 Thank you everyone for joining in. Today's topic is about securing services using system D. So there are multiple different ways of defense in depth in modern Linux systems, but we're going to look into a particular part of system D. I got really excited about it because when I discovered that how system D made things made really, really easy for anyone or literally kind of new to hold security side of a service. Now, when I say service, it means a service which is under system D, which is running on the system. This can be something like an internet-facing service. This can be some other applications running on the same box. There can be anything. Now, if you're a federal contributor, if you're a package or if you're a maintainer, then I hope from this workshop, you'll find some points which you can then use in your own project. Or if you're maintaining a package, then you maybe want to submit a PR or MR to the upstream, so that we have these features enabled for the packages you're maintaining. Now, I'll try to share my screen and then see how it goes. First, can everyone see this properly? If anyone just say yes, no, that will be helpful. Perfect. So before anything else, the things I'm going to say, you can all find all of these details on your computer in a man page. So whatever I'm going to talk about, you will find everything here. This whole workshop, if you don't have time, you don't want to go watch some of the talk and come back later in maybe the record, or you want to read and find out all of these things, you can find everything here, system DEX is it. So we're going to learn about various features here. If you think, or if you know that I'm saying something wrong or something really stupid, it's perfectly okay to say that, hey, I said you said something wrong, in this case me. So because it's a thing, something like I'm always learning and it's all of us together as a community. So it's perfectly okay to tell me that something is wrong and we can fix it or I'll learn it at that moment from you. So for this workshop, I just created a VM. It's a Federal 365, I was planning to use a Federal 36 VM, but I think I don't have the image right now on this place in OpenStack. We're trying. So over the years, as I said, like system DE added multiple features, correct for securing services. And we will look into a few of those, but before anything else, let's talk about a few of the very basic cases which can go wrong. And one of my favorite example, which I found on internet, I was about access to the TMP directory, that is temporary directory for TMP slash TMP, both cases. There are times when one single computer, one single system is running more than one service and multiple services are writing on or using slash TMP or virtual. And but at the same time, they're using it in a wrong way. So that like one service is being able to write or one user is being able to write in that temporary directory and modify values, configurations or changes the behavior of the other service. So anyone doing any basic course on like, you know, those pen testing courses and things, you will find, if you go and look any of the currently available pen testing courses, tools, you will find all of those tools. They try to automatically identify like the temporary directory is where everyone can write. And if any other service is running based on the temporary directory access, that's a problem. So that's where like one of the features of SystemD is to provide a private temporary directory. Notice Matthew, if you don't mind, like I'm not sure like, if anyone else should be able to join the video or not because I'm having my headphone on, but it still feels strange that like there is no one else to talk to or not to listen to anyone else on the other side. We just started by the way. So, what do you call it? Coming back, oops, this is a different box, this box. So yeah, Fedora35 and as I was speaking, private temporary directory. So what SystemD provides is the way where each and every service can have their own private temporary directories. So those will be mounted automatically by SystemD for you. So for each of those services, when the actual service, the application inside that service, it will see that it has a complete separate team temporary directory and it will feel like there is no other service running on that system. Now I'll try to copy paste commands if I can remember the commands, because of course it's pretty bad at remembering things. To mix things simpler, I'll become a producer. I hope this is okay. So, and also one like pretty important thing, this is something again I learned from one of Lenat's talk about SystemD, is that SystemD provides this nice utility that's to be called SystemD run. Using rich, we can try out these different features of SystemD services. We can try this out without even writing a complete service file of our own. So I found this is really nice way to learn these features and then we can, at the end of the workshop, we can write these things down in a proper, what do you call, service file. So for now, we'll just start with here. And we'll start with the private PMP, private VET, PMP equal to yes or true. So that's first parameter in hyphen P. Yes, hyphen P, it may be pass. Now you can see that it's created a dynamic service file based on the configuration I provided. And it also says how to get out of this. So actually, I'll get out first and then come back again. Let's see, control V, yeah, log out. Let's try slash TMP first. We have some directories, let's try VAR PMP. We also clouded it here. So this