Upgrade to Pro — share decks privately, control downloads, hide ads and more …

capsicum(論文輪講)

bachi/yuzuhara
December 12, 2013
Technology
0
210

 capsicum(論文輪講)

bachi/yuzuhara

December 12, 2013
Tweet

More Decks by bachi/yuzuhara

See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
780
wrapup_z_2018.pdf
yuzuhara
0
370
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.1k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
290
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
6.3k

Other Decks in Technology

See All in Technology
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
24k
データベース超入門(座学編)
nomu
0
270
DHCPオプションセットって何だろう??
amarelo_n24
1
130
Cloudflare_MeetUp_Sapporo_KickOff.pdf
taketakekaho
1
100
6G/テラヘルツの取り組み
sbtechnight
PRO
0
450
[CI/CD2023]OSSで構築するOpenAPI開発のCI/CD
xibuka
2
210
Kafka Consumers at Naver
dongjin
0
180
就活は相談したもの勝ち
carta_engineering
0
110
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
200
SNS投稿を使ってクラウド障害を検知してみた
sbtechnight
PRO
0
400
自動運転レベル4解禁にあたり求められる遠隔監視技術
sbtechnight
PRO
0
540
インターネットの最新技術をモバイル網に持ち込んで最強のエッジコンピューティング基盤を作ってみた
sbtechnight
PRO
0
380

Featured

See All Featured
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Building Applications with DynamoDB
mza
86
5k
Intergalactic Javascript Robots from Outer Space
tanoku
261
26k
How to train your dragon (web standard)
notwaldorf
66
4.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
It's Worth the Effort
3n
177
26k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.2k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
Producing Creativity
orderedlist
PRO
335
38k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
The Invisible Customer
myddelton
113
12k
Product Roadmaps are Hard
iamctodd
38
7.9k

Transcript

  1. Capsicum :
    practical capabilities for UNIX
    ࿦จྠߨ

    @yuzuhara
    Robert N. M. Waston

    University of Cambridge
    Jonathan Anderson

    University of Cambridge
    Ben Laurie

    Google UK Ltd.
    Kris Kennaway

    Google UK Ltd.
    19th USENIX Security Symposium (2010)

    View Slide

  2. Background
    • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ΋߈ܸͷӨڹΛ࠷
    খԽ͍ͨ͠

    • Privilege Separation ΍Compartmentalization

    • Open SSH͸ಛݖ෼ׂ(Privilege Separation)

    Google Chromium͸Compartmentalizationʢִ཭ʁʣ

    • Compartmentalization͸OSͷΞΫηε੍ޚΛۦ࢖
    ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ

    • Programmer͕͕Μ͹Βͳ͍ͱ͍͚ͳ͍

    ˠOS͕ఏڙ͢ΔΞΫηε੍ޚ͸γϯϓϧ͗͢Δ

    View Slide

  3. Problems
    • Chromiumͷ۠ըԽ͸ɽɽɽ

    • ϓϩηεΛ෼͚DAC,MACΛۦ࢖ͯ͠sandboxԽ

    • 1Process=1Userͩͱbrowser͕ͱͯͭ΋ͳ͍ݖݶΛ΋ͭ͜ͱ
    ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ෼͚Δ

    • ϓϩάϥϚͷෛ୲େ

    • sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ౰͔ʁʣ

    • ͔͠΋sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ΋

    • Sec.5Ͱઆ໌

    View Slide

  4. Proposal
    • ޮ཰Α۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ

    • Χʔωϧ࣮૷ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ

    • Ϣʔβʔ࣮૷ʢAPI, runtimeʣ

    • Unix Capability ͸Capsicum Capabilityʹஔ͖׵͑Δ

    • طଘͷDAC,MAC͸ซ༻͢Δ͕࣮ࡍʹ͸Capsicum͕ಛ
    ݖΛoverride͢Δ

    • DAC,MAC͸ɼಛݖ෼ׂ͢ΔͨΊʹ͸ػೳ͕ෆे෼

    • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δ΋ͷ

    View Slide

  5. Capsicum Overview
    Kernel
    UNIX process

    ambient authority
    Browser process

    ambient authority
    Renderer process

    capability mode
    Traditional UNIX application Capsicum logical application
    becomes

    View Slide

  6. Capability based Access Controls
    • OS ͕࡞੒͢Δobjectʹର͢Δૢ࡞ݖݶ

    • ݖݶΛ͍࣋ͬͯͳ͚Ε͹objectʹΞΫηεͰ͖ͳ͍
    ProcessA
    ProcessB
    Network
    Interface
    $"[email protected]/&[email protected]"%.*
    $"[email protected]/&[email protected]"%.*
    $"[email protected]/&[email protected]"%.*
    $"[email protected]/&[email protected]"%.*



    ifup()
    ifup()

    View Slide

  7. Design

    View Slide

  8. • Capability mode ( extend kernel )

    • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ

    • ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ
    delegation

    • Capabilities ( replace API & capabilities )

    • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ

    Capsicum CapabilityΛؔ࿈෇͚Δ

    • దٓcapabilityΛ

    View Slide

  9. Capability mode
    • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢Δsyscallͷ௥Ճ

    • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ

    • ϓϩηε͸cap_enter()ޙʹglobal namespace͔Βִ཭
    ͞ΕΔ

    • *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ

    • global namespace = (PID, File paths, NFS file handle, File
    System ID, Protocol Address, System V IPC, POSIX IPC, Jail... )
    ※sysctl͸30ݸexplicitʹڐՄɽ͋ͱ͸denied
    sysctl, shm_open͸ಗ໊ϝϞϦΦϒδΣΫτ
    ͷΈ࡞੒Մೳ
    (Extended kernel)

    View Slide

  10. Logical Application
    Capability Mode (cont.)
    • ʢྫʣfile paths namespaceͷ৔߹

    ύε໊ϕʔεͰର৅ͱͳΔϑΝΠϧΛࢦఆ

    • Ҿ਺ʹઈରύε΍ɼ”..” ΛؚΉͱ͖͸αϯυϘοΫε
    ͔Βग़ͳ͍͔νΣοΫ͢Δ

    • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ
    /
    etc var
    apache passwd www
    site1 site2
    worker1 worker2
    apache

    View Slide

  11. Capabilities
    • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη
    εϚεΫΛ૊Έ߹Θ࣮ͤͯݱ

    • 60छྨͷέʔύϏϦςΟΛར༻Մೳ

    • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
    ͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼ਺ඦͷݖݶ͕͋Δʣͷؒ

    • sandboxͱϗετ͸IPCΛ࢖ͬͯ௨৴

    • ݖݶΛ෇༩͢Δࡍ͸libcapsicumͱ͍͏ϥΠϒϥϦܦ༝

    Ͱߦ͏

    • έʔύϏϦςΟͷҕৡ͸fdlistʢϑΝΠϧσΟεΫϦϓ
    λͷϦετʣͷड͚౉͠Ͱදݱ

    View Slide

  12. Capabilities(cont’d)
    • File DescriptorΛwrap࣮ͯ͠ݱ

    • capabilityΛ࣋ͬͨΞΫηεʹ

    ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε
    ...
    8
    ...
    10
    ...
    12
    struct
    file
    struct capability

    mask = READ | WRITE
    struct
    file
    struct capability

    mask = READ
    struct
    vnode

    (inode)
    struct
    file
    Process file descriptors

    View Slide

  13. Implementation

    View Slide

  14. Kernel Changes
    • ΞΫηεͷݕࠪ͸fget(Χʔωϧ಺)ͷதͰߦ͏

    • systemcall͝ͱʹϑοΫΑΓ΋ɼkernel಺ͷfd->fileม׵
    ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ

    • nameiͰ໊લۭؒΛ۠ըԽ͢Ε͹Α͍ɽ͓खܰ

    • ۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ͸

    workerͷ؅ཧ౳͕൥ࡶʹͳΔ

    -Implementation-

    View Slide

  15. Runtime Environments
    • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ
    εͷ؅ཧ

    • rtld-elf-capʢϦϯΧʣ

    • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒ੾Γ཭͢

    ʢfdʹม׵ͯ͠fdͷϦετͰ౉͢ʣ

    • ؅ཧ༻IPCʢhostsandboxʣΛࣗಈతʹηοτΞοϓ
    -Implementation-

    View Slide

  16. Runtime Environmentsʢcont’dʣ
    -Implementation-
    ϗετϓϩηε͕
    αϯυϘοΫεԽ
    ϦϯΧ͕࡞ΔϥΠϒϥϦ
    ͷfdϦετΛ༻͍ͯɼ

    ໊લۭ͔ؒΒ੾Γ཭͢
    libcapsicumܦ༝Ͱ

    ݖݶΛ໰͍߹Θͤ

    View Slide

  17. adapting Applications
    • tcpdump

    • gzip

    View Slide

  18. tcpdump
    • tcpdump͸ҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ

    1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ

    2. BPFσόΠεʢೖྗʣΛઃఆ

    3. औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ

    • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ

    ʢ+2ߦͰ࣮ݱʣ
    ←↑1౓͔࣮͠ߦ͞Εͳ͍

    View Slide

  19. tcpdump(cont’d)
    • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷ͸ҎԼͷࡾͭ

    • ඪ४ग़ྗ/Τϥʔ΁ͷॻ͖ࠐΈ

    • ඪ४ೖྗ͔Βͷsignalड͚෇͚

    View Slide

  20. gzip
    • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ

    • chroot΍৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ

    • ·ͣnatural fault linesΛܾΊΔ

    • ίϚϯυҾ਺Λड͚औΔϝΠϯϧʔϓ

    • Ҿ਺͔ΒϑΝΠϧ౳Λࣝผ͢Δγʔέϯε

    • ѹॖϧʔνϯ΁ͷΠϯϓοτͱѹॖϑΝΠϧͷΞ΢τ
    ϓοτʢˡ͜͜Λ۠ըԽʣ

    View Slide

  21. gzip
    • libcapsicumΛ༻͍ͯ۠ըԽ

    • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ਺
    ΛsandboxԽ

    • ιʔείʔυʹ409ߦͷ௥Ճ

    • σʔλड͚౉͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ
    ͖͍

    View Slide

  22. ·ͱΊ

    View Slide