Share
## https://sploitus.com/exploit?id=6B60869D-6661-51EA-A586-D3E5664ABAD8
# Charantej Architecture: Hardened Container Staging & Syscall Telemetry Lab

An enterprise-grade, defense-in-depth container containment and runtime security telemetry framework. Designed from the perspective of a Cisco Lead Cybersecurity Architect, the Charantej Architecture isolates staging runtimes, restricts system call surfaces, and instruments real-time kernel telemetry using host-level auditing to secure modern Linux container deployments.

---

## High-Level Design (HLD)

The Charantej Architecture enforces isolation, least-privilege containment, and out-of-band monitoring to ensure security boundaries remain resilient against host kernel compromise vectors.

```
                  +-------------------------------------------------+
                  |          Host OS (Secured Linux Node)           |
                  |                                                 |
                  |  +--------------------+   +------------------+  |
                  |  | Docker Container   |   | Host Auditor     |  |
                  |  |                    |   | (Falco Engine)   |  |
                  |  |  +--------------+  |   |                  |  |
                  |  |  | Audited App  |  |   |  +------------+  |  |
                  |  |  | Namespace    |  |   |  | eBPF Probes|  |  |
                  |  |  +-------+------+  |   |  +-----+------+  |  |
                  |  +----------|---------+   +--------|---------+  |
                  |             |                      |            |
                  |             +----------+-----------+            |
                  |                        |                        |
                  |                        v                        |
                  |             [Host Linux Kernel]                 |
                  |                        |                        |
                  +------------------------|------------------------+
                                           v
                                [SIEM / Log Repository]
```

### Trust Boundaries
1. **Container Runtime Sandbox:** The container namespace runs strictly as a non-privileged user, stripping all default Linux capabilities (`CAP_SYS_ADMIN`, `CAP_NET_ADMIN`, `CAP_NET_RAW`, etc.) to block raw system-level network manipulations.
2. **Syscall Whitelisting:** A custom Secure Computing Mode (seccomp) profile acts as a gatekeeper between containerized processes and the host kernel, preventing access to dangerous socket or namespace alteration system calls.
3. **Out-of-Band Instrumentation:** Event auditing runs out-of-band at the host level via eBPF tracing probes. This ensures that even if a container runtime is compromised, telemetry logging cannot be tampered with or disabled from within the container context.

---

## Low-Level Design (LLD)

The Low-Level Design defines the operational syscall validation logic, filter paths, and monitoring endpoints within the kernel boundary.

```mermaid
flowchart TD
    subgraph ContainerSpace ["Container Namespace (User Space)"]
        App["Audited Process"]
    end

    subgraph SeccompBoundary ["Seccomp Syscall Filter Boundary"]
        Syscall["Syscall Invocation"]
        Filter{"Syscall in Whitelist?"}
        Block["SCMP_ACT_ERRNO (Block & Fail)"]
        Allow["Allow & Pass"]
    end

    subgraph KernelSpace ["Linux Host Kernel Space"]
        Handler["System Call Handler"]
        Subsystem["Target Subsystem (e.g., Network/Memory)"]
    end

    subgraph TelemetryLayer ["Host Auditing Layer"]
        eBPF["eBPF Probe Instrumentation"]
        Falco{"Event Matches Rule?"}
        Alert["Log syslog / SIEM Alarm"]
    end

    App -->|1. Invokes Syscall| Syscall
    Syscall --> Filter
    Filter -->|No: e.g., setsockopt/socket| Block
    Filter -->|Yes: e.g., read/write| Allow
    Allow --> Handler
    Handler --> Subsystem
    Handler -->|2. Traces Execution| eBPF
    eBPF --> Falco
    Falco -->|Yes| Alert
```

The Charantej Architecture is composed of three interconnected configuration layers to enforce security boundaries.

