capsicum(論文輪講)

Transcript

1. Capsicum :
   practical capabilities for UNIX ࿦จྠߨ @yuzuhara Robert

   N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)

2. Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ΋߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation ΍Compartmentalization • Open

   SSH͸ಛݖ෼ׂ(Privilege Separation)
 Google Chromium͸Compartmentalizationʢִ཭ʁʣ • Compartmentalization͸OSͷΞΫηε੍ޚΛۦ࢖ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕Μ͹Βͳ͍ͱ͍͚ͳ͍
 ˠOS͕ఏڙ͢ΔΞΫηε੍ޚ͸γϯϓϧ͗͢Δ

3. Problems • Chromiumͷ۠ըԽ͸ɽɽɽ • ϓϩηεΛ෼͚DAC,MACΛۦ࢖ͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭ΋ͳ͍ݖݶΛ΋ͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ෼͚Δ • ϓϩάϥϚͷෛ୲େ

   • sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ౰͔ʁʣ • ͔͠΋sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ΋ • Sec.5Ͱઆ໌

4. Proposal • ޮ཰Α۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮૷ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮૷ʢAPI, runtimeʣ •

   Unix Capability ͸Capsicum Capabilityʹஔ͖׵͑Δ • طଘͷDAC,MAC͸ซ༻͢Δ͕࣮ࡍʹ͸Capsicum͕ಛ ݖΛoverride͢Δ • DAC,MAC͸ɼಛݖ෼ׂ͢ΔͨΊʹ͸ػೳ͕ෆे෼ • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δ΋ͷ

5. Capsicum Overview Kernel UNIX process ambient authority Browser process ambient

   authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes

6. Capability based Access Controls • OS ͕࡞੒͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚Ε͹objectʹΞΫηεͰ͖ͳ͍ ProcessA

   ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.*    ifup() ifup()

7. Design

8. • Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •

   ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ
 Capsicum CapabilityΛؔ࿈෇͚Δ • దٓcapabilityΛ

9. Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢Δsyscallͷ௥Ճ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηε͸cap_enter()ޙʹglobal namespace͔Βִ཭ ͞ΕΔ

   • *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl͸30ݸexplicitʹڐՄɽ͋ͱ͸denied sysctl, shm_open͸ಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞੒Մೳ (Extended kernel)

10. Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ৔߹
 ύε໊ϕʔεͰର৅ͱͳΔϑΝΠϧΛࢦఆ

    • Ҿ਺ʹઈରύε΍ɼ”..” ΛؚΉͱ͖͸αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache

11. Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛ૊Έ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ

    ͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼ਺ඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετ͸IPCΛ࢖ͬͯ௨৴ • ݖݶΛ෇༩͢Δࡍ͸libcapsicumͱ͍͏ϥΠϒϥϦܦ༝
 Ͱߦ͏ • έʔύϏϦςΟͷҕৡ͸fdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚౉͠Ͱදݱ

12. Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ
 ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...

    10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors

13. Implementation

14. Kernel Changes • ΞΫηεͷݕࠪ͸fget(Χʔωϧ಺)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓ΋ɼkernel಺ͷfd->fileม׵ ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢Ε͹Α͍ɽ͓खܰ •

    ۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ͸
 workerͷ؅ཧ౳͕൥ࡶʹͳΔ
 -Implementation-

15. Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷ؅ཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒ੾Γ཭͢
 ʢfdʹม׵ͯ͠fdͷϦετͰ౉͢ʣ


    • ؅ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-

16. Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒ੾Γ཭͢ libcapsicumܦ༝Ͱ ݖݶΛ໰͍߹Θͤ

17. adapting Applications • tcpdump • gzip

18. tcpdump • tcpdump͸ҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.

    औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ
 ʢ+2ߦͰ࣮ݱʣ ←↑1౓͔࣮͠ߦ͞Εͳ͍

19. tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷ͸ҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔ΁ͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚෇͚

20. gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot΍৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •

    ίϚϯυҾ਺Λड͚औΔϝΠϯϧʔϓ • Ҿ਺͔ΒϑΝΠϧ౳Λࣝผ͢Δγʔέϯε • ѹॖϧʔνϯ΁ͷΠϯϓοτͱѹॖϑΝΠϧͷΞ΢τ ϓοτʢˡ͜͜Λ۠ըԽʣ

21. gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ਺ ΛsandboxԽ • ιʔείʔυʹ409ߦͷ௥Ճ •

    σʔλड͚౉͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍

22. ·ͱΊ