is something nice to see. Now let's, yep, because I press control D here, do this, let's see. If I remember correctly, this is what happens when you try to do live demo. I completely did a wrong command because, yep. So what happened is that it went into the run new 27.service and it also never stayed back on that. So now I have to see what I did type wrong. As I said that, always making mistakes and now I have to go and see the man page if I actually remember the command. I have all things written down, like the things I'm going to talk about, the things I'm going to do, et cetera, but completely forgot to write down the actual command to verify how this works. So if you don't mind, in a second I'll open up new terminal. Federal 35 and with system D run, AC Linux has something to say. So it's the AC Linux which stopped that service. I know why it is not running. So for now, okay, let's get back into that demo part. So this is my actual VM. We can see directories in slash DMP and we can see directories in part DMP. We can see the cloud unit. Now I'm saying private temporary directories, yes. And user thing passed. So you can see these two failed units were failed thanks to AC Linux. But we are now in a different environment. So if now I do slash DMP, it's empty. If I do slash what, empty, it's empty. So any service, even if you can see that I'm still wrote in this. I'm still wrote, but I'm still, this process, this user been passed, you cannot find anything on the temporary directories. So if you have three different services running in this box and one of the service is vulnerable to an attack via temporary directories, maybe it's reading user input or maybe it's reading reloading automatically from some configuration file. So that issue is gone at this moment because the services maybe which is facing internet right now is having private TMP, yes, or true. So that, you know, a private will be on, I think, so that the service will have its own private temporary directories. It cannot talk to or see anything else happening on the actual temporary director of the host. I hope this is, and if anyone, again, if anyone of you please try it out, feel free to try it out. It's always nice in a workshop if somebody tries out the same features as you know. I have a question about private temp, while I'm here, this is a coincidence, but someone was just telling me that private temp actually has some consequences beyond slash TMP that causes some other things to be namespaced separately as well. Is that true? Hey, do you know the details? If you don't, I didn't mean to be a gotcha. No, perfect. See, this is, I don't, first of all, answer. I know that I checked that what temp, those are the two directories which were namespaced into separately, but I really would love to hear these questions and this discussion, Matthew, because it's about learning together, right? I'm also learning all the time. I just remembered that now, something I was going to check later, and I thought, wait a minute, maybe this is the easiest way to check. Continue. So that's private TMP for all of us. We'll just get out of this. And now, let's say something else. If a process is running with access to the home directories, it can try to still, you know, if somebody can reach other users' home directories or if it's root or something similar, it can, like, you know, try maybe an RCE or like random file access. So it can try to read any other users' home directories. So just like private TMP, yes, we can also say to protect the home directories. So this will take care of the home directories. In the same, just like the private TMP, it will create temporary file systems with TMP FS and then it will mount. And when we say protect home, it will protect the slash home slash root and I think run user. So just before that, you can see in my host, it is slash, it is slash home, there is a federal user before the cloud account. And then maybe I will type PXT. Define this in my root directory. And I hope there are a lot of things in the slash run. Some of them will be at 11. So slash run, yes. Yeah, and this is one of them is our federal user. So it's to be run. So instead of private TMP, we do protect user being best and let's try. First thing to notice is that from our disk prompt, we moved into a completely different prompt because it's a, no, it's, okay, there's a question, mounting new file systems. Sage root, you can think like this, that it's created a temporary directory that namespace it completely. So yes, kind of Sage root, but not only Sage root. And it's taking care of creating those and deleting those or bringing them back as required. A system, we will take care of everything. You as a person who is starting on stopping the service, you don't have to worry anything or even like, you know, how to mount them properly or not. So there, you can see the home is not safe. I'm still rude if I do slash home, not there, slash, let's try run user. I think the 1000, the federal user is not there. Any questions about home directories? No questions. So, we're going to take home, but we still have access to various other parts of the Linux system. Let's say it's last proc, a lot of things running on this box, a lot of processes and details we can read because I'm still rude. So, just to protect the proc file system, system we provide something called perfect proc. We will try this out, not right now, mainly because to protect the proc, you have to make sure that the service is running as a different user than boot. So, protect proc equal to the values, that will not help you