{"guid":"317d369c-e694-573a-8ad6-e6e50eedd196","title":"Anatomy of a container-aware Linux kernel rootkit","subtitle":null,"slug":"eh19-168-anatomie-eines-containerfhigen-linux-kernel-rootkits","link":"https://conference.c3w.at/eh19/talk/D8GMPM/","description":"This talk gives insight into the implementation of a container-aware Linux kernel rootkit.\n\nLinux containers have become very popular, not least since the release of Docker. It can therefore be expected that attacks on containers will increase in the near future. If an attacker manages to break through the security measures, they can place a rootkit on the system. This talk shows how such a rootkit could be programmed in detail. It begins by explaining rootkits in general, then how containers are built and which technologies are used for them. It also gives insight into how Linux kernel rootkits work, and then examines the anatomy of a container-aware Linux kernel rootkit through the implementation of the rootkit \"themaster\". In the process it turned out that for some functions hooking system calls is the better fit, while for others hooking file operations in the virtual file system (VFS) is. Backdoor functions were also implemented which, on the one hand, can escalate the privileges of a user inside the container and, on the other hand, allow a container escape in the form of commands executed with full privileges on the global (host) system.","original_language":"deu","persons":["Wolfgang Hotwagner"],"tags":["eh19","168","eh19","easterhegg","Wien","c3w"],"view_count":297,"promoted":false,"date":"2019-04-21T00:00:00.000+02:00","release_date":"2019-04-22T02:00:00.000+02:00","updated_at":"2026-01-08T08:00:14.185+01:00","length":2060,"duration":2060,"thumb_url":"https://static.media.ccc.de/media/conferences/eh2019/168-hd.jpg","poster_url":"https://static.media.ccc.de/media/conferences/eh2019/168-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/conferences/eh2019/168-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/conferences/eh2019/168-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/eh19-168-anatomie-eines-containerfhigen-linux-kernel-rootkits","url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_title":"Easterhegg 2019","conference_url":"https://api.media.ccc.de/public/conferences/eh19","related":[{"event_id":6926,"event_guid":"e51e5695-68c6-52f8-828b-472a204ffaec","weight":9},{"event_id":6932,"event_guid":"3ac46290-51e0-5ee2-93a0-8fb4b99cf67c","weight":14},{"event_id":6933,"event_guid":"9c1e1638-3379-51e5-8fa0-8cbe690a01a2","weight":7},{"event_id":6943,"event_guid":"51bbfc4c-ee81-57db-83d6-15255179dde9","weight":9},{"event_id":6944,"event_guid":"1336e3ec-c48e-53b5-87b5-ceac47d73707","weight":9},{"event_id":6947,"event_guid":"e1eda897-6cc5-54f9-bf41-7c3aa6298207","weight":3},{"event_id":6949,"event_guid":"6b660983-80d1-5bca-8065-0d5a4d51a449","weight":8},{"event_id":6952,"event_guid":"19c5dfb0-f259-5082-8688-86966fb3bde8","weight":9},{"event_id":6953,"event_guid":"69bd5b99-fbd1-568f-8cde-9694b6f7e319","weight":10},{"event_id":6954,"event_guid":"39151e7e-9ca2-594c-8888-7faa6504e32d","weight":10},{"event_id":6957,"event_guid":"5ad8b048-a657-5dbe-9b06-36af39acec5e","weight":5},{"event_id":6958,"event_guid":"458227d2-7434-527f-9771-ba3eaf0a1147","weight":8}],"recordings":[{"size":158,"length":2060,"mime_type":"video/mp4","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-04-22T01:41:14.777+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/h264-hd/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_hd.mp4","url":"https://api.media.ccc.de/public/recordings/34783","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"},{"size":31,"length":2060,"mime_type":"audio/mpeg","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2019-04-22T01:43:05.524+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/mp3/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/34787","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"},{"size":19,"length":2060,"mime_type":"audio/opus","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2019-04-22T01:43:35.778+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/opus/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_opus.opus","url":"https://api.media.ccc.de/public/recordings/34788","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"},{"size":57,"length":2060,"mime_type":"video/mp4","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-04-22T01:44:06.447+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/h264-sd/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_sd.mp4","url":"https://api.media.ccc.de/public/recordings/34789","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"},{"size":87,"length":2060,"mime_type":"video/webm","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-04-22T01:54:36.900+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/webm-sd/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/34791","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"},{"size":204,"length":2060,"mime_type":"video/webm","language":"deu","filename":"eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-04-22T02:44:09.813+02:00","recording_url":"https://cdn.media.ccc.de/events/eh2019/webm-hd/eh19-168-deu-Anatomie_eines_containerfaehigen_Linux-Kernel-Rootkits_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/34794","event_url":"https://api.media.ccc.de/public/events/317d369c-e694-573a-8ad6-e6e50eedd196","conference_url":"https://api.media.ccc.de/public/conferences/eh19"}]}