Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
capsicum(論文輪講)
Search
bachi/yuzuhara
December 12, 2013
Technology
0
430
capsicum(論文輪講)
bachi/yuzuhara
December 12, 2013
Tweet
Share
More Decks by bachi/yuzuhara
See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
870
wrapup_z_2018.pdf
yuzuhara
0
400
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.4k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
380
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
7.1k
Other Decks in Technology
See All in Technology
Adminaで実現するISMS/SOC2運用の効率化 〜 アカウント管理編 〜
shonansurvivors
4
440
ACA でMAGI システムを社内で展開しようとした話
mappie_kochi
1
320
Vibe Coding Year in Review. From Karpathy to Real-World Agents by Niels Rolland, CEO Paatch
vcoisne
0
130
プロダクトのコードから見るGoによるデザインパターンの実践 #go_night_talk
bengo4com
1
2.5k
[Codex Meetup Japan #1] Codex-Powered Mobile Apps Development
korodroid
2
510
リーダーになったら未来を語れるようになろう/Speak the Future
sanogemaru
0
390
プロポーザルのコツ ~ Kaigi on Rails 2025 初参加で3名の登壇を実現 ~
naro143
1
220
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
sansan_randd
0
140
M5製品で作るポン置きセルラー対応カメラ
sayacom
0
180
『OCI で学ぶクラウドネイティブ 実践 × 理論ガイド』 書籍概要
oracle4engineer
PRO
3
210
AIAgentの限界を超え、 現場を動かすWorkflowAgentの設計と実践
miyatakoji
1
170
大規模サーバーレスAPIの堅牢性・信頼性設計 〜AWSのベストプラクティスから始まる現実的制約との向き合い方〜
maimyyym
9
4.4k
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Unsuck your backbone
ammeep
671
58k
Scaling GitHub
holman
463
140k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Large-scale JavaScript Application Architecture
addyosmani
514
110k
How GitHub (no longer) Works
holman
315
140k
Making Projects Easy
brettharned
119
6.4k
Thoughts on Productivity
jonyablonski
70
4.9k
Balancing Empowerment & Direction
lara
4
690
Art, The Web, and Tiny UX
lynnandtonic
303
21k
The Art of Programming - Codeland 2020
erikaheidi
56
14k
KATA
mclloyd
32
15k
Transcript
Capsicum : practical capabilities for UNIX จྠߨ @yuzuhara Robert
N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)
Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation Compartmentalization • Open
SSHಛݖׂ(Privilege Separation) Google ChromiumCompartmentalizationʢִʁʣ • CompartmentalizationOSͷΞΫηε੍ޚΛۦ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕ΜΒͳ͍ͱ͍͚ͳ͍ ˠOS͕ఏڙ͢ΔΞΫηε੍ޚγϯϓϧ͗͢Δ
Problems • Chromiumͷ۠ըԽɽɽɽ • ϓϩηεΛ͚DAC,MACΛۦͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭͳ͍ݖݶΛͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ͚Δ • ϓϩάϥϚͷෛ୲େ
• sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ͔ʁʣ • ͔͠sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ • Sec.5Ͱઆ໌
Proposal • ޮΑ۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮ʢAPI, runtimeʣ •
Unix Capability Capsicum Capabilityʹஔ͖͑Δ • طଘͷDAC,MACซ༻͢Δ͕࣮ࡍʹCapsicum͕ಛ ݖΛoverride͢Δ • DAC,MACɼಛݖׂ͢ΔͨΊʹػೳ͕ෆे • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δͷ
Capsicum Overview Kernel UNIX process ambient authority Browser process ambient
authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes
Capability based Access Controls • OS ͕࡞͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚ΕobjectʹΞΫηεͰ͖ͳ͍ ProcessA
ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* ifup() ifup()
Design
• Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •
ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ Capsicum CapabilityΛؔ࿈͚Δ • దٓcapabilityΛ
Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢ΔsyscallͷՃ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηεcap_enter()ޙʹglobal namespace͔Βִ ͞ΕΔ
• *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl30ݸexplicitʹڐՄɽ͋ͱdenied sysctl, shm_openಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞Մೳ (Extended kernel)
Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ߹ ύε໊ϕʔεͰରͱͳΔϑΝΠϧΛࢦఆ
• Ҿʹઈରύεɼ”..” ΛؚΉͱ͖αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache
Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛΈ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετIPCΛͬͯ௨৴ • ݖݶΛ༩͢Δࡍlibcapsicumͱ͍͏ϥΠϒϥϦܦ༝ Ͱߦ͏ • έʔύϏϦςΟͷҕৡfdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚͠Ͱදݱ
Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...
10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors
Implementation
Kernel Changes • ΞΫηεͷݕࠪfget(Χʔωϧ)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓɼkernelͷfd->fileม ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢ΕΑ͍ɽ͓खܰ •
۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ workerͷཧ͕ࡶʹͳΔ -Implementation-
Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒΓ͢ ʢfdʹมͯ͠fdͷϦετͰ͢ʣ
• ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-
Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒΓ͢ libcapsicumܦ༝Ͱ ݖݶΛ͍߹Θͤ
adapting Applications • tcpdump • gzip
tcpdump • tcpdumpҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.
औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ ʢ+2ߦͰ࣮ݱʣ ←↑1͔࣮͠ߦ͞Εͳ͍
tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚͚
gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •
ίϚϯυҾΛड͚औΔϝΠϯϧʔϓ • Ҿ͔ΒϑΝΠϧΛࣝผ͢Δγʔέϯε • ѹॖϧʔνϯͷΠϯϓοτͱѹॖϑΝΠϧͷΞτ ϓοτʢˡ͜͜Λ۠ըԽʣ
gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ ΛsandboxԽ • ιʔείʔυʹ409ߦͷՃ •
σʔλड͚͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍
·ͱΊ