until you get into a different, like you run your service as a different user altogether, not as a, what do you call it, a rude user in this case. Any questions? Do this procedure take away root's power, to create start, create delete files and start or start, stop services? Yes and no, yes and no, because it can stop, take away a lot of root's power, at the same time it will still have access to some parts of the system and things, including like, what is the value? I think it's called protect kernel modules. Yes, so if we, instead of this, if we do protect kernel modules equal to yes, so this value will make sure that even if you are rude, you cannot be able to load or unload any kernel modules and can we combine multiple options? Yes, that's what we have to do, actually. So, for our demo and so you, something else we're going to get into those details in few minutes and then there we will actually make sure that we write or use a real service which is extremely vulnerable and then we'll try to see how can we protect the system even though we are running a really, really bad web application. Now, two different ways of doing that. Now here the workshop can go into two different ways. One is I can keep showing you one by one separate of these features in the command line or we can try out a new complete service altogether where we'll first start the service with all the vulnerability and then go ahead and try to fix parts of it one by one. And I'll tell you some stories, the things I learned while doing this. So, if you have any preference between these two different parts, you can tell meanwhile I'll go and try to see another options, just to get out of this and then someone asked if we can put multiple options. Yes, you put multiple slash p, hyphen p, it's not slash hyphen p in this case and in a service file you can just write them down one by one. So, another example we can use is a temporary file system. Using this, we can actually say that, hey, these particular directories we want to mount but we want to mount those temporary file systems and we can even say these are read only. So, let's say an example would be a slash bar and I want it to be read only. Again, we are here because CD no home is not set. LS, CD slash bar and LS, it's empty. Because we say for this particular service we want to make sure that the bar is a temporary directory and read only. It's created like that and as, oh, that's a new pole, sorry. Certainly it was long buzz. Even though I'm a root user, let's see if I try to create a file here what will happen, read only file system. So, who asked that? Alex, Alex asked about if we could take away root's power. So, this is one example where even though I'm root and I can't do much about it right now in slash bar. Mathu, are you saying something? It does this by dropping capabilities. So, the kernels root things are capabilities defined in Linux. There's a bunch of constants that are like being able to open a network socket and I forget there's a bunch of them. And so, the various options basically remove those things and I think it sets up the sec comp filters. Basically, there's a part of the kernel also where you can set up basically blocking certain system calls. So, you could do that in different ways but what system D is giving here is basically a pre-thought out and pre-packaged set of those things to actually do a specific thing. So, that's perfect if the specific things match what you want to do. If you want to do something that is for a different use case you might wanna do your own filters or maybe SELinux or some combination to do the restriction. Just kind of thinking about the question. Is that, am I right in all that? Correct me if I'm wrong. No, correct and that's where the, I'll say that the beauty of system D comes here is that for many of the existing services we can think about these very basic features which we can enable in system D. And it's not like you should only enable system D. We should also make sure that the SELinux is up and running on that box in the proper way. So that it's not only system D we have all those features and someone may just say but hey, you're showing us all the features of containers in code. So, yes, we are seeing the same kind of features of the Linux kernel but it's just that system D provide these to be used inside each of the separate services of the box in a very nice way. And if we package that service file along with our RPM package, it will be available to every user of Fedora. And when the system CDL starts a service, the service will automatically get those default security features. So, yeah. And also to note because my VAR is still empty and as Matthew said that maybe this is not what we want. Maybe we still want to have access to VARLIF system D. For example, this is just an example. So we'll try to see. So we pass another feed option and I'll say give me VARLIF system D from the host computer. So let's try this. I can see that we have VARLIF system D on my service, inside of my service. Everything else, it's still completely empty. Is this good? If anyone can type in anything on the chat, it will be nice for me because then I know what's right. If people can see this. Perfect, thank you. I'll get out. And because no one answered about like, if we want to keep seeing these kind of examples of our service, I'll keep showing this and then we'll move into a service if I hope that is okay. So next feature, I'll keep adding here one by one. Yeah, I hope that's okay. But before that, let's see my more battery. Last day, devices. Now, this is also a