SlideShare ist ein Scribd-Unternehmen logo

Bsdtw17: mariusz zaborski: case studies of sandboxing base system with capsicum

Als DOCX, PDF herunterladen
S
Scott Tsai

This document discusses the Capsicum capability model and its use in sandboxing systems in FreeBSD. Capsicum allows tight sandboxing by limiting access when a process enters capability mode using cap_enter(). It describes debugging capabilities like ktrace and enotcap. It also introduces Casper, which provides additional capabilities through delegation before entering capability mode. Casper allows easier process separation by creating services run with user privileges that processes can then securely access through APIs. The document outlines several system services implemented through Casper and future work integrating it more fully with libc and sandboxing additional system services.

Software
1 von 3
Mariusz Zaborski: Case studies of sandboxing base system with Capsicum Outline ● capsicum ● is capsicumizing hard? ● debugging infra ● casper ● future Capsicum ● echo: can read write all data ● capability model ● kernel inra ○ tight sandboxing ○ cap_enter() Capsicum vs namespaces ● PIDs ● file paths ● NFS handles ● fs ids ● sysctl mib ● sysv ipc ● posix ipc ● clocks ● jails ● CPU sets ● protocol addrs ● routing tables Capsicum ● int cap_enter(void); ● int cap_rights_limit(int fd, const cap_rights_t *rights); ● caps as file descriptors rights ● CAP_READ, WRITE, APPEND, ACCEPT, FCHMOD, CREATE, UNLINKAT< IOCTL, RECV, LISTEN Capsicum ● two ways to obtain more caps ○ initialization phase ○ delegation ● Privileged -> Resources ○ -> Sandboxed (send resource by fd passing) Is capsicumizing hard? ● Not for new code. Existing code? 2015 sandboxing effort ● dhclient, ... 2016 sandboxing effort ● much more bspatch(1) ● SA-16:25: negative value ● SA-16:29: integer overflows bspatch(1) - Step 0: read the code ● (... C code …)
Step 1: code reorg ● every single open is done during initialization phase, i.e. move open before cap_enter() Step 2: read more code ● code attempts to read from fds, seeking on fds Step 3: limit operations on fds ● CAP_READ, CAP_SEEK cmp(1) - deduplicate code ● read file, determine if same or not capsicum helpers ● capsicum_helpers.h ● inline functions ○ caph_limit_stream(), limit_stdout(), limit_stdin(), limit_stderr() libc is not your friend ● err(3) ● localtime(3) ● syslog ● modify vdso to not open device ● more helpers ○ caph_cache_catpages(): NLS support ○ caph_cache_tzdata() debugging infrastructure ● ktrace/kdump ○ getting only trace ● very easy to miss something ● hard to cover all paths debugging - krace ● (example output) debugging - enotcap ● kern.trap_enotcap ● procctl(PROC_TRAPCAP_CTL) ● get core dump ● hard to miss something ● hard to cover all code paths debugging - enotcap ● (example enotcap SIGTRAP) libCasper ● 2nd way to get more caps: delegation Casper ● provides functionality not avail in cap mode through convenient APIs ● easier process separation ● done before entering Capability mode ● Creating zygote ● set of dynamic libs Casper: how? ● process (cap_init()) -> casper -> zygote ● casper -> service (cap_service_open()) ● cap_close(): leave only process->service Casper ● system.dns ● system.grp ● system.pwd: password files ● system.random ● system.sysctl Traceroute - capsicumize with casper
(.. C code …) casper - mocks ● reduce amount of ifdefs in code ● hide ifdefs in lib itself ● use inline/defines to create mocks ● e.g. ○ cap_gethostbyname ifdef’ed to gethostbyname in header if not using casper Future! Casper - next next generation ● integration with libc? ○ make libc more pluggable, e.g. multiple gethostbyname functions (scott: nss?) ○ start casper in _start ● sandbox services ○ services run with user privileges ○ reduce TCB Casper services ● system.filesystem ● system.syslog ● system.login ● system.tls ● system.socket ● system.configuration Casper - dhclient(8) (SIGTRAP core dump example) dhclient started before syslog in initscripts Casper - system.syslog ● change the order? (not viable) ● casper service D12824 ● fixed dhclient D12825 casper - sshd(8) (sshd core dump example) ● login_getpwclass() was failing ● opens $HOME/login.conf and /etc/login.conf ● patch specific to FreeBSD Acknowledgements Q&A ● per thread caps? A: caps represented by descriptors, so no ● much more fine grained than OpenBSD pledge? A: yes ● Is this a bit like Android permissions? A: no, fd represent a much more precise thing. More granular.

