
capsicum (paper reading group)


bachi/yuzuhara

December 12, 2013


Transcript

  1. Capsicum: practical capabilities for UNIX (paper reading group) @yuzuhara
     Robert N. M. Watson, University of Cambridge; Jonathan Anderson, University of Cambridge; Ben Laurie, Google UK Ltd.; Kris Kennaway, Google UK Ltd. 19th USENIX Security Symposium (2010)
  2. Background
     • Even when a program has a vulnerability, we want to minimize the impact of an attack
     • Privilege separation and compartmentalization
     • OpenSSH uses privilege separation
     • Google Chromium uses compartmentalization (isolation?)
     • Compartmentalization is built by making heavy use of the OS's access controls, but...
     • the programmer has to do a lot of the work
     → The access controls the OS provides are too simple
  3. Proposal
     • Proposes a framework that allows efficient compartmentalization
     • Kernel implementation (sandbox and capabilities)
     • User-space implementation (API, runtime)
     • UNIX capabilities are replaced by Capsicum capabilities
     • Existing DAC and MAC remain in use, but in practice Capsicum overrides the privileges they grant
     • DAC and MAC do not offer enough to do privilege separation
     • They only apply the system-wide security policy
  4. Capsicum Overview
     (figure, from the paper: a traditional UNIX application is a single UNIX process on the kernel with ambient authority; under Capsicum a logical application becomes a browser process with ambient authority plus renderer processes running in capability mode)
  5. Capability-based access control
     • A capability is the right to perform operations on an object created by the OS
     • Without the right, the object cannot be accessed
     (figure: Process A and Process B calling ifup() on a Network Interface object through CAP_NET_ADMIN capabilities)
  6. • Capability mode (extends the kernel)
       • Restricts the system calls a process may issue
       • Capabilities are delegated through process inheritance and IPC
     • Capabilities (replace API & capabilities)
       • Wrap file descriptors and associate a Capsicum capability with each
       • As appropriate, capabilities ...
  7. Capability mode
     • Adds a system call that sandboxes the process that calls it
     • cap_enter()  ※ it only sets a flag
     • After cap_enter() the process is cut off from the global namespaces
     • Only the *at family (file operations by relative path) can be used
     • global namespaces = (PID, file paths, NFS file handles, file system IDs, protocol addresses, System V IPC, POSIX IPC, jails, ...)
     ※ sysctl: 30 entries are explicitly allowed and all others are denied; shm_open can only create anonymous memory objects (extended kernel)
  8. Capability mode (cont.)
     • (Example) the file-path namespace
       The target file is named by its path
     • Arguments containing an absolute path or ".." are checked so that the lookup cannot leave the sandbox
     • So the techniques for escaping a chroot cannot be used to get out
     (figure, from the paper: a directory tree with /, etc, passwd, var, www, site1, site2, and an apache process with worker1 and worker2)
  9. Capabilities
     • Implemented by combining an existing file descriptor with Capsicum's own access mask
     • Around 60 kinds of capability rights are available
     • Sits between message passing (only two rights, send or receive) and MAC (mandatory access control, with hundreds of rights)
     • Sandbox and host communicate over IPC
     • Rights are granted through a library called libcapsicum
     • Delegation of capabilities is expressed by passing an fdlist (a list of file descriptors)
  10. Capabilities (cont'd)
     • Implemented by wrapping file descriptors
     • Access with a capability means access through a specific descriptor
     (figure, from the paper: process file descriptors 8, 10 and 12; struct file objects wrapped by struct capability with mask = READ | WRITE and mask = READ; all resolving to one struct vnode (inode))
  11. tcpdump
     • tcpdump performs the following three functions in order:
       1. Compile the Berkeley Packet Filter pattern
       2. Configure the BPF device (input)
       3. Loop writing captured packets to standard output
     • cap_enter() is called at step 3, sandboxing the process (done with a 2-line change)
       ← ↑ executed only once
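The mechanism of slides 7 to 11, as a small user-space model added here (it is not the paper's code and not FreeBSD's implementation): a rights mask checked on every operation, the *at() lookup rule that rejects absolute paths and "..", and the tcpdump pattern of entering capability mode only after setup. Every name below is hypothetical and exists only in this file; the real calls are cap_enter(2) and the paper's cap_new(2), which FreeBSD 10 and later replaced with cap_rights_limit(2). The errno values ENOTCAPABLE and ECAPMODE are FreeBSD's; they are defined here so the model compiles on other hosts.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifndef ENOTCAPABLE          /* Capsicum's errno values, from FreeBSD errno.h */
#define ENOTCAPABLE 93
#define ECAPMODE    94
#endif
/* Three of the roughly 60 rights in the real mask. */
#define CAP_READ   0x1u
#define CAP_WRITE  0x2u
#define CAP_LOOKUP 0x4u   /* descriptor may be the base directory of an *at() lookup */
#define NFDS 16

/* Model of the paper's struct capability wrapping a struct file. */
struct model_cap { char name[64]; unsigned rights; int valid; };

static struct model_cap fdtable[NFDS];
static int in_capability_mode;   /* the per-process flag that cap_enter() sets */

static void model_reset(void) { memset(fdtable, 0, sizeof fdtable); in_capability_mode = 0; }

static int install(const char *name, unsigned rights)
{
    for (int fd = 3; fd < NFDS; fd++) {
        if (fdtable[fd].valid) continue;
        snprintf(fdtable[fd].name, sizeof fdtable[fd].name, "%s", name);
        fdtable[fd].rights = rights;
        fdtable[fd].valid = 1;
        return fd;
    }
    errno = EMFILE;
    return -1;
}

/* Every operation on a descriptor is checked against its rights mask. */
static int check(int fd, unsigned need)
{
    if (fd < 0 || fd >= NFDS || !fdtable[fd].valid) { errno = EBADF; return -1; }
    if ((fdtable[fd].rights & need) != need) { errno = ENOTCAPABLE; return -1; }
    return 0;
}

/* cap_enter(2): a one-way switch; from here on the global namespaces are gone. */
static int model_cap_enter(void) { in_capability_mode = 1; return 0; }

/* open(2) by global pathname is ambient authority: refused in capability mode. */
static int model_open(const char *path, unsigned rights)
{
    if (in_capability_mode) { errno = ECAPMODE; return -1; }
    return install(path, rights);
}

/* Lookup rule for *at() in capability mode: relative, with no ".." component,
 * so the lookup cannot climb out of the directory the capability denotes. */
static int cap_path_ok(const char *path)
{
    if (path[0] == '/') return 0;
    for (const char *p = path; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* openat(2) relative to a directory capability: needs CAP_LOOKUP on the base,
 * a safe path, and the new descriptor cannot carry rights the base lacks. */
static int model_openat(int dirfd, const char *rel, unsigned rights)
{
    if (check(dirfd, CAP_LOOKUP) < 0) return -1;
    if (!cap_path_ok(rel) || (rights & ~fdtable[dirfd].rights)) { errno = ENOTCAPABLE; return -1; }
    return install(rel, rights);
}

/* cap_new(2) in the paper (cap_rights_limit(2) on FreeBSD 10 and later): a copy
 * of fd holding a subset of its rights; a mask can only ever be narrowed. */
static int model_cap_new(int fd, unsigned rights)
{
    if (check(fd, rights) < 0) return -1;
    return install(fdtable[fd].name, rights);
}

static int model_read(int fd)  { return check(fd, CAP_READ); }
static int model_write(int fd) { return check(fd, CAP_WRITE); }

/* Slide 11's tcpdump shape: set up under ambient authority, cap_enter(), then the
 * capture loop uses only descriptors it already holds. Returns 0 when the loop
 * ran; *escaped records whether a later open() of a global path got through. */
static int tcpdump_like(int *escaped)
{
    model_reset();
    int bpf = model_open("/dev/bpf0", CAP_READ);   /* step 2: the BPF device */
    int out = model_open("<stdout>", CAP_WRITE);
    if (bpf < 0 || out < 0) return -1;
    model_cap_enter();                             /* the "+2 lines" */
    for (int i = 0; i < 3; i++)                    /* step 3: capture loop */
        if (model_read(bpf) < 0 || model_write(out) < 0) return -1;
    *escaped = model_open("/etc/passwd", CAP_READ) >= 0;
    return 0;
}
```

The point the model makes is the one the slides make: after model_cap_enter() the process can no longer reach anything by global name, but model_openat() through a directory capability it already holds keeps working, and no derived descriptor can carry a right that its parent lacks. In a real program the same ordering applies: open every device, socket and output file first, then call cap_enter(2), then narrow each held descriptor with cap_rights_limit(2).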
  12. gzip
     • An application that has not been compartmentalized
     • chroot or a fresh UID would be heavy-handed (they require privilege)
     • First decide the natural fault lines:
       • the main loop that receives the command-line arguments
       • the sequence that identifies files etc. from the arguments
       • the input to the compression routine and the output of the compressed file (← compartmentalize this part)