pretty nice place for an attacker. If somebody get an access, I'll say access to your system that they will try to see what all devices are there, how much of those they can access. So to make sure that the service can only see the minimal devices and some special ones like dead zero, dead null, all of this, there is a feature called Private Devices, just like Private EMP details. So Private Devices, that is yes. This is the same command. There you go. So this is within the service. This is what it can see. This is the actual devices, the host root can see. Many of them are API-enabled pseudo devices and then dead zero, dead null. One of the completely new devices, which is new for me, not Linux or many of you, is last day's full. I never knew about it a few months ago and I'll tell you how I find out this particular device in an experiment related to these system-based security features. Is this okay, everyone? There is a question, Adam. Can you say system-level defaults for all services? As I understand, these are all power service options. System-level, if we can do something or not, I don't know, but at the same time, I don't think we can, like, I'm sure system-level has some default options, but all these features, depending on what kind of service you're running, it will have to change. So that's why we have to enable them one by one. This is the video, this is what happens. I was clicking continuously on the browser in the video to type something which will never work. Then there is a couple of more features which we can talk about. I already talked about kernel, but there is something which I cannot demo at this moment in this VL, but we can even say what kind of file system this service can access. And we can provide, let's say, PXP4, NDP and PFS. If you know that there is a network-mounted file system and you don't want the service to read those or access those, you can mention it here. So John. So in Ray does the $XSUSD system run with different options? That's something I do not know. If somebody else here who knows this better than me, can you please answer? Anyone else knows this question? I don't think EXCC by default will use a system rerun. I think the command, that's something I don't know. So you have to ask someone who knows better than me on this. Now, instead of going through all of these different features like I said, like protect proc will not work unless you are a different user altogether, et cetera. There is one feature which is given again, configuration from the system D which will enable multiple of these configurations together and those cannot be turned off. Like protect home, like temporary file system, like protect proc, all of that automatically, which is dynamic user. So when we say that let's have a dynamic user, system D will take care of adding all of these different configurations and will apply to the service. Get back and let's try this. This will work, let's try, yep, let's try ID. You can see that it created a new user and dynamic group for this particular service and made sure that the service starts with that user. If we do slash TMP slash word TMP still MP, slash, let's say if this is not enabled by default, we still have access, so that means we have to make sure that we protect the devices while running this service and slash home, it has still has access here. That's all, what else we can see. So what are the features, by the way? These are getting automatically enabled when we do dynamic user equal to yes. As I said, we can use this system D.exe scene man page here. So these particular sections talks about all related to dynamic user and we can read and understand how it creates dynamic user based on the service name and makes sure that next time when you restart the service, in case it tries to give the same exact dynamic user ID so that if any file is created or any kind of access the user or service had will continue having. Here are a few things mentioned that remove IPC, private TMP, they are implied and cannot be turned off and then many other features like restics, SUID, GUID, protocol is read only, that means you can read other directories, what do you call it, other users home directories but you cannot write anything there. And then there are many multiple other parts and directories which can still enable and allow access or not. But to see how this dynamic user is still working or what else can we do along with all of this, we should really try to write it in actual service file and then try this out. Up to command line, I felt like few things are pretty nice to try out in a command line but after that we should really try to do this in a real service file. So there is a different chat going on about DxAC and system rerun so I'll skip it for now, get back into the workshop details. So to see how this, how good is this, I did an experiment multiple months ago, I created a project in a language called Rust. It's a web application and even though it's written in Rust, the code has multiple vulnerabilities. Like you literally have remote code execution, the project also has like arbitrary file rights or you can read literally any file, any directories and you can do directory traversal. So all the nightmare things in a web application. So this project gives us all of that together. But I wrote it in Rust for another specific reason because I wanted to tell my like a couple of friends that if you're using a, let's say more secure language like Rust but that doesn't mean all of your projects and code will become secure by default. This means that you get all the powers from