SlideShare a Scribd company logo

Pledge in OpenBSD

Giovanni Bechis
Giovanni Bechis

Pledge is a new mitigation technique available in the OpenBSD operating system. It is used to disable system calls a process is not allowed to call.

Software
1 of 18
Download to read offline
pledge(2): mitigating security bugs Giovanni Bechis <giovanni@openbsd.org> pkgsrcCon 2017, London
About Me sys admin and developer @SNB OpenBSD developer Open Source developer in several other projects
Mitigations stack protector ASLR WˆX priv-sep and priv-drop
dangerous system calls Disable system calls a process should not call SE Linux seccomp Capsicum systrace pledge(2)
pledge(2) introduced in OpenBSD 5.8 as tame(2), than renamed to pledge(2) around 500 programs with pledge(2) support in base around 50 ports patched to have pledge(2) support (unzip, mutt, memcached, chromium, ...)
pledge(2) A new way of approaching the problem study the program figure out all syscalls the program needs promise only the operations that are really needed ktrace(1) and gdb(1) if something goes wrong
pledge(2) program is annotated with pledge(2) calls/promises kernel enforces annotations and kills the program that does not respect promises
pledge(2) promises #include <unistd.h> int pledge(const char *promises, const char *paths[]); ””: exit(2) stdio: malloc + rw stdio rpath, wpath, cpath, tmppath: open files fattr: explicit changes to ”fd” (chmod & friends) unix, inet: open sockets dns: dns requests route: routing operations sendfd: sends file descriptors via sendmsg(2) recvfd: receive file descriptors via recvmsg(2) getpw: passwd/group file access ioctl: small subset of ioctls is permitted tty: subset of ioctl for tty operations proc: fork(2), vfork(2), kill(2) and other processes related operations exec: execve(2) is allowed to create another process which will be unpledged settime: allows to set the system time pf: allows a subset of ioctl(2) operations on pf(4) device
pledge(2) logging dmesg(8) on OpenBSD ≤ 6.1 lastcomm(1) and daily(8) on OpenBSD ≥ 6.2 (with accounting enabled)
pledge(2) logging rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) ls - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16) cc - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.64)
pledge(2) logging From root@bigio.paclan.it Sat Jun 17 16:08:46 2017 Delivered-To: root@bigio.paclan.it From: Charlie Root <root@bigio.paclan.it> To: root@bigio.paclan.it Subject: bigio.paclan.it daily output OpenBSD 6.1-current (GENERIC) #1: Fri Jun 16 22:37:23 CEST 2017 giovanni@bigio.paclan.it:/usr/src/sys/arch/amd64/compile/GENERIC 4:08PM up 35 mins, 3 users, load averages: 0.26, 0.13, 0.10 Purging accounting records: hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16)
let’s hack #include <stdio.h> #include <unistd.h> int main(int argc, char **argv) { FILE *fd; if(pledge("stdio", NULL) != -1) { printf("Hello pkgsrcCon !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); fclose(fd); } return 1; } else { return 0; } }
let’s hack use OpenBSD::Pledge; my $file = "/usr/share/dict/words"; pledge(qw( rpath )) || die "Unable to pledge: $!"; open my $fh, ’<’, $file or die "Unable to open $file: $!n"; while ( readline($fh) ) { print if /pledge/i; } close $fh; system("ls");
let’s hack Index: worms.c =================================================================== RCS file: /var/cvs/src/games/worms/worms.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -p -r1.22 -r1.23 --- worms.c 18 Feb 2015 23:16:08 -0000 1.22 +++ worms.c 21 Nov 2015 05:29:42 -0000 1.23 @@ -1,4 +1,4 @@ -/* $OpenBSD: worms.c,v 1.22 2015/02/18 23:16:08 tedu Exp $ */ +/* $OpenBSD: worms.c,v 1.23 2015/11/21 05:29:42 deraadt Exp $ */ /* * Copyright (c) 1980, 1993 @@ -182,6 +182,9 @@ main(int argc, char *argv[]) struct termios term; speed_t speed; time_t delay = 0; + + if (pledge("stdio rpath tty", NULL) == -1) + err(1, "pledge"); /* set default delay based on terminal baud rate */ if (tcgetattr(STDOUT_FILENO, &term) == 0 &&
let’s hack, ports(7) $OpenBSD: patch-memcached_c,v 1.11 2016/09/02 14:20:31 giovanni Exp $ --- memcached.c.orig Fri Jun 24 19:41:24 2016 +++ memcached.c Thu Jun 30 00:02:09 2016 @@ -23,6 +23,7 @@ #include <sys/uio.h> #include <ctype.h> #include <stdarg.h> +#include <unistd.h> /* some POSIX systems need the following definition * to get mlockall flags out of sys/mman.h. */ @@ -6100,6 +6101,32 @@ int main (int argc, char **argv) { if (pid_file != NULL) { save_pid(pid_file); + } + + if (settings.socketpath != NULL) { + if (pid_file != NULL) { + if (pledge("stdio cpath unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } else { + if (pledge("stdio unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } + } else { + if (pid_file != NULL) { + if (pledge("stdio cpath inet", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } else { + if (pledge("stdio inet", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } } /* Drop privileges no longer needed */
what to do if something goes wrong ? 94140 hello CALL write(1,0xb56246ae000,0x8) 94140 hello GIO fd 1 wrote 8 bytes "Hello pkgsrcCon ! " 94140 hello RET write 8 94140 hello CALL kbind(0x7f7ffffcbee8,24,0x73b422cd44dee9e4) 94140 hello RET kbind 0 94140 hello CALL open(0xb53f8a00b20,0<O_RDONLY>) 94140 hello NAMI "/etc/passwd" 94140 hello PLDG open, "rpath", errno 1 Operation not permitted 94140 hello PSIG SIGABRT SIG_DFL 94140 hello NAMI "hello.core"
what to do if something goes wrong ? $ gdb hello hello.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.1"... Core was generated by ‘hello’. Program terminated with signal 6, Aborted. Loaded symbols for /home/data/server/dati/Documenti/convegni/pkgsrcCon 2017/src/hello Reading symbols from /usr/lib/libc.so.89.5...done. Loaded symbols for /usr/lib/libc.so.89.5 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 5 {standard input}: No such file or directory. in {standard input} (gdb) bt #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 #1 0x000009f584a3f559 in *_libc_open_cancel (path=Variable "path" is not available. ) at /usr/src/lib/libc/sys/w_open.c:36 #2 0x000009f584aaab82 in *_libc_fopen (file=0x9f2b8b00b20 "/etc/passwd", mode=Variable "mode" is not available. ) at /usr/src/lib/libc/stdio/fopen.c:54 #3 0x000009f2b8a005dc in main (argc=1, argv=0x7f7ffffc3c58) at hello.c:8 Current language: auto; currently asm (gdb)
The future ?

