Stripe Capture the Flag Meetup


Upload: abrody

Post on 25-May-2015


DESCRIPTION

The slides were part of a much more detailed talk and walkthrough, which was given at the Stripe Capture the Flag Meetup on March 1st. https://stripe.com/blog/stripe-ctf-meetup

TRANSCRIPT

1. Andy Brody (@alberge), Greg Brockman (@thegdb), Siddarth Chandrasekaran (@sidd) [ASCII-art flag]
2. Stripe makes it easy to start accepting credit cards on the web today. Why a CTF?
3. Educational. Challenging.
4. Fun!
5. Some Numbers
6. Numbers: IPs at each level
7. Numbers: cumulative IPs / level
8. Numbers: cumulative IPs / level
9. Numbers: concurrent logins
10. CTF Security: "Oh, UNIX has multiuser in its bones, this will be easy."
11. CTF Security: Support for anonymous users isn't great.
12. CTF Security: Services vulnerable to execution of arbitrary code!
13. Goal: per-user sandbox
14. Goal: per-user sandbox
   - lightweight spin-up
   - locked down environment
   - blissful unawareness of other users
15. Implementation: chroot jail
16. Implementation: chroot jail
   - User for each level
   - Debootstrap full install inside chroot
   - Separate filesystem for writable data
   - No /proc, no setuid binaries in /bin
   - Limited nodes in /dev
17. Implementation: chroot enforcement
   - chroot by user group with ssh
   - chroot with suPHP
18. Implementation: R/O FS
   - Great for security: even root can't modify without remounting.
   - Terrible for maintenance: can't make changes on the fly.
19. Implementation: R/O FS. Next time:
   - Mount the filesystem R/W elsewhere.
   - Bind mount it R/O inside the chroot.
20. Reality: imperfect isolation
21. Isolation: fork bombs
   - perl -e 'fork while fork'
22. Isolation: fork bombs. Causes:
   - script kiddies
   - people trying to brute force level06
   - process exhaustion from lots of users
23. Isolation: fork bombs. Mitigation:
   - cgroups
   - ulimits
   - killall -STOP; killall -KILL (by tty; by pgid or sid; by user + process name)
   - send CONT to innocent bystanders
24. Isolation: others
   - disk exhaustion
   - memory exhaustion
   - greedy I/O
   - level05 server: didn't want setuid for python; arbitrary code execution; cron job to kill & restart
25. Next time:
   - make user accounts!
   - let built-in user isolation do the work
   - control level access with groups, setgid
26. Cloud supported
27. Cloud supported
   - Completely isolated from the rest of our servers
   - Outbound traffic open during spin-up, but firewalled off in production
   - Spin up capacity to handle unexpected load
28. Questions?
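The fork-bomb mitigation sequence on slide 23 (freeze with STOP, kill by user and process name, then CONT the innocent bystanders caught in the sweep) is easy to get wrong by hand when a session is re-forking faster than an operator can type. The following is an added example, not code from the slides or from Stripe's CTF infrastructure: it plans that sequence from a constructed, ps-like process snapshot so it can be reasoned about offline. The `level02`/`level03` user names, the per-user threshold of 20 and the session layout are assumptions.

```python
"""Plan a fork-bomb response from a process-table snapshot.

Added example, not part of the original slides. It models the
mitigation order described on slide 23: SIGSTOP the whole session that
contains the offender, SIGKILL the offending (user, process name) pairs,
then SIGCONT the processes that were swept up but are not offenders.
The snapshot below is constructed by hand rather than read from /proc;
user names, session ids and the threshold are assumptions.
"""
import os
import signal
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    sid: int   # session id (what 'killall by sid' keys on)
    comm: str  # executable name (what 'killall by process name' keys on)


# Constructed snapshot: 'level02' has a login shell (pid 100), and in a
# second session (sid 150) a shell that launched 40 perl processes.
# 'level03' is an unrelated user with a shell and an editor.
SAMPLE_PROCS = [
    Proc(100, "level02", 100, "bash"),
    Proc(199, "level02", 150, "bash"),                    # session leader, innocent
    *[Proc(200 + i, "level02", 150, "perl") for i in range(40)],
    Proc(300, "level03", 300, "bash"),
    Proc(301, "level03", 300, "vim"),
]


def find_offenders(procs, per_user_limit=20):
    """Return the (user, comm) pairs whose count exceeds the per-user limit.

    Counting by user + process name, as the slide suggests, keeps the
    response narrow: a user with many shells is not treated like a bomb.
    """
    counts = Counter((p.user, p.comm) for p in procs)
    return {key for key, n in counts.items() if n > per_user_limit}


def plan_response(procs, per_user_limit=20):
    """Return an ordered list of (pid, signal) actions.

    1. SIGSTOP every process in any session holding an offender, so the
       bomb cannot out-fork the kills that follow.
    2. SIGKILL only the offending (user, comm) processes.
    3. SIGCONT the bystanders that step 1 froze.
    """
    offenders = find_offenders(procs, per_user_limit)
    bad_sessions = {p.sid for p in procs if (p.user, p.comm) in offenders}
    swept = [p for p in procs if p.sid in bad_sessions]
    actions = [(p.pid, signal.SIGSTOP) for p in swept]
    actions += [(p.pid, signal.SIGKILL) for p in swept
                if (p.user, p.comm) in offenders]
    actions += [(p.pid, signal.SIGCONT) for p in swept
                if (p.user, p.comm) not in offenders]
    return actions


def apply(actions, dry_run=True):
    """Deliver the planned signals in order; with dry_run only a log is built."""
    log = []
    for pid, sig in actions:
        if not dry_run:
            os.kill(pid, sig)  # requires privilege over the target user
        log.append(f"{sig.name} -> {pid}")
    return log


if __name__ == "__main__":
    for line in apply(plan_response(SAMPLE_PROCS)):
        print(line)
```

With the constructed snapshot the planner stops the 41 processes of session 150, kills the 40 perl processes, and sends CONT only to the session's shell (pid 199); the unrelated `level03` session and the user's other login shell are never touched. The cgroup and ulimit items on the same slide are the preventive half: a `pids` limit or `ulimit -u` caps the damage so this reactive sweep is rarely needed.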