All COSSAS projects are hosted on GitLab with a push mirror to GitHub. For issues/contributions check CONTRIBUTING.md
This repository features all the software developed for the self-healing proof-of-concept. Below you can find information on each component and where it is located in the directory structure
Sample application that can be used to perform a DoS attack on the Authentication-bastion.
Single point of access to the underlying docker daemon of a host. Used by the lymphocyte to obtain information on running containers and their status.
Syslog server used by Falco to deliver a log stream.
Pinned version of Falco, used for anomaly detection using eBPF.
Small application that counts the amount of events added in a redis pub/sub channel. If a certain treshold of messages over minute is exceeded, a message is published on another pub/sub channel.
In the PoC setup a lymphocyte is a python docker container that runs together with a job container in a kubernetes pod. The lymphocyte container is inspired by T Killer cells. It decides if and when to send to the Docker Proxy the signal to kill (or pause or restart) the job container.
Python library code used by multiple components in the proof of concept.
Sample authentication service that can provide tokens and validation of tokens for other services.
PHP server that is exploitable to remote code execution. Is not accessed directly but through the nginx-frontend
Web proxy that handles traffic towards Authentication-bastion and Vulnerable php container
Contains descriptors and docker-compose files to start the HDDP, Falco, Mongo and syslog on the host
Contains descriptors to start the self-healing pod, featuring the lymphocyte, frequency monitor, nginx, php, authentication bastion.
Features an overview per software component with ran (security) scans and their results for each component listed under components
Prepare kubernetes on a host somewhere, according to normal procedures. Docker and docker-compose also need to be installed
Build components using bash build_components.sh
You can either start the components manually yourself by following below options, or run bash deploy.sh in the root folder.
Enter deployment/host-deployment, run bash deploy.sh
This will start the HDDP, Falco, Mongo and Syslog
After this is done, go into deployment/pod-deployment
Start the deployment bash deploy.sh
Show the logs of lymphcyte using kubelctl logs <lymphocyte> -f
docker exec -it <php-container> bash
touch /dev
Run a random container with bash in k8s
kubectl run -it --image debian:latest debian-bash
Attach to it, e.g.:
docker exec -it <k8s-debian-container> bash
Send login attempts with bad password, 10+ times:
curl -k -X POST https://nginx:443/api/v1/user/login -H "accept: application/json" --data 'username=sample_username&password=xyz'