SlideShare uma empresa Scribd logo
1 de 14
Baixar para ler offline
Hacking Containers
Looking at Cgroups
Eng Teong Cheah
Microsoft MVP
Looking at Cgroups
Inside the Kali virtual machine in the cloud, let’s begin by creating a very simple container
that will give us a shell:
Looking at Cgroups
We should now be editing our Dockerfile within the containers/easy directory. The
following lines should be entered into that file to be able to create a simple container:
The file we have created is known as Dockerfile.
Each and every command in the file has meaning; for example,
FROM (1) represents one command in the container and will be stored as a Singapore
command in the storage file system
CMD (2) represents another command.
Looking at Cgroups
Let’s build and run our container so that we can explore cgroups:
These container commands will first build a container in the current directory (3) using
the Dockerfile we created and will assign it tag of the ghh-easy (4).
We can then execute a dicker command to run the container in interactive mode.
Looking at Cgroups
The control groups on a Kali System will be based on cgroups version 2, which allows for
tight controls.
One of the major differences between version 1 and version 2 is the directory hierarchy,
which is viewable by using the syst file at /sys/fs/cgroup.
Looking at Cgroups
In cgroup version 1, each resource had its own hierarchy, and the map to namespaces:
• CPU
• cpuacct
• cpuset
• devices
• freezer
• memory
• netcls
• PIDs
Looking at Cgroups
The following commands should be performed in a new windows, as we should leave a
Docker container running:
The first command will put us in the proc directory of Linux, specifically in the process ID
of the running Docker container (5)
The second command will output the cgroup location that our process is running.
Looking at Cgroups
Let’s return to our Kali host. Here are some commands that can help us work with the
Docker API:
docker container ls
This command shows all containers running or stopped.
docker stop
This command stops stops the containers.
docker run
This command removes a container.
Namespaces
Nsmespaces and cgroups are tightly linked, as namespaces are how the Linux Kernel can
form constraints around specific items.
Namespaces, similar to how programming like C++ use them, allow for a process or
collection of kernel control objects to be grouped together.
This grouping limits or controls what that process or object can see.
Namespaces
To leverage the namespace, we can use a set of APIs that are exposed by the kernel itself:
clone()
This will clone a process and then create the appropriate namespace for it.
setns()
This allows an existing process to move into a namespace that we may be able to use.
unshare()
This moves the process out of a namespace
Namespaces
You might find that exploits designed for use in the kernel outside of a container fail, and
the reason they fail may have to do with the visibility the exploit has on the individual
items on the disk.
You may have to rewrite your exploit to leverage a different set of APIs to move outside
of a namespace and back into the global namespace.
Demo
Looking at Cgroups
References
Gray Hat Hacking, Sixth Edition

Mais conteúdo relacionado

Semelhante a Hacking Containers - Looking at Cgroups

Semelhante a Hacking Containers - Looking at Cgroups (20)

Docker @ Atlogys
Docker @ AtlogysDocker @ Atlogys
Docker @ Atlogys
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
 
Docker.pdf
Docker.pdfDocker.pdf
Docker.pdf
 
Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization  XP conference 2016Introduction to Docker - Learning containerization  XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016
 
Academy PRO: Docker. Lecture 2
Academy PRO: Docker. Lecture 2Academy PRO: Docker. Lecture 2
Academy PRO: Docker. Lecture 2
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Docker
DockerDocker
Docker
 
Docker by Example - Quiz
Docker by Example - QuizDocker by Example - Quiz
Docker by Example - Quiz
 
Docker by Example - Quiz
Docker by Example - QuizDocker by Example - Quiz
Docker by Example - Quiz
 
Docker interview Questions-2.pdf
Docker interview Questions-2.pdfDocker interview Questions-2.pdf
Docker interview Questions-2.pdf
 
Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2
 
Containerization and Docker
Containerization and DockerContainerization and Docker
Containerization and Docker
 
Containers & Security
Containers & SecurityContainers & Security
Containers & Security
 
Docker workshop 0507 Taichung
Docker workshop 0507 Taichung Docker workshop 0507 Taichung
Docker workshop 0507 Taichung
 
手把手帶你學 Docker 入門篇
手把手帶你學 Docker 入門篇手把手帶你學 Docker 入門篇
手把手帶你學 Docker 入門篇
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
An introduction to contianers and Docker for PHP developers
An introduction to contianers and Docker for PHP developersAn introduction to contianers and Docker for PHP developers
An introduction to contianers and Docker for PHP developers
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 

