Dynamically Hacking the Kernel with Containers · 2017-12-14 · Dynamically Hacking the Kernel...

Post on 20-May-2020

14 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

Transcript of Dynamically Hacking the Kernel with Containers · 2017-12-14 · Dynamically Hacking the Kernel...

Dynamically Hacking the Kernel with Containers

ContainerCon Japan 2016Tokyo

Quey-Liang KaoNational Tsing Hua University, Taiwan

About Myself● Research topics

– HPC (numerical), Heterogeneous computing– High-end hardware virtulization (InfiniBand, GPGPU)– Container technology

● Contributions– AUR packager and maintainer

● runc-git, openscap● kpatch

Outline● Motivation● Background● Demo: kernel detouring

– FreeBSD on Linux● Other approaches● Conclusion

Motivation

HigherPerformance

LowerIsolation

VM

Container

http://typemoon.wikia.com/wiki/Holy_Grail

Quick Survey

Terms● OS container

– Like a VM– No layered FS– LXC, OpenVZ, BSD

Jails, Solaris zones

● App container– For single service– layered FS– Docker, Rocket

https://blog.risingstack.com/operating-system-containers-vs-application-containers/

There Dimensions● System software

– OS container's perspective● Orchestration

– App container's perspective● Applications

Application

System Orchestration

DevOps

Security

NS, Cgroups KubernetesDocker Swarm

CoreOS

Application

System Orchestration

How do I OrchestrateMy Container?

By Isabel Jimenez

Application

System Orchestration

Containers at scalethanks to Kubernetes

By Brandon Philips

Application

System Orchestration

A Security State ofMind: ContainerSecurity in the

EnterpriseBy Chris Van Tuin

Application

System Orchestration

How the hell do Irun my containers

in production,and will it scale?By Daniël van Gils

Application

System Orchestration

Container Hacks &Fun Images

By Jessie Frazelle

Application

System Orchestration

Rootless Containerwith Runc

By Aleksa Sarai

Application

System Orchestration

Soft ContainerTowards 100%

Resource UtilizationBy Accela Zhao

Application

System Orchestration

Unprivileged Containers: What you Always Wanted

to Know About Name-spaces But Were Too

Afraid To AskBy James Bottomley

Application

System Orchestration

etc...

This workshould be here

Background

Modules,Live patches,

and Kerenl detouring

Kernel Module: Loading

Kernel

some_ext.ko

Kernel Space

User Space

Process:

insmod test.ko

syscall: init_module

Kernel Module: Using

Kernel some_ext.ko

Kernel Space

User Space

Process:

cat /dev/some_cdev

syscall: read

Live Patching: Building

Kernel

patch-fix.ko

Kernel Space

User Space

Process:

build fix.patch

syscall: init_module

File:fix.patch

Current kernel source

Bug()

Live Patching: Applying

Kernel

fix.ko

Kernel Space

User Space

Process:

insmod fix.ko

syscall: init_module

Bug()

Live Patching: Applying

Kernel fix.ko

Kernel Space

User Space

Bug() Bug-fixed()

ftrace

Kernel Detouring

Kernel detour.ko(namespace-aware)

Kernel Space

User Space

Normal Process Container

func() func()

Demo: Kernel Detouring

http://kirokueiga.seesaa.net/archives/201208-1.html

FreeBSD binary on Linux

01000110011100100110010101100101010000100101001101000100

Specific Challenges ( FreeBSD )● Corresponding system calls

– Flag numbers are not portable– different calling/exiting conventions

● Unique system calls– Re-implementation

General Challenges● Insufficient isolation● Limitation of development

– live patching should only be a temp. solution

Other Binary Compatibility Work● Wine

– Special loader for PEs/DLLs● FreeBSD, Windows 10

– Kernel built-in compatibility layer for Linux binary– System call remapping/re-implementation

Possible Applications● Experimental module/patch test bed● Images for other OSes● Educational purpose

– why not?

