
Container Escapes 101
Welcome to Container Escapes 101 at the AppSec Village at DEF CON 33!! 🎯 Goal: to have a working knowledge of container escapes and how each security measure or risk maps to potential for exploit...
So far, we’ve been SSH’d directly into our host node. This isn’t how we normally have access to escape so … how do these tactics still work? We’re going to use the same storage-based escapes as...
In this workshop, we’re going to mess with the host’s memory from inside a container. 😈 This workshop is the only one that requires an x86_64 architecture to run. Other architectures will lik...
In this workshop, we’re going to use a common configuration to avoid one bad security thing (explicitly privileged containers) by implementing another only-slightly-better feature - sharing the con...
In this workshop, we’re going to use the default container runtime group to escalate our privileges on the host. This is useful to escalate privileges by launching a privileged process even if we ...
In this workshop, we’re going to start exploring escapes using chroot. This is a great way to cross the boundary between a container’s filesystem and the host’s filesystem. This one starts with ...
In this workshop, we’re going to write to the host’s filesystem from inside of a container using a shared mountpoint. This is a good tactic to gain persistence, but also to escalate privileges or ...
Seccomp 101 The lowest level of our container stack is the operating system on the host. These resources are accessed by any process in the operating system (a container or not) by system calls (...
What capabilities do I have? Capabilities define what a process is allowed to do. Instead of an all-or-nothing approach of either being root with all the permissions or a user with nothing, capab...
Our shared kernel One of the fundamental tenets of containers is that they’re a process that shares a kernel’s resources. It is not a virtual machine. Let’s try something together … $ docker r...