the language but if we write wrong code, our final application will still be wrong. It will still have all the vulnerabilities we ever can imagine. So to try this out, at first, let me just install Rust here or we do it live. I'll use the Rust app, not system Rust in this case, Rust in this case, just to make the steps which I wrote down before, follow my written notes. So this is on a VM in a data center. So this will work fast enough. If any other question, please feel free to ask. We now have access to cargo and I will also need PCC in the future. So for the project, so I'll just install, okay. You can follow along the project is actually available on my GitHub, it's called very bad. The name is given so that people understand that this is not a thing you want to run on a regular system. So what I did for this experiment that I was running very bad, I'm still running very bad in a publicly connected VM and asked all of my friends and many other people on internet to attack it to see if they can break into the computer. That's why I found like some people tried hours to make sure that they get proper access to the via this application. And I learned about, as I was speaking before, I learned about their full because someone tried to read their full and took down the service a couple of times. The service was down and systemally took care of starting it up again. So then at that moment I could make sure that this service is not being able to access DevFull. Oh, see, new VM, so it is not there. Let's install it. Hit run, then I can build that room as I release cargo build release. So this will build the very bad application locally. So please make sure to not install or test this out in a internet connected service. I'll just see what really is here. And as Bob said, yes, it's really very bad. We'll see why part of it. But meanwhile, if you have any questions, feel free to ask. Wait for one more minute, maybe one or two minutes to make sure the build is done. Any other questions, anyone? Having no questions sometimes so scary that means like either everyone in understanding everything they can, people can understand everything or no one can understand what I'm speaking about. And because I guess for a few minutes Matthew was online so I could see him, his face and get some feedback like with voice, otherwise like I'm talking to the void. I didn't go out there, it's still. Thank you Bob. Bob said, we understand your worries. So it's almost done, let's stay in the room. Compiling, I tried all these kinds of things for the workshop yesterday in a different VM but I made a completely phased VM, complete phased new federal VM for the workshop so that you can see that I don't have any extra special sauce here in this box running. It's just step by step what I'm doing so that you can follow along. And later I'll provide you with the write-ups I wrote about on this topic so that you can read, follow and do the exact same topic, next steps if you want. So the data application is actually using the rocket framework in Rust which is a web framework extremely fast, works as it should be and we're almost there. I think it's compiling and linking the final application binary done into three minutes instead of one minute. Yay. So if we see target release, this is the executable which we are going to use. So let's unroot correct. So I can see the file into user as pin and then we'll use it from there and we also have a very bad top service file here but this is what happens again. Press Cloud. So I also have a very simple service file, very bare minimal. The, you can see the working directive we say it's web slash web slash amazing. For this workshop we'll change it to something else and we'll try to use it. We can actually keep slash image amazing also. Let's see. Yeah. Okay. So as the next step, we should be at that first directory called class, web slash. Done. Then we'll copy the service file into slash, QTCs with QT slash system. QT, Demand Reload or system to Demand Reload. Correct. And I think, system CDL. Only nine PM. I'm still missing all the command. By the way, if you can hear some loud music, please let me know that's my daughter listening to something really strange and pretty loud behind. So I'm sorry for the noise, but we'll start the service. Journal CDL, hyphen, new, and very bad. It started the service. So that's the services running. We know the services running. So let's see what happens with this service. So this service is running the web application in port 8,000. So let's try this out. So the index page, example of the written code. We have a few different API. Get OS, we'll give you the details of the OS. Get slash file name from the current directory, which is running here. Web amazing. It can read a like file and give it to us. We can also execute the date command to find out the date and time on the server. Or we can write to a file. So let's try the get OS. This is the output. So anyone who is not new to Linux systems, they can understand like, wait a second, we know that this is not a standard command output, but instead it's a file from Slash ATC, correct? So what the application is doing, it's reading the file inside Slash ATC. If I can go up a little bit, it also says Slash file name. If we provide a file name, it will read the file and give us the details. So just like any standard pain-gasting fellow human being, our tools, we'll try to pass it some other values. So percentage to F slash, that is slash ATC. And then again, another slash. And maybe saddle file, let's see if this works. Yes, we can read the saddle