Other approaches● Hyper-V● Multi-Kernel● Unikernel

Microsoft Hyper-V● A private kernel per container

– stripped kernel reduced from Windows server● Unix-likes support

– as VMs ( in a VM-like container ) ( container-like VM )

Multi-Kernel● Barrelfish

– Philosophy: separation and duplication rather than keep syncing

– One kernel per core– Scalability and heterogeneity

● VirtuOS, Arrakis, Quest-V, etc.– Performance improvement

UniKernel● Rump Kernel, MirageOS, OSv, etc.

– Application oriented● no more general-purpose

– “Compiler” approach

http://www.penninkhof.com/2015/05/minimalist-cassandra-vm-using-osv/

HigherPerformance

LowerIsolation

VM

Container

http://typemoon.wikia.com/wiki/Holy_Grail

Hyper-V

Kernel detouring( or some kernel-space ext. )

New paradigms( Multi-kernel, Unikernels )

Conclusion● The kernel detouring demo attempts to

indicate a possible movement of the development of OS containers– as a proof-of-concept

● Future direction– Make more fun– Make it more complete

Q & A

Top related

Reliability of dynamically sensitive offshore platforms ... · Reliability of Dynamically Sensitive Offshore Platforms Exposed to Extreme Waves ii probability of dynamically sensitive
 Documents
HP-UX Containers Technical white paper - (US English) · HP-UX delivers built-in integration of virtualization and management software to dynamically enhance IT infrastructure. Within
 Documents
Hacking / Hacking Exposed 6: Network Security Secrets & …cdn.ttgtmedia.com/searchMidmarketSecurity/downloads/Hacking... · 153 Hacking / Hacking Exposed 6: Network Security Secrets
 Documents
CORSO CYBERSECURITY HACKING ETICO AVANZATO · CORSO CYBERSECURITY – HACKING ETICO AVANZATO Hacking ETICO ... • Google Hacking Tool: Google HackingDatabase (GH B) • Google Hacking
 Documents
Open Access Dynamically Tunable Electromagnetically Induced … · 2017. 9. 9. · IEEE Photonics Journal Dynamically Tunable Electromagnetically Induced Dynamically Tunable Electromagnetically
 Documents
Dynamically Loaded Bolts
 Documents
DYNAMICALLY-CONNECTED TRANSPORT
 Documents
A Hacking Atlas: Holistic Hacking in the Urban Theater · 2018-12-05 · of hacking and holistic hacking, and hacking spaces (and seven types of hacking spaces, each described below)
 Documents
Containers #101 Meetup: Containers & OpenStack
 Technology
Dynamically Linked Libraries
 Documents
Hacking Rural Medicine - Hacking 101
 Health & Medicine
HACKING AUTHENTICATION CHECKS IN WEB … · INDEX •Hacking Authentication Checks in Web Applications Hacking Application Designs Hacking J2EE Container Managed Authentication Hacking
 Documents
GOOGLE HACKING GOOGLE HACKING
 Documents
How to stop worrying about Application Container Security (v2) · 3: Defined • Enabling read-only containers to reduce attack surface • Data volumes are dynamically managed under
 Documents
Thinking Dynamically About Biological Mechanisms: Networks ...mechanism.ucsd.edu/~bill/research/Thinking Dynamically About... · Thinking Dynamically About Biological Mechanisms:
 Documents
Dynamically Incompressible Flow - InTech - Opencdn.intechopen.com/pdfs/32257/InTech-Dynamically... · 2018-09-25 · Dynamically Incompressible Flow 73 () ()u u dx x = (4) with partial
 Documents
HACKING CONTAINERS AND KUBERNETES...HACKING CONTAINERS AND KUBERNETES Exploiting and protecting containers with a few lines of scripting Chaos Communication Camp 2019 Mildenberg, August
 Documents
Deploy your Modern Private Cloud - Oracle Cloud · observable, and dynamically scalable to global enterprise levels. Containers Micro Services Serverless Development Pipelines Infrastructure
 Documents
Hacking: Computer Hacking Beginners Guide
 Documents
BPMN Modelling of Services with Dynamically … · containers. Attributes describe ... we show how the Business Process Modelling Notation ... BPMN, EJB attributes, and our case study.
 Documents

Copyright © 2022 FDOCUMENTS