Recommended

Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
Giovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
Giovanni Bechis
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
Cyber Security Alliance
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
Kernel TLV
 
Preparation for mit ose lab4
Preparation for mit ose lab4Preparation for mit ose lab4
Preparation for mit ose lab4
Benux Wei
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
Cyber Security Alliance
 
System Calls
System CallsSystem Calls
System Calls
David Evans
 

Recommended

Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
Giovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
Giovanni Bechis
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
Cyber Security Alliance
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
Kernel TLV
 
Preparation for mit ose lab4
Preparation for mit ose lab4Preparation for mit ose lab4
Preparation for mit ose lab4
Benux Wei
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
Cyber Security Alliance
 
System Calls
System CallsSystem Calls
System Calls
David Evans
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
David Evans
 
ハイパフォーマンスブラウザネットワーキング2
ハイパフォーマンスブラウザネットワーキング2ハイパフォーマンスブラウザネットワーキング2
ハイパフォーマンスブラウザネットワーキング2
Shuya Osaki
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
Marian Marinov
 
How to make a large C++-code base manageable
How to make a large C++-code base manageableHow to make a large C++-code base manageable
How to make a large C++-code base manageable
corehard_by
 
Kernel crashdump
Kernel crashdumpKernel crashdump
Kernel crashdump
Adrien Mahieux
 
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
Ontico
 
Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)
Ryousei Takano
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)
David Evans
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
Alexey Troshichev
 
The origin: Init (compact version)
The origin: Init (compact version)The origin: Init (compact version)
The origin: Init (compact version)
Tzung-Bi Shih
 
nouka inventry manager
nouka inventry managernouka inventry manager
nouka inventry manager
Toshiaki Baba
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコル
Ryousei Takano
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Gavin Guo
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Anne Nicolas
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
yang bingwu
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
Ontico
 
agri inventory - nouka data collector / yaoya data convertor
agri inventory - nouka data collector / yaoya data convertoragri inventory - nouka data collector / yaoya data convertor
agri inventory - nouka data collector / yaoya data convertor
Toshiaki Baba
 
Oracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docxOracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docx
tricantino1973
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by example
YunWon Jeong
 

More Related Content

What's hot

Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)
Ryousei Takano
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Anne Nicolas
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
Ontico
 

What's hot (20)

SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
 
ハイパフォーマンスブラウザネットワーキング2
ハイパフォーマンスブラウザネットワーキング2ハイパフォーマンスブラウザネットワーキング2
ハイパフォーマンスブラウザネットワーキング2
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
How to make a large C++-code base manageable
How to make a large C++-code base manageableHow to make a large C++-code base manageable
How to make a large C++-code base manageable
 
Kernel crashdump
Kernel crashdumpKernel crashdump
Kernel crashdump
 
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
 
Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)Plan 9カーネルにおけるTCP/IP実装(未完)
Plan 9カーネルにおけるTCP/IP実装(未完)
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
The origin: Init (compact version)
The origin: Init (compact version)The origin: Init (compact version)
The origin: Init (compact version)
 
nouka inventry manager
nouka inventry managernouka inventry manager
nouka inventry manager
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコル
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architecture
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
 
agri inventory - nouka data collector / yaoya data convertor
agri inventory - nouka data collector / yaoya data convertoragri inventory - nouka data collector / yaoya data convertor
agri inventory - nouka data collector / yaoya data convertor
 

Similar to Pledge in OpenBSD

Oracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docxOracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docx
tricantino1973
 
Biicode OpenExpoDay
Biicode OpenExpoDayBiicode OpenExpoDay
Biicode OpenExpoDay
fcofdezc
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux Awareness
Peter Griffin
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
eurobsdcon
 
44 con slides
44 con slides44 con slides
44 con slides
geeksec80
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)
geeksec80
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 

Similar to Pledge in OpenBSD (20)

Oracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docxOracle-GoldenGate-18c-Workshop-Lab-16.docx
Oracle-GoldenGate-18c-Workshop-Lab-16.docx
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by example
 
Biicode OpenExpoDay
Biicode OpenExpoDayBiicode OpenExpoDay
Biicode OpenExpoDay
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux Awareness
 
PythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummiesPythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummies
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)
 
44 con slides
44 con slides44 con slides
44 con slides
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard Way
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...
DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...
DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...
 
IoT with openHAB on pcDuino3B
IoT with openHAB on pcDuino3BIoT with openHAB on pcDuino3B
IoT with openHAB on pcDuino3B
 
r2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCyr2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCy
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 

More from Giovanni Bechis

More from Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Pf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourcePf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open source
 
Mysql diventa grande
Mysql diventa grandeMysql diventa grande
Mysql diventa grande
 

Recently uploaded

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 

Recently uploaded (20)

