
capsicum (paper reading group)


bachi/yuzuhara

December 12, 2013

Transcript

  1. Capsicum: practical capabilities for UNIX (paper reading group) @yuzuhara
     Robert N. M. Watson, University of Cambridge; Jonathan Anderson, University of Cambridge; Ben Laurie, Google UK Ltd.; Kris Kennaway, Google UK Ltd. 19th USENIX Security Symposium (2010)
  2. Background
     • Even when a program has a vulnerability, we want to minimise the impact of an attack
     • Privilege separation and compartmentalization
     • OpenSSH uses privilege separation; Google Chromium uses compartmentalization (isolation?)
     • Compartmentalization is built by making the most of the OS access controls, but...
     • The programmer has to work very hard for it
     → The access controls the OS provides are too simple
  3. Problems
     • Chromium's compartmentalization is...
     • Splits the browser into processes and sandboxes them using DAC and MAC
     • With 1 process = 1 user the browser would hold enormous privileges, so (for security reasons) it is split into processes
     • Heavy burden on the programmer
     • 22 KLOC of C++ just for the sandbox (really?)
     • Moreover, the sandbox can still be escaped
     • Explained in Sec. 5
  4. Proposal
     • Proposes a framework that allows efficient compartmentalization
     • Kernel implementation (sandbox and capabilities)
     • User-space implementation (API, runtime)
     • Unix capabilities are replaced by Capsicum capabilities
     • Existing DAC and MAC are kept alongside, but in practice Capsicum overrides privilege
     • DAC and MAC alone lack the functionality needed for privilege separation
     • They only apply the system's security policy
  5. Capsicum Overview
     (figure: kernel; a traditional UNIX application as a UNIX process with ambient authority; a Capsicum logical application as a browser process with ambient authority plus a renderer process in capability mode)
  6. Capability based Access Controls
     • Rights to operate on the objects the OS creates
     • Without the right, a process cannot access the object
     (figure: ProcessA and ProcessB, each holding a CAP_NET_ADMIN capability to the Network Interface, each calling ifup())
  7. Design

  8. • Capability mode (extend kernel)
     • Restricts the system calls a process may issue
     • Delegation of capabilities through process inheritance and communication
     • Capabilities (replace API & capabilities)
     • Wraps file descriptors and associates a Capsicum capability with them
     • As appropriate, the capability...
  9. Capability mode
     • A new syscall that sandboxes the calling process
     • cap_enter()  ※ it only sets a flag
     • After cap_enter() the process is cut off from the global namespaces
     • Only the *at family (file operations by relative path) remains usable
     • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail...)
     ※ sysctl: 30 are explicitly permitted, the rest are denied. sysctl, shm_open: shm_open may only create anonymous memory objects (Extended kernel)
  10. Capability Mode (cont.): Logical Application
     • (Example) the file paths namespace
     • The target file is named by a path
     • When an argument is an absolute path or contains "..", check that it does not leave the sandbox
     • So that chroot-escape techniques cannot be used to break out
     (figure: directory tree with labels /, etc, var, apache, passwd, www, site1, site2, worker1, worker2)
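The path rule on this slide, as an added C illustration that is neither the deck's nor FreeBSD's code: `capmode_path_ok()` (a name assumed here) models the check that a path handed to an *at() call in capability mode must be relative and may never climb above the directory descriptor with "..".

```c
/* Added illustration (not the deck's or FreeBSD's code) of the rule on
 * this slide: in capability mode a path handed to an *at() call must be
 * relative and must never climb above the directory descriptor it is
 * resolved against.  Modelled as a pure string walk so it runs anywhere. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true when `path` cannot leave the sandbox directory.
 * `depth` counts components below the starting directory; a ".."
 * at depth 0 would reach the global namespace and is rejected. */
bool capmode_path_ok(const char *path)
{
    if (path == NULL || path[0] == '/')   /* absolute path: global namespace */
        return false;

    int depth = 0;
    const char *p = path;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)               /* would escape, like a chroot break */
                return false;
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                      /* ordinary component */
        }                                 /* "" (double slash) and "." are no-ops */

        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

int main(void)
{
    /* Constructed sample arguments using the names from the slide's tree. */
    const char *samples[] = { "www/site1/index.html", "site1/../site2",
                              "/etc/passwd", "../etc/passwd",
                              "site1/../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               capmode_path_ok(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

FreeBSD applies this rule component by component inside namei() during the real lookup, so symbolic links that resolve to absolute paths or ".." are caught as well; a string check like this one on its own would not see them.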
  11. Capabilities
     • Realised by combining existing file descriptors with Capsicum's own access mask
     • 60 kinds of capability rights are available
     • Sits between message passing (which has only two rights, send or receive) and MAC (mandatory access control, with hundreds of rights)
     • Sandbox and host communicate over IPC
     • Rights are granted through a library called libcapsicum
     • Delegation of capabilities is expressed by handing over an fdlist (a list of file descriptors)
  12. Capabilities (cont'd)
     • Realised by wrapping the File Descriptor
     • Access with a capability is access through a specific descriptor
     (figure: process file descriptors 8, 10 and 12; each points at a struct capability with mask = READ | WRITE or mask = READ, which wraps a struct file that in turn refers to the same struct vnode (inode))
  13. Implementation

  14. Kernel Changes
     • Access checks are done inside fget() (in the kernel)
     • Checking at the fd->file conversion inside the kernel gives uniform checking, rather than hooking every system call
     • The namespace is compartmentalized in namei(); that is all it takes
     • In a compartmentalized application, managing workers and the like becomes cumbersome
     -Implementation-
  15. Runtime Environments
     • Sandboxes are managed by the user library libcapsicum
     • rtld-elf-cap (linker)
     • At link time, shared libraries and the like are detached from the namespace (converted to fds and passed as an fd list)
     • Management IPC (host<->sandbox) is set up automatically
     -Implementation-
  16. Runtime Environments (cont'd) -Implementation-
     (figure: the host process is sandboxed; using the fd list of libraries built by the linker, it is detached from the namespace; rights are requested via libcapsicum)

  17. Adapting Applications • tcpdump • gzip

  18. tcpdump
     • tcpdump runs the following three functions in order:
       1. compile the Berkeley Packet Filter pattern
       2. set up the BPF device (input)
       3. loop writing captured packets to standard output
     • Calling cap_enter() at step 3 sandboxes it (implemented in +2 lines)
     ←↑ (annotation: executed only once)
  19. tcpdump (cont'd)
     • After sandboxing, the following three things are newly required
     • Writing to standard output/error
     • Accepting signals from standard input

  20. gzip
     • An application that is not compartmentalized
     • chroot or a fresh UID would be overkill (requires privilege)
     • First decide the natural fault lines
     • The main loop that receives the command arguments
     • The sequence that identifies files etc. from the arguments
     • The input to the compression routine and the output of the compressed file (← compartmentalize here)
  21. gzip
     • Compartmentalized using libcapsicum
     • The functions gz_compress, gz_uncompress and unbunzip2 are each sandboxed
     • 409 lines added to the source code
     • Serialization/deserialization for handing data across is large
  22. Summary