file. So this means if this was actually running on an internet connected system, anyone can read the ATC saddle file. I can actually rewrite the file. So I will, I'm trying to think if I should try to rewrite or not. Maybe I should not. What is the GitHub link again? So GitHub.com slash push and ask. That's my name and the URL copy. Thank you Bob. So let's try to write something else maybe. I have an example file here. Just to showcase that, if it were account. Yes. So instead of writing CTC saddle, I'll rewrite some different file. Just don't want to mess up in the middle of the demo because I already messed it up a couple of times. So let's say I will create a file. Maybe I will call it local saddle. I have a pre-known root password in this, which is in this case, this is the password, is actually password. And then I can use the same code command to tell like, hey, rewrite saddle file. So instead of saddle, just for the demo, I'll rewrite, let's say, CTC saddle two. So that would be curl, data, binary. And let's reach the local saddle five. And then just have to say where to write. So it is in local host colon 8,000, that's the code and the file path. So percentage two F that is last, CTC, again, percentage two F. It says saddle two, just for the demo purpose. Done, okay. So I'm still in the same computer. So 952 slash CTC saddle two. I can see there is a file exists now. It's there. And I can even verify it by reading it here. Still ask the application to go with CTC saddle two and give it to me. Arbitrify rate, yep. So we can rewrite our SSH keys, like authorize keys or anything else via this or any application binary we want. So next, we'll still see what all things can go wrong. So local host, 8,000 slash EX, EC slash data. So this API or URI gives us the data and time. And if you see this command, you like wait a second. This looks like the output of the data command. So what if we run this, I recommend. Look, this application is now running as root on this box. So you can now imagine that you can run literally any command of the system. So I don't know, tell me any command. So the very good application now has, as I showed you already, like some literally the nightmare is while it is on this application running and selling as root, we have all the access, whichever way you want on this box. So our job is to protect this service. But using things we saw before using system D only, nothing else. So it is in system D, systems slash, very much of service. I can write it anywhere, I'll start with here. So you remember that all the different features or options we talked about, we can write them on here one by one. So multiple options together, multiple configuration values together. So to start with, we'll just protect the temporary directories and protect these two. So this means now, even though service is running as root, it will not be able to do things much on other people's users. Let's say, I thought SSH directory authorized keys files in those to get them on reload. Maybe we go to command with reading files. Instead of this, it says slash on. Okay, slash on is a directory. So instead of, so here we can maybe say, let me say LS, maybe LS and then space is percentage 20, percentage 2F, still has Fedora and again percentage 2F. Maybe, yeah, maybe I did not restart. Okay, thank you. Now it's in, thanks a lot. So this is, I think I'm actually doing this third time, this previous two times, I gave it as talks instead of workshops and this is third time and every time I forgot to restart the service. So now I have to make a different mental note or a post-it note somewhere on the top of my screen saying remember to restart the service. But yeah, as we can see, slash home is now empty because protect. At least this is the one best thing about having workshops kind of scenario where you all are giving me feedback and tell me that what I missed because first time when I get the talk, I was literally having no clue why things are not running and nobody told me from the audience and it was a real physical workshop, talk a couple of months ago. So we enabled or we can see that there's nothing in the home saying those PMP because we said private PMP, yes, the PMP is also empty and you can try out different things. We know we have access to slash Vib, percentage to F and then amazing, there's nothing. So if I do, then if I keep the same path, hello.txt, okay, so my slash Vib amazing now has a file which we wrote. So we just try to make sure that this dynamic of this directory where the services running or it should like the logs directory, the cast directory, all of these different directories, we try to make sure that these directories are also like private to the service itself and along with all of those services, we first moving to dynamic user, yes. This time I'll remember, then I'll reload and then restart the service. So now if we do xvc slash id and we can see the service is not anymore running as root, it's automatically chosen our service UID based on the name of the service and it's running there. So now, and also like no issue ID, UID calls, et cetera, so this means we cannot just now arbitrarily execute the things like executable switcher where root can cause trouble. If we go back again, we can also say that, hey, I want the working directory to be a different one. Let's say, one is very bad, yeah. And I also want to say that this directory will be there between restarts. So we can say that, hey, this holds the state of the service. So, s-t-a-t-e state directory, that's the name of the directory, that's very bad. I'm