Mais de Eng Teong Cheah

Mais de Eng Teong Cheah (20)

Monitoring Models
Monitoring ModelsMonitoring Models
Monitoring Models
 
Responsible Machine Learning
Responsible Machine LearningResponsible Machine Learning
Responsible Machine Learning
 
Training Optimal Models
Training Optimal ModelsTraining Optimal Models
Training Optimal Models
 
Deploying Models
Deploying ModelsDeploying Models
Deploying Models
 
Machine Learning Workflows
Machine Learning WorkflowsMachine Learning Workflows
Machine Learning Workflows
 
Working with Compute
Working with ComputeWorking with Compute
Working with Compute
 
Working with Data
Working with DataWorking with Data
Working with Data
 
Experiments & TrainingModels
Experiments & TrainingModelsExperiments & TrainingModels
Experiments & TrainingModels
 
Automated Machine Learning
Automated Machine LearningAutomated Machine Learning
Automated Machine Learning
 
Getting Started with Azure Machine Learning
Getting Started with Azure Machine LearningGetting Started with Azure Machine Learning
Getting Started with Azure Machine Learning
 
Hacking Containers - Container Storage
Hacking Containers - Container StorageHacking Containers - Container Storage
Hacking Containers - Container Storage
 
Hacking Containers - Linux Containers
Hacking Containers - Linux ContainersHacking Containers - Linux Containers
Hacking Containers - Linux Containers
 
Data Security - Storage Security
Data Security - Storage SecurityData Security - Storage Security
Data Security - Storage Security
 
Application Security- App security
Application Security- App securityApplication Security- App security
Application Security- App security
 
Application Security - Key Vault
Application Security - Key VaultApplication Security - Key Vault
Application Security - Key Vault
 
Compute Security - Container Security
Compute Security - Container SecurityCompute Security - Container Security
Compute Security - Container Security
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host Security
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter Security
 
Access Security - Hybrid Identity
Access Security - Hybrid IdentityAccess Security - Hybrid Identity
Access Security - Hybrid Identity
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Hacking Containers - Looking at Cgroups

  • 3. Looking at Cgroups Inside the Kali virtual machine in the cloud, let’s begin by creating a very simple container that will give us a shell:
  • 4. Looking at Cgroups We should now be editing our Dockerfile within the containers/easy directory. The following lines should be entered into that file to be able to create a simple container: The file we have created is known as Dockerfile. Each and every command in the file has meaning; for example, FROM (1) represents one command in the container and will be stored as a Singapore command in the storage file system CMD (2) represents another command.
  • 5. Looking at Cgroups Let’s build and run our container so that we can explore cgroups: These container commands will first build a container in the current directory (3) using the Dockerfile we created and will assign it tag of the ghh-easy (4). We can then execute a dicker command to run the container in interactive mode.
  • 6. Looking at Cgroups The control groups on a Kali System will be based on cgroups version 2, which allows for tight controls. One of the major differences between version 1 and version 2 is the directory hierarchy, which is viewable by using the syst file at /sys/fs/cgroup.
  • 7. Looking at Cgroups In cgroup version 1, each resource had its own hierarchy, and the map to namespaces: • CPU • cpuacct • cpuset • devices • freezer • memory • netcls • PIDs
  • 8. Looking at Cgroups The following commands should be performed in a new windows, as we should leave a Docker container running: The first command will put us in the proc directory of Linux, specifically in the process ID of the running Docker container (5) The second command will output the cgroup location that our process is running.
  • 9. Looking at Cgroups Let’s return to our Kali host. Here are some commands that can help us work with the Docker API: docker container ls This command shows all containers running or stopped. docker stop This command stops stops the containers. docker run This command removes a container.
  • 10. Namespaces Nsmespaces and cgroups are tightly linked, as namespaces are how the Linux Kernel can form constraints around specific items. Namespaces, similar to how programming like C++ use them, allow for a process or collection of kernel control objects to be grouped together. This grouping limits or controls what that process or object can see.
  • 11. Namespaces To leverage the namespace, we can use a set of APIs that are exposed by the kernel itself: clone() This will clone a process and then create the appropriate namespace for it. setns() This allows an existing process to move into a namespace that we may be able to use. unshare() This moves the process out of a namespace
  • 12. Namespaces You might find that exploits designed for use in the kernel outside of a container fail, and the reason they fail may have to do with the visibility the exploit has on the individual items on the disk. You may have to rewrite your exploit to leverage a different set of APIs to move outside of a namespace and back into the global namespace.