Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
capsicum(論文輪講)
Search
bachi/yuzuhara
December 12, 2013
Technology
0
410
capsicum(論文輪講)
bachi/yuzuhara
December 12, 2013
Tweet
Share
More Decks by bachi/yuzuhara
See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
860
wrapup_z_2018.pdf
yuzuhara
0
390
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.4k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
370
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
7k
Other Decks in Technology
See All in Technology
セキュリティの民主化は何故必要なのか_AWS WAF 運用の 10 の苦悩から学ぶ
yoh
1
140
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
mizunori
1
210
SalesforceArchitectGroupOsaka#20_CNX'25_Report
atomica7sei
0
170
2025-06-26_Lightning_Talk_for_Lightning_Talks
_hashimo2
2
100
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
lycorptech_jp
PRO
0
120
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
26k
rubygem開発で鍛える設計力
joker1007
2
200
Welcome to the LLM Club
koic
0
170
生成AI時代 文字コードを学ぶ意義を見出せるか?
hrsued
1
300
エンジニア向け技術スタック情報
kauche
1
250
Observability в PHP без боли. Олег Мифле, тимлид Altenar
lamodatech
0
340
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
2
210
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.5k
How to Ace a Technical Interview
jacobian
277
23k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
BBQ
matthewcrist
89
9.7k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Building Applications with DynamoDB
mza
95
6.5k
Code Review Best Practice
trishagee
68
18k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Transcript
Capsicum : practical capabilities for UNIX จྠߨ @yuzuhara Robert
N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)
Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation Compartmentalization • Open
SSHಛݖׂ(Privilege Separation) Google ChromiumCompartmentalizationʢִʁʣ • CompartmentalizationOSͷΞΫηε੍ޚΛۦ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕ΜΒͳ͍ͱ͍͚ͳ͍ ˠOS͕ఏڙ͢ΔΞΫηε੍ޚγϯϓϧ͗͢Δ
Problems • Chromiumͷ۠ըԽɽɽɽ • ϓϩηεΛ͚DAC,MACΛۦͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭͳ͍ݖݶΛͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ͚Δ • ϓϩάϥϚͷෛ୲େ
• sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ͔ʁʣ • ͔͠sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ • Sec.5Ͱઆ໌
Proposal • ޮΑ۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮ʢAPI, runtimeʣ •
Unix Capability Capsicum Capabilityʹஔ͖͑Δ • طଘͷDAC,MACซ༻͢Δ͕࣮ࡍʹCapsicum͕ಛ ݖΛoverride͢Δ • DAC,MACɼಛݖׂ͢ΔͨΊʹػೳ͕ෆे • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δͷ
Capsicum Overview Kernel UNIX process ambient authority Browser process ambient
authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes
Capability based Access Controls • OS ͕࡞͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚ΕobjectʹΞΫηεͰ͖ͳ͍ ProcessA
ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* ifup() ifup()
Design
• Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •
ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ Capsicum CapabilityΛؔ࿈͚Δ • దٓcapabilityΛ
Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢ΔsyscallͷՃ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηεcap_enter()ޙʹglobal namespace͔Βִ ͞ΕΔ
• *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl30ݸexplicitʹڐՄɽ͋ͱdenied sysctl, shm_openಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞Մೳ (Extended kernel)
Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ߹ ύε໊ϕʔεͰରͱͳΔϑΝΠϧΛࢦఆ
• Ҿʹઈରύεɼ”..” ΛؚΉͱ͖αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache
Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛΈ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετIPCΛͬͯ௨৴ • ݖݶΛ༩͢Δࡍlibcapsicumͱ͍͏ϥΠϒϥϦܦ༝ Ͱߦ͏ • έʔύϏϦςΟͷҕৡfdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚͠Ͱදݱ
Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...
10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors
Implementation
Kernel Changes • ΞΫηεͷݕࠪfget(Χʔωϧ)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓɼkernelͷfd->fileม ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢ΕΑ͍ɽ͓खܰ •
۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ workerͷཧ͕ࡶʹͳΔ -Implementation-
Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒΓ͢ ʢfdʹมͯ͠fdͷϦετͰ͢ʣ
• ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-
Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒΓ͢ libcapsicumܦ༝Ͱ ݖݶΛ͍߹Θͤ
adapting Applications • tcpdump • gzip
tcpdump • tcpdumpҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.
औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ ʢ+2ߦͰ࣮ݱʣ ←↑1͔࣮͠ߦ͞Εͳ͍
tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚͚
gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •
ίϚϯυҾΛड͚औΔϝΠϯϧʔϓ • Ҿ͔ΒϑΝΠϧΛࣝผ͢Δγʔέϯε • ѹॖϧʔνϯͷΠϯϓοτͱѹॖϑΝΠϧͷΞτ ϓοτʢˡ͜͜Λ۠ըԽʣ
gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ ΛsandboxԽ • ιʔείʔυʹ409ߦͷՃ •
σʔλड͚͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍
·ͱΊ