Empfohlen

PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
Jervin Real
 
20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack
Jeff Yang
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
Jeff Yang
 
Is It Faster to Go with Redpanda Transactions than Without Them?!
Is It Faster to Go with Redpanda Transactions than Without Them?!Is It Faster to Go with Redpanda Transactions than Without Them?!
Is It Faster to Go with Redpanda Transactions than Without Them?!
ScyllaDB
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge
Nicolas De Loof
 
Meetup #28
Meetup #28Meetup #28
Meetup #28
MVP Microsoft
 
Php perf
Php perfPhp perf
Php perf
ericjonah
 
Caching in Docker - the hardest thing in computer science
Caching in Docker - the hardest thing in computer scienceCaching in Docker - the hardest thing in computer science
Caching in Docker - the hardest thing in computer science
Jarek Potiuk
 

Empfohlen

PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
Jervin Real
 
20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack
Jeff Yang
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
Jeff Yang
 
Is It Faster to Go with Redpanda Transactions than Without Them?!
Is It Faster to Go with Redpanda Transactions than Without Them?!Is It Faster to Go with Redpanda Transactions than Without Them?!
Is It Faster to Go with Redpanda Transactions than Without Them?!
ScyllaDB
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge
Nicolas De Loof
 
Meetup #28
Meetup #28Meetup #28
Meetup #28
MVP Microsoft
 
Php perf
Php perfPhp perf
Php perf
ericjonah
 
Caching in Docker - the hardest thing in computer science
Caching in Docker - the hardest thing in computer scienceCaching in Docker - the hardest thing in computer science
Caching in Docker - the hardest thing in computer science
Jarek Potiuk
 
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Tanya Denisyuk
 
Gsummit apis-2013
Gsummit apis-2013Gsummit apis-2013
Gsummit apis-2013
Gluster.org
 
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
Puppet
 
zmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rustzmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rust
Fantix King 王川
 
Replacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with ProvidersReplacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with Providers
Puppet
 
8 Ways Network Engineers use Snabb (RIPE 77)
8 Ways Network Engineers use Snabb (RIPE 77)8 Ways Network Engineers use Snabb (RIPE 77)
8 Ways Network Engineers use Snabb (RIPE 77)
Igalia
 
Non-DIY* Logging
Non-DIY* LoggingNon-DIY* Logging
Non-DIY* Logging
ESUG
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Badoo Development
 
Kubernetes
KubernetesKubernetes
Kubernetes
Diego Pacheco
 
Talk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about DockerTalk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about Docker
Wellington Silva
 
Restinio - header-only http and websocket server
Restinio - header-only http and websocket serverRestinio - header-only http and websocket server
Restinio - header-only http and websocket server
corehard_by
 
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
Codemotion
 
Some Tricks in Using Terminal - KienDT
Some Tricks in Using Terminal - KienDTSome Tricks in Using Terminal - KienDT
Some Tricks in Using Terminal - KienDT
Framgia Vietnam
 
How to manage stateful applications in Kubernetes
How to manage stateful applications in KubernetesHow to manage stateful applications in Kubernetes
How to manage stateful applications in Kubernetes
Florian Woerner
 
Unikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy WayUnikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy Way
ScyllaDB
 
Whoops! I Rewrote It in Rust
Whoops! I Rewrote It in RustWhoops! I Rewrote It in Rust
Whoops! I Rewrote It in Rust
ScyllaDB
 
Profiling and optimizing go programs
Profiling and optimizing go programsProfiling and optimizing go programs
Profiling and optimizing go programs
Badoo Development
 
Crimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent MemoryCrimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent Memory
ScyllaDB
 
GCE NFS HA
GCE NFS HAGCE NFS HA
GCE NFS HA
Simon Su
 
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect ToolboxWebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
WebCamp
 
CS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXCS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIX
ruchith
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
libfetion
 

Weitere ähnliche Inhalte

Was ist angesagt?

Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Tanya Denisyuk
 
Replacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with ProvidersReplacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with Providers
Puppet
 
Unikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy WayUnikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy Way
ScyllaDB
 
Whoops! I Rewrote It in Rust
Whoops! I Rewrote It in RustWhoops! I Rewrote It in Rust
Whoops! I Rewrote It in Rust
ScyllaDB
 
Profiling and optimizing go programs
Profiling and optimizing go programsProfiling and optimizing go programs
Profiling and optimizing go programs
Badoo Development
 

Was ist angesagt? (20)

Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
 
Gsummit apis-2013
Gsummit apis-2013Gsummit apis-2013
Gsummit apis-2013
 
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
Puppet Camp Dallas 2014: Replacing Simple Puppet Modules with Providers
 
zmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rustzmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rust
 
Replacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with ProvidersReplacing Simple Puppet Modules with Providers
Replacing Simple Puppet Modules with Providers
 
8 Ways Network Engineers use Snabb (RIPE 77)
8 Ways Network Engineers use Snabb (RIPE 77)8 Ways Network Engineers use Snabb (RIPE 77)
8 Ways Network Engineers use Snabb (RIPE 77)
 
Non-DIY* Logging
Non-DIY* LoggingNon-DIY* Logging
Non-DIY* Logging
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Talk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about DockerTalk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about Docker
 
Restinio - header-only http and websocket server
Restinio - header-only http and websocket serverRestinio - header-only http and websocket server
Restinio - header-only http and websocket server
 
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
Asynchronous IO in Rust - Enrico Risa - Codemotion Rome 2017
 
Some Tricks in Using Terminal - KienDT
Some Tricks in Using Terminal - KienDTSome Tricks in Using Terminal - KienDT
Some Tricks in Using Terminal - KienDT
 
How to manage stateful applications in Kubernetes
How to manage stateful applications in KubernetesHow to manage stateful applications in Kubernetes
How to manage stateful applications in Kubernetes
 
Unikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy WayUnikraft: Fast, Specialized Unikernels the Easy Way
Unikraft: Fast, Specialized Unikernels the Easy Way
 
Whoops! I Rewrote It in Rust
Whoops! I Rewrote It in RustWhoops! I Rewrote It in Rust
Whoops! I Rewrote It in Rust
 
Profiling and optimizing go programs
Profiling and optimizing go programsProfiling and optimizing go programs
Profiling and optimizing go programs
 
Crimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent MemoryCrimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent Memory
 
GCE NFS HA
GCE NFS HAGCE NFS HA
GCE NFS HA
 
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect ToolboxWebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
WebCamp 2016: PHP.Алексей Петров.PHP at Scale: System Architect Toolbox
 

Ähnlich wie Bsdtw17: mariusz zaborski: case studies of sandboxing base system with capsicum

CS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXCS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIX
ruchith
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
Yandex
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux Awareness
Peter Griffin
 

Ähnlich wie Bsdtw17: mariusz zaborski: case studies of sandboxing base system with capsicum (20)

CS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXCS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIX
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Automating complex infrastructures with Puppet
Automating complex infrastructures with PuppetAutomating complex infrastructures with Puppet
Automating complex infrastructures with Puppet
 
Kvm optimizations
Kvm optimizationsKvm optimizations
Kvm optimizations
 
Time to rethink /proc
Time to rethink /procTime to rethink /proc
Time to rethink /proc
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBA
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablement
 
Community Update at OpenStack Summit Boston
Community Update at OpenStack Summit BostonCommunity Update at OpenStack Summit Boston
Community Update at OpenStack Summit Boston
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganeti
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Automating Complex Setups with Puppet
Automating Complex Setups with PuppetAutomating Complex Setups with Puppet
Automating Complex Setups with Puppet
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux Awareness
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
 
Serialization in Go
Serialization in GoSerialization in Go
Serialization in Go
 

Mehr von Scott Tsai

Mehr von Scott Tsai (8)

Bsdtw17: brooks davis: is it time to replace mmap?
Bsdtw17: brooks davis: is it time to replace mmap?Bsdtw17: brooks davis: is it time to replace mmap?
Bsdtw17: brooks davis: is it time to replace mmap?
 
Bsdtw17: arun thomas: risc v berkeley hardware for your berkeley software dis...
Bsdtw17: arun thomas: risc v berkeley hardware for your berkeley software dis...Bsdtw17: arun thomas: risc v berkeley hardware for your berkeley software dis...
Bsdtw17: arun thomas: risc v berkeley hardware for your berkeley software dis...
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsd
 
Bsdtw17: allan jude: zfs: advanced integration
Bsdtw17: allan jude: zfs: advanced integrationBsdtw17: allan jude: zfs: advanced integration
Bsdtw17: allan jude: zfs: advanced integration
 
Bsdtw17: ruslan bukin: free bsd/risc-v and device drivers
Bsdtw17: ruslan bukin: free bsd/risc-v and device driversBsdtw17: ruslan bukin: free bsd/risc-v and device drivers
Bsdtw17: ruslan bukin: free bsd/risc-v and device drivers
 
Bsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security featuresBsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security features
 
Bsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessionsBsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessions
 
Bsdtw17: johannes m dieterich: high performance computing and gpu acceleratio...
Bsdtw17: johannes m dieterich: high performance computing and gpu acceleratio...Bsdtw17: johannes m dieterich: high performance computing and gpu acceleratio...
Bsdtw17: johannes m dieterich: high performance computing and gpu acceleratio...
 

