Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A mainframe hacker and a container hacker get together to hack the planet. The talk is them joining together to do some interesting research on container for mainframes. Mainframes are old and slow; containers are fast and new.

ZCX runs Docker directly on the zOS for IBM mainframe. ATMs, retail sites, governments, air planes and many other things use mainframes. They are not just super old. ZCX is a hypervisor that emulates the mainframe on zOS. ZCX uses Docker.

CGroups control what the process is able to use. Namespaces control what a process is able to see, such as processes. The container is no different than any other process from the context of the kernel. This is the basis of Docker containerization. Namespace remapping (TODO). Two versions of Docker (TODO).

The mainframe hacker (Chad) initially looked at the weird installation process for the mainframe. With some static analysis on the bash scripts and encrypted file systems, they started to reverse engineer the system. They found a flag that could be turned on in the bash script that would turn on debugging for the author.

The default user for Docker on zOS had a fundamental security issue; the permission group had the ability to run containers, which could be used to get root privileges on the host immediately. Additionally, they had an auth plugin that blocked a ton of nice Docker functionality. So, how does this work?

After reading ALL OF THE DOCs, they understood what the plugin was blocking (thanks IBM)! The restrictions were missing quite a things though; reading the docs was quite helpful here. The restrictions were done with pattern matching on the standard Docker commands.

Making the Docker socket Read Only is a small security measure which only blocks Docker Run. The Docker binary has an HTTP server that can be used to work around all of the restrictions mentioned above. TODO - Getting around namespace renaming.

The security of the container relies on a set of keys. Once Ian escaped the container, there is a set of keys (signing private key) that they found and gave to Chad. The encryption keys for the file system were shared across instances, giving a false sense of security.

The AuthPlugin was interacting with different services then doing pattern matching to determine codes for system exists. A system exit is similar to an interrupt plugged into the mainframe. While Ian was confused about this, Chad took time to understand what the system exists in the AuthPlugin was.

The reference slides for the talk have a bunch of background information. If interested, these are the best resources for learning how to go about hacking. The storytelling and back-forth of the talk is amazing. The cross disciplinary action of this helped them learn a bunch!