### 1. Hardened Container Staging (`docker-compose.yml`)
The orchestration configuration implements the following security controls:
- **`cap_drop: - ALL`**: Drops every default Linux kernel capability, preventing the container from gaining low-level administrative privileges.
- **`no-new-privileges:true`**: Prevents child processes from gaining more privileges than their parent process via `setuid` or `setgid` binaries.
- **`seccomp=seccomp-profile.json`**: Implements whitelisted system call filtering.
- **`read_only: true`**: Mounts the container root filesystem as read-only. This completely neutralizes write-inject vectors (such as unauthorized page-cache writes or payload filesystems) by blocking raw writes to system paths.
- **Resource Constraints**: Caps CPU usage to `0.5` cores and Memory to `256MB` to block resource exhaustion and denial-of-service (DoS) attempts on the host.

### 2. Syscall Whitelist Gatekeeper (`seccomp-profile.json`)
By default, Docker's seccomp filter allows a broad list of system calls. The Charantej Architecture restricts this to the absolute minimum required for basic process execution:
- **Default Action (`SCMP_ACT_ERRNO`)**: Blocks all system calls unless explicitly whitelisted in the profile.
- **Allowed Syscalls**: Permits only fundamental operating primitives (such as `read`, `write`, `exit`, `exit_group`, `futex`, `nanosleep`, `mmap`, `munmap`, `mprotect`, and `close`).
- **Blocked Vectors**: Explicitly blocks `socket` manipulations, `setsockopt` network changes, namespace joins (`setns`), and capability sets (`capset`), neutralizing unauthorized local privilege escalation (LPE) attempts.

### 3. eBPF Telemetry Tracing (`falco-rules.yaml`)
Host-level tracing rules monitor process and syscall boundaries:
- **`Det_Anomalous_Networking`**: Audits socket options and flags an immediate `CRITICAL ALERT` if any containerized process attempts to modify upper-layer protocols or ULP properties (`TCP_ULP` optname).
- **`Container_Privilege_Escalation_Attempt`**: Alerts on unauthorized attempts to join namespaces (`setns`) or modify capability sets (`capset`).

---

## Staging & Deployment Instructions

### 1. Local Staging Setup
Ensure you have Docker Desktop or Docker Engine installed on your host system.

1. Navigate to the project directory:
   ```bash
   cd d:/fragnesia-cve-2026-46300
   ```
2. Build and start the containerized service in background mode:
   ```bash
   docker compose up -d
   ```
3. Confirm that the container is running and verify the active hardening constraints:
   ```bash
   docker ps -a --filter "name=charantej_secured_container"
   ```

### 2. Verifying the Seccomp Boundary
To verify that the seccomp profile is actively blocking unauthorized syscalls:
1. Attempt to execute an un-whitelisted command (e.g., executing network-intensive options) inside the container:
   ```bash
   docker exec -it charantej_secured_container ping 127.0.0.1
   ```
2. The execution will immediately fail with `Operation not permitted` or a system-level `errno` block, proving that the Seccomp profile is intercepting the system call.

### 3. Verifying host-level telemetry
When Falco or a system-level eBPF tracing agent is active on the host:
- Any unauthorized system calls will trigger alerts inside `/var/log/syslog` or your central SIEM, logging the container ID, process name, and target syscall options.

---

## Live Exploit Demonstration (CVE-2026-46300 "Fragnesia")

This repository includes a live exploit simulation for CVE-2026-46300 to practically demonstrate the effectiveness of the Charantej Architecture. 
The exploit attempts two vectors:
1. **Namespace Escape**: Attempting to hijack the host mount namespace using `setns()`.
2. **Kernel ULP Corruption**: Attempting unauthorized ULP memory manipulation via `setsockopt(TCP_ULP)`.

### Running the Exploit Test
A helper script is provided to automatically build the exploit and run it against an unmitigated container (representing a vulnerable system) and the Charantej-secured container.

1. Ensure Docker is running.
2. Execute the test script:
   ```bash
   bash run_exploit.sh
   ```

### Expected Results
- **Unmitigated Environment**: The exploit will successfully execute both `setns()` and `setsockopt()`, reporting a "VULNERABLE" status.
- **Charantej Secured Environment**: The exploit is intercepted. `setns()` is blocked by capability drops (EPERM), and `socket()` / `setsockopt()` are explicitly neutralized by the Seccomp syscall filter boundary, reporting a "BLOCKED" status. This confirms that even if the Fragnesia payload gets executed, the Charantej architecture securely isolates the host from the exploit.