Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
capsicum(論文輪講)
Search
bachi/yuzuhara
December 12, 2013
Technology
0
420
capsicum(論文輪講)
bachi/yuzuhara
December 12, 2013
Tweet
Share
More Decks by bachi/yuzuhara
See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
870
wrapup_z_2018.pdf
yuzuhara
0
390
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.4k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
370
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
7k
Other Decks in Technology
See All in Technology
EncryptedSharedPreferences が deprecated になっちゃった!どうしよう! / Oh no! EncryptedSharedPreferences has been deprecated! What should I do?
yanzm
0
470
AIエージェントで90秒の広告動画を制作!台本・音声・映像・編集をつなぐAWS最新アーキテクチャの実践
nasuvitz
3
320
AIをプライベートや業務で使ってみよう!効果的な認定資格の活かし方
fukazawashun
0
100
Practical Agentic AI in Software Engineering
uzyn
0
110
開発者を支える Internal Developer Portal のイマとコレカラ / To-day and To-morrow of Internal Developer Portals: Supporting Developers
aoto
PRO
1
470
新アイテムをどう使っていくか?みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo
akkiesoft
0
310
品質視点から考える組織デザイン/Organizational Design from Quality
mii3king
0
210
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
daitasu
0
170
ハードウェアとソフトウェアをつなぐ全てを内製している企業の E2E テストの作り方 / How to create E2E tests for a company that builds everything connecting hardware and software in-house
bitkey
PRO
1
160
Snowflake Intelligenceにはこうやって立ち向かう!クラシルが考えるAI Readyなデータ基盤と活用のためのDataOps
gappy50
0
270
DDD集約とサービスコンテキスト境界との関係性
pandayumi
3
290
roppongirb_20250911
igaiga
1
240
Featured
See All Featured
Building Adaptive Systems
keathley
43
2.7k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.4k
The Invisible Side of Design
smashingmag
301
51k
Embracing the Ebb and Flow
colly
87
4.8k
Side Projects
sachag
455
43k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
GraphQLの誤解/rethinking-graphql
sonatard
72
11k
Documentation Writing (for coders)
carmenintech
74
5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
Designing Experiences People Love
moore
142
24k
Transcript
Capsicum : practical capabilities for UNIX จྠߨ @yuzuhara Robert
N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)
Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation Compartmentalization • Open
SSHಛݖׂ(Privilege Separation) Google ChromiumCompartmentalizationʢִʁʣ • CompartmentalizationOSͷΞΫηε੍ޚΛۦ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕ΜΒͳ͍ͱ͍͚ͳ͍ ˠOS͕ఏڙ͢ΔΞΫηε੍ޚγϯϓϧ͗͢Δ
Problems • Chromiumͷ۠ըԽɽɽɽ • ϓϩηεΛ͚DAC,MACΛۦͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭͳ͍ݖݶΛͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ͚Δ • ϓϩάϥϚͷෛ୲େ
• sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ͔ʁʣ • ͔͠sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ • Sec.5Ͱઆ໌
Proposal • ޮΑ۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮ʢAPI, runtimeʣ •
Unix Capability Capsicum Capabilityʹஔ͖͑Δ • طଘͷDAC,MACซ༻͢Δ͕࣮ࡍʹCapsicum͕ಛ ݖΛoverride͢Δ • DAC,MACɼಛݖׂ͢ΔͨΊʹػೳ͕ෆे • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δͷ
Capsicum Overview Kernel UNIX process ambient authority Browser process ambient
authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes
Capability based Access Controls • OS ͕࡞͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚ΕobjectʹΞΫηεͰ͖ͳ͍ ProcessA
ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* ifup() ifup()
Design
• Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •
ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ Capsicum CapabilityΛؔ࿈͚Δ • దٓcapabilityΛ
Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢ΔsyscallͷՃ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηεcap_enter()ޙʹglobal namespace͔Βִ ͞ΕΔ
• *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl30ݸexplicitʹڐՄɽ͋ͱdenied sysctl, shm_openಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞Մೳ (Extended kernel)
Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ߹ ύε໊ϕʔεͰରͱͳΔϑΝΠϧΛࢦఆ
• Ҿʹઈରύεɼ”..” ΛؚΉͱ͖αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache
Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛΈ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετIPCΛͬͯ௨৴ • ݖݶΛ༩͢Δࡍlibcapsicumͱ͍͏ϥΠϒϥϦܦ༝ Ͱߦ͏ • έʔύϏϦςΟͷҕৡfdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚͠Ͱදݱ
Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...
10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors
Implementation
Kernel Changes • ΞΫηεͷݕࠪfget(Χʔωϧ)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓɼkernelͷfd->fileม ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢ΕΑ͍ɽ͓खܰ •
۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ workerͷཧ͕ࡶʹͳΔ -Implementation-
Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒΓ͢ ʢfdʹมͯ͠fdͷϦετͰ͢ʣ
• ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-
Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒΓ͢ libcapsicumܦ༝Ͱ ݖݶΛ͍߹Θͤ
adapting Applications • tcpdump • gzip
tcpdump • tcpdumpҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.
औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ ʢ+2ߦͰ࣮ݱʣ ←↑1͔࣮͠ߦ͞Εͳ͍
tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚͚
gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •
ίϚϯυҾΛड͚औΔϝΠϯϧʔϓ • Ҿ͔ΒϑΝΠϧΛࣝผ͢Δγʔέϯε • ѹॖϧʔνϯͷΠϯϓοτͱѹॖϑΝΠϧͷΞτ ϓοτʢˡ͜͜Λ۠ըԽʣ
gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ ΛsandboxԽ • ιʔείʔυʹ409ߦͷՃ •
σʔλड͚͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍
·ͱΊ