ca p_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_ service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_a udit_write,cap_setfcap
  • 28. Classification: Public 40 $ docker run --cap-add=CAP_SYS_ADMIN -it alpine SBA Research gGmbH, 2020 sudo capsh --decode=00000000a82425fb 0x00000000a82425fb=cap_chown,cap_dac_override,cap_fo wner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_s etpcap,cap_net_bind_service,cap_net_raw,cap_sys_chro ot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfc ap
  • 29. Classification: Public 43 Privileged Containers SBA Research gGmbH, 2020
  • 30. Classification: Public 46 Local Privilege Escalation (Kernel Bug) • Dirty Cow CVE-2016-5195 • map_write() CVE-2018-18955 • … SBA Research gGmbH, 2020
  • 31. Classification: Public 47 Restriction of Actions Enforcing Mandatory Access Control SBA Research gGmbH, 2020 https://kirby-live-radio.fandom.com/wiki/Sandbox_page
  • 32. Classification: Public 48 Mandatory Access Control SBA Research gGmbH, 2020 AppArmor SELinux process /etc/passwd /bin/sh 1.1.1.1:80
  • 33. Classification: Public 50 Quick Fix with AppArmor • /etc/apparmor.d/usr.sbin.apache2 SBA Research gGmbH, 2018 profile docker-nextcloud flags=(attach_disconnected,mediate_deleted) { ... deny /bin/dash x, ... } read (r), write (w), append (a) link (l) lock (k) mmap (m) execute (ix) child profile (Cx) profile (Px) unconfined (Ux) /** recursive # apparmor_parser -r -W docker-nextcloud # aa-complain docker-nextcloud # docker run --rm -it --security-opt "apparmor=docker-nextcloud" nextcloud # aa-enforce docker-nextcloud
  • 34. Classification: Public 51 SecComp Filter syscalls SBA Research gGmbH, 2020
  • 35. Classification: Public 52 Syscall Interface SBA Research gGmbH, 2020 Kernel syscall apache2 files memory process fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0 fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0 mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000 read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431 write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431 read(3, "", 131072) = 0 close(3) = 0 # /bin/cat /etc/passwd
  • 36. Classification: Public 53SBA Research gGmbH, 2020 http://man7.org/linux/man-pages/man2/syscalls.2.html
  • 37. Classification: Public 55 Seccomp BPF (filter syscalls) • Create a BPF script via macros • Load it via a syscall into the Kernel SBA Research gGmbH, 2020 /* Allow system calls other than open() and openat() */ struct sock_filter filter[] = { ... BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS) } struct sock_fprog prog = { .filter=filter, .len=... }; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
  • 38. Classification: Public 58 Example: BPF to kill proceses using syscalls SBA Research gGmbH, 2020 # docker run -it --security-opt seccomp=profile.json ... { "defaultAction":"SCMP_ACT_ALLOW", "syscalls":[ { "names":[ "bind", "connect", "mkdir" ], "action":"SCMP_ACT_KILL", Docker
  • 40. Classification: Public 63 Final Remarks SBA Research gGmbH, 2020 0) Don‘t break your own stuff 1) Container Image Hygene (permissions, users, capabilities) 2) Orchestrator Configuration (volumes, capabilities) 3) Platform security: LPE on Linux Kernel (VM, PaaS) *) Don‘t aim too high! https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
  • 41. Classification: Public 64 Whatever you do, you have to watch closely … SBA Research gGmbH, 2020 https://www.domradio.de/themen/corona/2020-08-12/was-hat-corona-mit-kindern-und-kindergaerten-gemacht-kindergartenleiterin-ueber-den-lockdown-und
  • 42. Classification: Public 65 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowhow Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org Reinhard Kugler rkugler@sba-research.org