going to reload and then restart the application. What should we try here? I'm just looking into my notes, like commands to try, et cetera, maybe some other commands. If it is the only command we really want our users to execute, nothing else. So let's try if we have still have access to something else, okay, no output. This is mostly because my application doesn't throw the error message back to the user. So maybe I would try, maybe percentage two zero, that is space, percentage two F. And John is asking in between, if system dnsc function means, system ds is written in C. So if you're asking me that, and I think you found the actual function call. So I don't know how system d works inside, so I know it's written in C. So I'm sure there must be a function which has been used inside. And for anything else, you have to talk to the system d-developers and ask them for more details. Can I extend to RM of a five percentage two F, let's say the shadow two, the five we created. There's nothing, so let's try not delete it. Can anyone tell us why? No access, correct? Because if we, instead of RM, if we do this, it's LACTC. If we try to see what is there in LACTC, it's here. It has access to LACTC directory, but how to see the percentage, maybe hyphen L? Hyphen allowed, yes. Percentage space, hyphen L, and then another space, then slash ETC, this, it still says that we have access to the file, but as read only, and because it's rude, correct? So our service is running right now as very bad. So it cannot delete that file, but it can still read whole of LACTC, which may be not the thing that we want. So how to do that? Now, if we know, most of the applications maybe we not need it, but if we know that our application needs to execute some other command, some other executables within the systems, we can find out those like the libraries, the set libraries it depends on and that particular executable, and then say only allow these to run. So to do that, and do I have a LED? Yeah, I have a LED. Sorry, now we want to know what are libraries that date command is dependent on so that we can only allow those libraries to be loaded as executable on memory and the date command. Everything else will not allow them to load. So LED user being dead, so three links here, and because we've stopped everything else to be like accessed or allow, this also means we have to make sure that we can still access to the system D itself and the very bad application, because the application needs to load, like make sure that it can access to the executable memory portion for that. So we'll do user is being very bad. A few more libraries and I already noted them down. So we can say service and not to configure this. And first of all, we say that no yet see parts. With this value, we can say that this service will not be allowed to execute anything under this path. And I'll say slash, that is this executable is not allowed to do any executable under slash root, everything. We closed down everything. And then only enable the things which we know we need via EXTC parts. Another, I'll just copy this because it's long. So you can see it's all the libraries and the executables. So that they can be mapped into memory for execution. So this will change if you know what all things you want to execute, allow to execute from the service and what all things you want to, you know, don't allow. Go to next, M and reload and restart. I did not forget restart, restart. We'll try ESCC date command works. What about ID? That service actually crashed. It's not service crashed, it's actually the service, the code which I wrote, it found it, oh, it cannot execute this command. So it throws a error 500 page. And this is the default error 500 page of Rocket. So that's what we can see. So now if you want to try any other command on the system, same error. It can only talk about system D, it can only talk about the service line. But this also means it still has allowed, it still can access to multiple other files and directories, et cetera. Let's say someone can try to reach there's zero, there's full like those. So we have to make sure that those devices cannot also be accessed. And let's say any other files, let me see if the files I wrote here. Yeah, so if you remember that slash the MPI like temporary file system, and oh, it can also read this file, let's say, not EXCC, slow percentage to F, PTC, percentage to F, let's say, not always to this, because we need to read it. Let's try some other file and read it fast forward. No, because it's not running as root anymore, but maybe it will try to read any other file it has access, maybe the service file itself. So system D, no, sorry, slash PTC, slash system D, slash system, slash very bad, no, service. So if I'm an attacker, I can still read this particular file, correct. And we should try to see how much we can block here. So you can actually say that slash PTC becomes, I wrote slash PTC password. Okay, I should try not to do workshops or any talks after 8 p.m. that means this also shows I'm getting old. And at only 9 p.m. I'm typing multiple typos, but this also, I'm a human being, not being able to type properly at night. I have coffee, I don't want to drink it at night at this moment. Anyway, thank you for pointing the actual typing errors. For now, I'll go back here. I'm saying that let's make slash PTC as a temporary file system, but because we are still executing the dead command and also reading the OS release file, we should be able to read those two files from the host. So our copy case goes to file. So bind read on the box, ETC OS