capsicum (paper reading group)

bachi/yuzuhara

December 12, 2013
Transcript

  1. Capsicum: practical capabilities for UNIX
    (paper reading group)

    @yuzuhara

    Robert N. M. Watson, University of Cambridge
    Jonathan Anderson, University of Cambridge
    Ben Laurie, Google UK Ltd.
    Kris Kennaway, Google UK Ltd.
    19th USENIX Security Symposium (2010)

  2. Background
    • Even if a program has a vulnerability, we want to minimize the impact of an attack

    • Privilege separation and compartmentalization

    • OpenSSH uses privilege separation;
      Google Chromium uses compartmentalization (isolation?)

    • Compartmentalization is built by driving the OS's access controls, but...

    • The programmer has to do a lot of work by hand

    → The access control the OS provides is too simple

  3. Problems
    • Chromium's compartmentalization...

    • Splits the browser into processes and sandboxes them using DAC and MAC

    • With 1 process = 1 user, the browser would hold enormous privileges, so (for security reasons) it is split into processes

    • Heavy burden on the programmer

    • 22 KLOC of C++ just for the sandbox (really?)

    • And the sandbox can still be escaped

    • Explained in Sec. 5

  4. Proposal
    • Propose a framework that allows efficient compartmentalization

    • Kernel implementation (sandbox and capabilities)

    • Userspace implementation (API, runtime)

    • Unix capabilities are replaced by Capsicum capabilities

    • Existing DAC and MAC are still used alongside, but in practice Capsicum overrides those privileges

    • DAC and MAC are functionally insufficient for privilege separation

    • They only apply the system's security policy

  5. Capsicum Overview
    [Figure: a traditional UNIX application (one UNIX process with ambient authority, on top of the kernel) becomes a Capsicum logical application: a browser process with ambient authority plus a renderer process in capability mode]

  6. Capability-based Access Controls
    • Rights to operate on objects created by the OS

    • Without the right, the object cannot be accessed

    [Figure: Process A and Process B reaching a network interface through ifup()]

  7. Design


  8. • Capability mode (extend kernel)

    • Restricts the system calls a process may issue

    • Delegation of capabilities through process inheritance and communication

    • Capabilities (replace API & capabilities)

    • Wraps file descriptors and associates a Capsicum capability with each

    • Capabilities, as appropriate

  9. Capability mode
    • Adds a syscall that sandboxes the specified process

    • cap_enter()  ※ it only sets a flag

    • After cap_enter(), the process is cut off from the global namespaces

    • Only the *at family (file operations by relative path) remains usable

    • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail...)
      ※ 30 sysctls are explicitly permitted; the rest are denied
      sysctl, shm_open: only anonymous memory objects can be created
    (Extended kernel)

  10. Logical Application
    Capability Mode (cont.)
    • (Example) the file paths namespace

      Target files are designated by path name

    • When an argument contains an absolute path or "..", check that it does not leave the sandbox

    • So that the techniques used to escape chroot cannot escape it

    [Figure: directory tree / with etc (apache, passwd) and var/www (site1, site2), labelled with processes worker1, worker2 and apache]

  11. Capabilities
    • Implemented by combining existing file descriptors with Capsicum's own access mask

    • 60 kinds of capability rights are available

    • Sits between message passing (where only two rights exist, send or receive) and MAC (mandatory access control, with hundreds of rights)

    • Sandbox and host communicate over IPC

    • Rights are granted via a library called libcapsicum

    • Capability delegation is expressed by passing an fdlist (a list of file descriptors)

  12. Capabilities (cont'd)
    • Implemented by wrapping file descriptors

    • Access through a specific descriptor becomes access that carries a capability

    [Figure: process file descriptors 8, 10 and 12; two of them point at struct file entries wrapped by a struct capability (mask = READ | WRITE and mask = READ) that in turn reference the underlying struct file and struct vnode (inode)]

  13. Implementation


  14. Kernel Changes
    • Access checks are done inside fget() (in the kernel)

    • Rather than hooking each system call, checking at the fd->file conversion inside the kernel gives a uniform check

    • Compartmentalizing the namespace in namei suffices; easy to do

    • In a compartmentalized application, managing workers and the like becomes cumbersome

    -Implementation-
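As an added illustration (not FreeBSD's code, nor anything from the paper or these slides), the following C models the two checks the slides describe: the rights-mask test that slide 14 places at fget()'s fd-to-file conversion over the wrapper of slide 12, and the relative-path rule of slide 10 that rejects absolute paths and ".." in capability mode. The struct layout, the right names and the fd number are simplified stand-ins, not the real kernel definitions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified stand-ins for rights bits (not the real CAP_* values). */
#define CAP_READ   0x1u
#define CAP_WRITE  0x2u
#define CAP_LOOKUP 0x4u   /* may serve as the directory for *at() lookups */

/* Slide 12's wrapper: a capability is a descriptor plus a rights mask. */
struct capability {
    int fd;          /* underlying descriptor number */
    unsigned mask;   /* rights this capability carries */
};

/* Slide 14's check at fd->file conversion (fget()): every right the
 * operation needs must be present in the mask. */
bool cap_check(const struct capability *cap, unsigned needed)
{
    return (cap->mask & needed) == needed;
}

/* Slide 10's namespace rule: only relative paths, and no ".." component,
 * so a lookup cannot climb out of the directory it started from. */
bool capmode_path_ok(const char *path)
{
    if (path == NULL || path[0] == '/')   /* absolute path = global namespace */
        return false;
    for (const char *p = path; *p != '\0';) {
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return false;                 /* ".." would escape the sandbox */
        if (*p == '/') p++;
    }
    return true;
}

/* An openat()-style request against a directory capability. */
bool capmode_openat_ok(const struct capability *dir, const char *path, unsigned needed)
{
    return cap_check(dir, CAP_LOOKUP) && capmode_path_ok(path) && cap_check(dir, needed);
}

int main(void)
{   /* constructed example: a read-only directory capability for var/www */
    struct capability www = { .fd = 8, .mask = CAP_LOOKUP | CAP_READ };
    printf("%d %d %d\n", capmode_openat_ok(&www, "site1/index.html", CAP_READ),
           capmode_openat_ok(&www, "../etc/passwd", CAP_READ),
           capmode_openat_ok(&www, "site1/index.html", CAP_WRITE));
    return 0;   /* prints "1 0 0" */
}
```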

  15. Runtime Environments
    • Sandbox management through the user library libcapsicum

    • rtld-elf-cap (the linker)

    • At link time, shared libraries and the like are detached from the namespace
      (converted to fds and passed as an fd list)

    • The management IPC (host/sandbox) is set up automatically
    -Implementation-

  16. Runtime Environments (cont'd)
    -Implementation-
    [Figure: the host process performs the sandboxing; using the fd list of libraries that the linker produces, the sandbox is detached from the namespace; rights are queried via libcapsicum]

  17. Adapting Applications
    • tcpdump

    • gzip

  18. tcpdump
    • tcpdump performs the following three functions in order:

    1. Compile the Berkeley Packet Filter pattern

    2. Set up the BPF device (input)

    3. Loop writing the captured packets to standard output

    • At step 3, call cap_enter() to sandbox the process
      (done in +2 lines)
    ←↑ executed only once

  19. tcpdump (cont'd)
    • After sandboxing, the following three things are newly required:

    • Writing to standard output/error

    • Receiving signals from standard input

  20. gzip
    • An application that is not compartmentalized

    • chroot or a fresh UID would be overkill (requires privilege)

    • First decide the natural fault lines:

    • The main loop that receives the command-line arguments

    • The sequence that identifies files etc. from the arguments

    • The input to the compression routine and the output of the compressed file (← compartmentalize this)

  21. gzip
    • Compartmentalized using libcapsicum

    • The gz_compress, gz_uncompress and unbunzip2 functions are each sandboxed

    • 409 lines added to the source code

    • Serializing/deserializing the data passed across is the large part

  22. Summary