Kürzlich hochgeladen

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 

Kürzlich hochgeladen (20)

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

Bsdtw17: mariusz zaborski: case studies of sandboxing base system with capsicum

  • 1. Mariusz Zaborski: Case studies of sandboxing base system with Capsicum Outline ● capsicum ● is capsicumizing hard? ● debugging infra ● casper ● future Capsicum ● echo: can read write all data ● capability model ● kernel inra ○ tight sandboxing ○ cap_enter() Capsicum vs namespaces ● PIDs ● file paths ● NFS handles ● fs ids ● sysctl mib ● sysv ipc ● posix ipc ● clocks ● jails ● CPU sets ● protocol addrs ● routing tables Capsicum ● int cap_enter(void); ● int cap_rights_limit(int fd, const cap_rights_t *rights); ● caps as file descriptors rights ● CAP_READ, WRITE, APPEND, ACCEPT, FCHMOD, CREATE, UNLINKAT< IOCTL, RECV, LISTEN Capsicum ● two ways to obtain more caps ○ initialization phase ○ delegation ● Privileged -> Resources ○ -> Sandboxed (send resource by fd passing) Is capsicumizing hard? ● Not for new code. Existing code? 2015 sandboxing effort ● dhclient, ... 2016 sandboxing effort ● much more bspatch(1) ● SA-16:25: negative value ● SA-16:29: integer overflows bspatch(1) - Step 0: read the code ● (... C code …)
  • 2. Step 1: code reorg ● every single open is done during initialization phase, i.e. move open before cap_enter() Step 2: read more code ● code attempts to read from fds, seeking on fds Step 3: limit operations on fds ● CAP_READ, CAP_SEEK cmp(1) - deduplicate code ● read file, determine if same or not capsicum helpers ● capsicum_helpers.h ● inline functions ○ caph_limit_stream(), limit_stdout(), limit_stdin(), limit_stderr() libc is not your friend ● err(3) ● localtime(3) ● syslog ● modify vdso to not open device ● more helpers ○ caph_cache_catpages(): NLS support ○ caph_cache_tzdata() debugging infrastructure ● ktrace/kdump ○ getting only trace ● very easy to miss something ● hard to cover all paths debugging - krace ● (example output) debugging - enotcap ● kern.trap_enotcap ● procctl(PROC_TRAPCAP_CTL) ● get core dump ● hard to miss something ● hard to cover all code paths debugging - enotcap ● (example enotcap SIGTRAP) libCasper ● 2nd way to get more caps: delegation Casper ● provides functionality not avail in cap mode through convenient APIs ● easier process separation ● done before entering Capability mode ● Creating zygote ● set of dynamic libs Casper: how? ● process (cap_init()) -> casper -> zygote ● casper -> service (cap_service_open()) ● cap_close(): leave only process->service Casper ● system.dns ● system.grp ● system.pwd: password files ● system.random ● system.sysctl Traceroute - capsicumize with casper
  • 3. (.. C code …) casper - mocks ● reduce amount of ifdefs in code ● hide ifdefs in lib itself ● use inline/defines to create mocks ● e.g. ○ cap_gethostbyname ifdef’ed to gethostbyname in header if not using casper Future! Casper - next next generation ● integration with libc? ○ make libc more pluggable, e.g. multiple gethostbyname functions (scott: nss?) ○ start casper in _start ● sandbox services ○ services run with user privileges ○ reduce TCB Casper services ● system.filesystem ● system.syslog ● system.login ● system.tls ● system.socket ● system.configuration Casper - dhclient(8) (SIGTRAP core dump example) dhclient started before syslog in initscripts Casper - system.syslog ● change the order? (not viable) ● casper service D12824 ● fixed dhclient D12825 casper - sshd(8) (sshd core dump example) ● login_getpwclass() was failing ● opens $HOME/login.conf and /etc/login.conf ● patch specific to FreeBSD Acknowledgements Q&A ● per thread caps? A: caps represented by descriptors, so no ● much more fine grained than OpenBSD pledge? A: yes ● Is this a bit like Android permissions? A: no, fd represent a much more precise thing. More granular.