release and ETC local time. So we'll run reload and then restart the service. So control R, okay OS. So we can still read ETC OS release. We can still do EX EC dead because it is in local time file. We need to read that, but if I could read any other file, let's say percentage to F, now it fails. Yeah, like, because if, okay, to see why this is happening, but we have to disable and remove the EX EC command so that we can see nicely what's going on, I want to just make sure that I can do a less command. So here, because we are now mounting slash ETC into this service as a temporary file system and then saying, give us only these two file access. So we can see that the service cannot see any other files under slash ETC. And we can also say particular parts which can be blocked. Let's say they're fully dead zero, as I said, because I found that that's a nice way to, you cannot be able to do a remote code execution, but you may be able to take down the whole service and if the service has to restart. As I was speaking, like how I learned about this is that I am right now running a service at very bad.kushal-dars.in at 48,000. So you can see that this is running with all, like all the different features I found inside system D which can help us to as fast bike, I guess, I'm sorry. It's running facing internet. This is the service which I made available to D1Ls to attack. A few people managed to read random files under slash Dave and crash the application that's the system D service, but the service restarted itself. And I learned a lot about how people think about attacking similar services. So if you want, you can actually right now try and see if we can go ahead and attack the service. It's running over from I think March, April, April or May. I don't remember which month, but it's running pretty good. Like nobody managed to get a sale itself. Right now, and as Adam said, that we could just have it mounted to own config directory. Yes, this one doesn't have any much configuration. So it totally depending on what you need to do. And that's why it doesn't have, existing doesn't provide all of these features automatically to every service on the system. We need per service. We have to figure out as users or developers or contributors to the project, what all things, what all security features we should enable or disable here. And please remember that this is not the end. System D is just making it super easy for all of us to have these features. But we should also make sure that we are running SNNX. We are making sure all the other basic things like the kind of in-codes mistakes I did in my code, which allows me to do all of these scary things on a service. So if anyone of you actually planning to execute things on that against that service, feel free to if you can actually get an access to the sender or something, if you can pin me and see if we can send some nice things. So why exactly do you have system D in the excc path? Honest answer, I found the service will not start up if I do not have system D in the excc path. A little bit more detailed answer. When I found this and when I started writing this service and running it on the network, I was on internet. I started talking with Leonard, make me sure he knows what all things I'm finding. And at that moment, Leonard told me that in a future release of system D, we'll not have to put system D in the excc path. That's what I remember. But I had to ask him once again, if it's already the last release after figure 35, in figure 36, if I need it or not, I have to double check. I don't remember, right? But he knew why exactly that issue was there and how to fix it. So that's why. And can I do a list? Yeah, this thing is running right now, but it is running with all those security features enabled. So I cannot run a list here right now and see what all files are there. And I don't want to, like I'm sure, like there are multiple people trying to write various files in the state directly and don't want to try to read them because there might be any kind of exploits inside or like bad text, which I don't want to put it in the recording here. But there is nothing much to show. I hope that there are only more people trying out this with us today. And I learned a lot during this. And one of the major things is that I should not do talks after 8 p.m. like this because there was multiple failures in the typing, including forgetting systems. It didn't even reload. But I will be here for the rest of the conference, maybe couple of hours today also and tomorrow and day after. I hope that's a three-day conference. And I'm available on IRC all the time. My nickname on IRC is Kushal. I'm on Twitter or multiple other places. So if you have any questions, feel free to ask me. And like, if you know how we, what can I do more to make it better? Like, you know, put it better. Feel free to help me to learn those things. I hope this will be useful for all of you. And I try to write regularly in my blog which is kushandars.com. And that's my blog. And I actually blogged about this particular experiment in my blog if you go back a couple of months back. And I also talked about how people found some issues and I fixed them one by one and restarted the service. So thank you everyone for attending. I'll wait for a minute if you have any questions or anything or else I can stop sharing and get out of the room. I don't know how to stop recording. That's a different question. I never started the recording. Okay, I guess no questions. Thank you once again. I'll stop the sharing and then get out of the room. Thank you.