Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
capsicum(論文輪講)
Search
bachi/yuzuhara
December 12, 2013
Technology
0
410
capsicum(論文輪講)
bachi/yuzuhara
December 12, 2013
Tweet
Share
More Decks by bachi/yuzuhara
See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
860
wrapup_z_2018.pdf
yuzuhara
0
390
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.4k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
370
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
7k
Other Decks in Technology
See All in Technology
Fabric + Databricks 2025.6 の最新情報ピックアップ
ryomaru0825
1
130
Wasm元年
askua
0
130
Model Mondays S2E02: Model Context Protocol
nitya
0
220
データプラットフォーム技術におけるメダリオンアーキテクチャという考え方/DataPlatformWithMedallionArchitecture
smdmts
5
620
Абьюзим random_bytes(). Фёдор Кулаков, разработчик Lamoda Tech
lamodatech
0
330
Node-RED × MCP 勉強会 vol.1
1ftseabass
PRO
0
140
Uniadex__公開版_20250617-AIxIoTビジネス共創ラボ_ツナガルチカラ_.pdf
iotcomjpadmin
0
160
監視のこれまでとこれから/sakura monitoring seminar 2025
fujiwara3
11
3.8k
第9回情シス転職ミートアップ_テックタッチ株式会社
forester3003
0
220
Microsoft Build 2025 技術/製品動向 for Microsoft Startup Tech Community
torumakabe
2
250
急成長を支える基盤作り〜地道な改善からコツコツと〜 #cre_meetup
stefafafan
0
120
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
yamitzky
0
420
Featured
See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Code Review Best Practice
trishagee
68
18k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.8k
Balancing Empowerment & Direction
lara
1
360
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Navigating Team Friction
lara
187
15k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Optimizing for Happiness
mojombo
379
70k
Transcript
Capsicum : practical capabilities for UNIX จྠߨ @yuzuhara Robert
N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)
Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation Compartmentalization • Open
SSHಛݖׂ(Privilege Separation) Google ChromiumCompartmentalizationʢִʁʣ • CompartmentalizationOSͷΞΫηε੍ޚΛۦ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕ΜΒͳ͍ͱ͍͚ͳ͍ ˠOS͕ఏڙ͢ΔΞΫηε੍ޚγϯϓϧ͗͢Δ
Problems • Chromiumͷ۠ըԽɽɽɽ • ϓϩηεΛ͚DAC,MACΛۦͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭͳ͍ݖݶΛͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ͚Δ • ϓϩάϥϚͷෛ୲େ
• sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ͔ʁʣ • ͔͠sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ • Sec.5Ͱઆ໌
Proposal • ޮΑ۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮ʢAPI, runtimeʣ •
Unix Capability Capsicum Capabilityʹஔ͖͑Δ • طଘͷDAC,MACซ༻͢Δ͕࣮ࡍʹCapsicum͕ಛ ݖΛoverride͢Δ • DAC,MACɼಛݖׂ͢ΔͨΊʹػೳ͕ෆे • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δͷ
Capsicum Overview Kernel UNIX process ambient authority Browser process ambient
authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes
Capability based Access Controls • OS ͕࡞͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚ΕobjectʹΞΫηεͰ͖ͳ͍ ProcessA
ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* ifup() ifup()
Design
• Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •
ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ Capsicum CapabilityΛؔ࿈͚Δ • దٓcapabilityΛ
Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢ΔsyscallͷՃ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηεcap_enter()ޙʹglobal namespace͔Βִ ͞ΕΔ
• *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl30ݸexplicitʹڐՄɽ͋ͱdenied sysctl, shm_openಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞Մೳ (Extended kernel)
Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ߹ ύε໊ϕʔεͰରͱͳΔϑΝΠϧΛࢦఆ
• Ҿʹઈରύεɼ”..” ΛؚΉͱ͖αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache
Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛΈ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετIPCΛͬͯ௨৴ • ݖݶΛ༩͢Δࡍlibcapsicumͱ͍͏ϥΠϒϥϦܦ༝ Ͱߦ͏ • έʔύϏϦςΟͷҕৡfdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚͠Ͱදݱ
Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...
10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors
Implementation
Kernel Changes • ΞΫηεͷݕࠪfget(Χʔωϧ)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓɼkernelͷfd->fileม ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢ΕΑ͍ɽ͓खܰ •
۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ workerͷཧ͕ࡶʹͳΔ -Implementation-
Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒΓ͢ ʢfdʹมͯ͠fdͷϦετͰ͢ʣ
• ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-
Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒΓ͢ libcapsicumܦ༝Ͱ ݖݶΛ͍߹Θͤ
adapting Applications • tcpdump • gzip
tcpdump • tcpdumpҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.
औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ ʢ+2ߦͰ࣮ݱʣ ←↑1͔࣮͠ߦ͞Εͳ͍
tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚͚
gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •
ίϚϯυҾΛड͚औΔϝΠϯϧʔϓ • Ҿ͔ΒϑΝΠϧΛࣝผ͢Δγʔέϯε • ѹॖϧʔνϯͷΠϯϓοτͱѹॖϑΝΠϧͷΞτ ϓοτʢˡ͜͜Λ۠ըԽʣ
gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ ΛsandboxԽ • ιʔείʔυʹ409ߦͷՃ •
σʔλड͚͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍
·ͱΊ