How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

Pledge in OpenBSD

  • 1. pledge(2): mitigating security bugs Giovanni Bechis <giovanni@openbsd.org> pkgsrcCon 2017, London
  • 2. About Me sys admin and developer @SNB OpenBSD developer Open Source developer in several other projects
  • 4. dangerous system calls Disable system calls a process should not call SE Linux seccomp Capsicum systrace pledge(2)
  • 5. pledge(2) introduced in OpenBSD 5.8 as tame(2), than renamed to pledge(2) around 500 programs with pledge(2) support in base around 50 ports patched to have pledge(2) support (unzip, mutt, memcached, chromium, ...)
  • 6. pledge(2) A new way of approaching the problem study the program figure out all syscalls the program needs promise only the operations that are really needed ktrace(1) and gdb(1) if something goes wrong
  • 7. pledge(2) program is annotated with pledge(2) calls/promises kernel enforces annotations and kills the program that does not respect promises
  • 8. pledge(2) promises #include <unistd.h> int pledge(const char *promises, const char *paths[]); ””: exit(2) stdio: malloc + rw stdio rpath, wpath, cpath, tmppath: open files fattr: explicit changes to ”fd” (chmod & friends) unix, inet: open sockets dns: dns requests route: routing operations sendfd: sends file descriptors via sendmsg(2) recvfd: receive file descriptors via recvmsg(2) getpw: passwd/group file access ioctl: small subset of ioctls is permitted tty: subset of ioctl for tty operations proc: fork(2), vfork(2), kill(2) and other processes related operations exec: execve(2) is allowed to create another process which will be unpledged settime: allows to set the system time pf: allows a subset of ioctl(2) operations on pf(4) device
  • 9. pledge(2) logging dmesg(8) on OpenBSD ≤ 6.1 lastcomm(1) and daily(8) on OpenBSD ≥ 6.2 (with accounting enabled)
  • 10. pledge(2) logging rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) ls - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16) cc - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.64)
  • 11. pledge(2) logging From root@bigio.paclan.it Sat Jun 17 16:08:46 2017 Delivered-To: root@bigio.paclan.it From: Charlie Root <root@bigio.paclan.it> To: root@bigio.paclan.it Subject: bigio.paclan.it daily output OpenBSD 6.1-current (GENERIC) #1: Fri Jun 16 22:37:23 CEST 2017 giovanni@bigio.paclan.it:/usr/src/sys/arch/amd64/compile/GENERIC 4:08PM up 35 mins, 3 users, load averages: 0.26, 0.13, 0.10 Purging accounting records: hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16)
  • 12. let’s hack #include <stdio.h> #include <unistd.h> int main(int argc, char **argv) { FILE *fd; if(pledge("stdio", NULL) != -1) { printf("Hello pkgsrcCon !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); fclose(fd); } return 1; } else { return 0; } }
  • 13. let’s hack use OpenBSD::Pledge; my $file = "/usr/share/dict/words"; pledge(qw( rpath )) || die "Unable to pledge: $!"; open my $fh, ’<’, $file or die "Unable to open $file: $!n"; while ( readline($fh) ) { print if /pledge/i; } close $fh; system("ls");
  • 14. let’s hack Index: worms.c =================================================================== RCS file: /var/cvs/src/games/worms/worms.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -p -r1.22 -r1.23 --- worms.c 18 Feb 2015 23:16:08 -0000 1.22 +++ worms.c 21 Nov 2015 05:29:42 -0000 1.23 @@ -1,4 +1,4 @@ -/* $OpenBSD: worms.c,v 1.22 2015/02/18 23:16:08 tedu Exp $ */ +/* $OpenBSD: worms.c,v 1.23 2015/11/21 05:29:42 deraadt Exp $ */ /* * Copyright (c) 1980, 1993 @@ -182,6 +182,9 @@ main(int argc, char *argv[]) struct termios term; speed_t speed; time_t delay = 0; + + if (pledge("stdio rpath tty", NULL) == -1) + err(1, "pledge"); /* set default delay based on terminal baud rate */ if (tcgetattr(STDOUT_FILENO, &term) == 0 &&
  • 15. let’s hack, ports(7) $OpenBSD: patch-memcached_c,v 1.11 2016/09/02 14:20:31 giovanni Exp $ --- memcached.c.orig Fri Jun 24 19:41:24 2016 +++ memcached.c Thu Jun 30 00:02:09 2016 @@ -23,6 +23,7 @@ #include <sys/uio.h> #include <ctype.h> #include <stdarg.h> +#include <unistd.h> /* some POSIX systems need the following definition * to get mlockall flags out of sys/mman.h. */ @@ -6100,6 +6101,32 @@ int main (int argc, char **argv) { if (pid_file != NULL) { save_pid(pid_file); + } + + if (settings.socketpath != NULL) { + if (pid_file != NULL) { + if (pledge("stdio cpath unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } else { + if (pledge("stdio unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } + } else { + if (pid_file != NULL) { + if (pledge("stdio cpath inet", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } else { + if (pledge("stdio inet", NULL) == -1) { + fprintf(stderr, "%s: pledge: %sn", argv[0], strerror(errno)); + exit(1); + } + } } /* Drop privileges no longer needed */
  • 16. what to do if something goes wrong ? 94140 hello CALL write(1,0xb56246ae000,0x8) 94140 hello GIO fd 1 wrote 8 bytes "Hello pkgsrcCon ! " 94140 hello RET write 8 94140 hello CALL kbind(0x7f7ffffcbee8,24,0x73b422cd44dee9e4) 94140 hello RET kbind 0 94140 hello CALL open(0xb53f8a00b20,0<O_RDONLY>) 94140 hello NAMI "/etc/passwd" 94140 hello PLDG open, "rpath", errno 1 Operation not permitted 94140 hello PSIG SIGABRT SIG_DFL 94140 hello NAMI "hello.core"
  • 17. what to do if something goes wrong ? $ gdb hello hello.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.1"... Core was generated by ‘hello’. Program terminated with signal 6, Aborted. Loaded symbols for /home/data/server/dati/Documenti/convegni/pkgsrcCon 2017/src/hello Reading symbols from /usr/lib/libc.so.89.5...done. Loaded symbols for /usr/lib/libc.so.89.5 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 5 {standard input}: No such file or directory. in {standard input} (gdb) bt #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 #1 0x000009f584a3f559 in *_libc_open_cancel (path=Variable "path" is not available. ) at /usr/src/lib/libc/sys/w_open.c:36 #2 0x000009f584aaab82 in *_libc_fopen (file=0x9f2b8b00b20 "/etc/passwd", mode=Variable "mode" is not available. ) at /usr/src/lib/libc/stdio/fopen.c:54 #3 0x000009f2b8a005dc in main (argc=1, argv=0x7f7ffffc3c58) at hello.c:8 Current language: auto; currently asm (gdb)