AWS - Nitro Enum


Basic Information

AWS Nitro is a collection of innovative technologies that form the underlying platform for AWS EC2 instances. Introduced by Amazon to improve security, performance and reliability, Nitro uses custom hardware components and a lightweight hypervisor. It moves much of the traditional virtualization functionality into dedicated hardware and software, minimizing the attack surface and improving resource efficiency. By offloading virtualization functions, Nitro lets EC2 instances deliver near bare-metal performance, which is especially beneficial for resource-intensive applications. In addition, the Nitro Security Chip guarantees the security of the hardware and firmware, further strengthening the robust architecture.

Nitro Enclaves

AWS Nitro Enclaves provide a secure, isolated compute environment inside Amazon EC2 instances, designed specifically for processing highly sensitive data. Built on the AWS Nitro System, these enclaves guarantee strong isolation and security, making them ideal for handling confidential information such as PII or financial records. They feature a minimal environment, which greatly reduces the risk of data exposure. Nitro Enclaves also support cryptographic attestation, which lets users verify that only authorized code is running, an essential property for maintaining strict compliance and data-protection standards.

A Nitro Enclave image runs inside an EC2 instance, and from the AWS web console it is not possible to tell whether an EC2 instance is running an image in a Nitro Enclave.

Nitro Enclave CLI installation

Follow all the instructions from the documentation. However, the most important ones are:

```bash
# Install tools
sudo amazon-linux-extras install aws-nitro-enclaves-cli -y
sudo yum install aws-nitro-enclaves-cli-devel -y

# Config perms
sudo usermod -aG ne $USER
sudo usermod -aG docker $USER

# Check installation
nitro-cli --version

# Start and enable the Nitro Enclaves allocator service.
sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service
```

Nitro Enclave Images

The images you can run in a Nitro Enclave are based on Docker images, so you can create a Nitro Enclave image from a Docker image like this:

```bash
# You need to have the docker image accessible in your running local registry
# Or indicate the full docker image URL to access the image
nitro-cli build-enclave --docker-uri <docker-img>:<tag> --output-file nitro-img.eif
```

Note that Nitro Enclave images use the eif (Enclave Image File) extension.

์ถœ๋ ฅ์€ ๋‹ค์Œ๊ณผ ์œ ์‚ฌํ•˜๊ฒŒ ๋ณด์ผ ๊ฒƒ์ž…๋‹ˆ๋‹ค:

```
Using the locally available Docker image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
    "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
    "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
  }
}
```

Run an Image

According to the documentation, to run an enclave image you need to allocate memory of at least 4 times the size of the eif file. You can configure the default resources to allocate in the file:

/etc/nitro_enclaves/allocator.yaml

Always remember that you need to reserve some resources for the parent EC2 instance!

Once you know the resources to give to the image and have modified the configuration file, you can run the enclave image with:

```bash
# Restart the service so the new default values from allocator.yaml apply
sudo systemctl restart nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service

# Indicate the CPUs and memory to give
nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16
```

Enํด๋ ˆ์ด๋ธŒ ์—ด๊ฑฐ

If you compromise an EC2 host you can get a list of the running enclave images with:

```bash
nitro-cli describe-enclaves
```

It's not possible to get a shell inside a running enclave image because that's the main purpose of the enclave; however, if you used the parameter `--debug-mode`, it's possible to get its stdout with:

```bash
ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID")
nitro-cli console --enclave-id ${ENCLAVE_ID}
```

Terminate Enclaves

๊ณต๊ฒฉ์ž๊ฐ€ EC2 ์ธ์Šคํ„ด์Šค๋ฅผ ์†์ƒ์‹œํ‚ค๋ฉด ๊ธฐ๋ณธ์ ์œผ๋กœ ๊ทธ ์•ˆ์— ์…ธ์„ ์–ป์„ ์ˆ˜๋Š” ์—†์ง€๋งŒ, ๋‹ค์Œ๊ณผ ๊ฐ™์ด terminate them ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

```bash
nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}
```

Vsocks

enclave์—์„œ ์‹คํ–‰ ์ค‘์ธ ์ด๋ฏธ์ง€๋ฅผ ํ†ต์‹ ํ•˜๋Š” ์œ ์ผํ•œ ๋ฐฉ๋ฒ•์€ vsocks๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

**Virtual Socket (vsock)** is a socket family in Linux designed specifically to facilitate communication between virtual machines (VMs) and their hypervisors, or between VMs themselves. Vsock enables efficient bi-directional communication without relying on the host's networking stack. This lets VMs communicate without any network configuration, using a 32-bit Context ID (CID) and port numbers to identify and manage connections. The vsock API supports both stream and datagram socket types, similar to TCP and UDP, providing a versatile tool for user-level applications in virtual environments.

๋”ฐ๋ผ์„œ, vsock ์ฃผ์†Œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด ๋ณด์ž…๋‹ˆ๋‹ค: <CID>:<Port>

To find the CIDs of the images running in the enclave, just run the following cmd and check the **EnclaveCID**:

```bash
nitro-cli describe-enclaves
```

```json
[
  {
    "EnclaveName": "secure-channel-example",
    "EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
    "ProcessID": 10131,
    "EnclaveCID": 16,
    "NumberOfCPUs": 2,
    "CPUIDs": [
      1,
      3
    ],
    "MemoryMiB": 1024,
    "State": "RUNNING",
    "Flags": "DEBUG_MODE",
    "Measurements": {
      "HashAlgorithm": "Sha384 { ... }",
      "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
      "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
      "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
    }
  }
]
```

ํ˜ธ์ŠคํŠธ์—์„œ CID๊ฐ€ ์–ด๋–ค ํฌํŠธ๋ฅผ ๋…ธ์ถœํ•˜๊ณ  ์žˆ๋Š”์ง€ ์•Œ ์ˆ˜ ์žˆ๋Š” ๋ฐฉ๋ฒ•์€ ์—†์Šต๋‹ˆ๋‹ค! vsock ํฌํŠธ ์Šค์บ๋„ˆ์ธ https://github.com/carlospolop/Vsock-scanner๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ์•Š๋Š” ํ•œ ๋ง์ž…๋‹ˆ๋‹ค.

Vsock Server/Listener

Here are some examples:

Simple Python Listener

```python
#!/usr/bin/env python3
# From https://medium.com/@F.DL/understanding-vsock-684016cf0eb0
import socket

CID = socket.VMADDR_CID_HOST
PORT = 9999

# Listen on the host CID; the enclave connects to <CID>:<PORT>
s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
s.bind((CID, PORT))
s.listen()
(conn, (remote_cid, remote_port)) = s.accept()

print(f"Connection opened by cid={remote_cid} port={remote_port}")

while True:
    buf = conn.recv(64)
    if not buf:
        break
    print(f"Received bytes: {buf}")
```

```bash
# Using socat
socat VSOCK-LISTEN:<port>,fork EXEC:"echo Hello from server!"
```

Vsock Client

Example:
