Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
capsicum(論文輪講)
Search
bachi/yuzuhara
December 12, 2013
Technology
0
430
capsicum(論文輪講)
bachi/yuzuhara
December 12, 2013
Tweet
Share
More Decks by bachi/yuzuhara
See All by bachi/yuzuhara
セキュリティ・キャンプ2019 Z2. ELFマルウェア検知エンジンの試作 成果報告
yuzuhara
1
870
wrapup_z_2018.pdf
yuzuhara
0
400
セキュリティ・キャンプ2017 集中Zトラック成果報告
yuzuhara
0
1.4k
How to Survey for Research (system/w Security Fields)
yuzuhara
0
380
Linux Mode 2 Seccomp Tutorial
yuzuhara
1
7.1k
Other Decks in Technology
See All in Technology
AI時代、“平均値”ではいられない
uhyo
8
2k
OAuthからOIDCへ ― 認可の仕組みが認証に拡張されるまで
yamatai1212
0
160
AI時代におけるデータの重要性 ~データマネジメントの第一歩~
ryoichi_ota
0
710
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
14k
私のMCPの使い方
tsubakimoto_s
0
120
HonoとJSXを使って管理画面をサクッと型安全に作ろう
diggymo
0
160
ソースを読むプロセスの例
sat
PRO
15
9.7k
もう外には出ない。より快適なフルリモート環境を目指して
mottyzzz
11
8k
Digitization部 紹介資料
sansan33
PRO
1
5.6k
MCP ✖️ Apps SDKを触ってみた
hisuzuya
0
280
データ戦略部門 紹介資料
sansan33
PRO
1
3.8k
AI時代の開発を加速する組織づくり - ブログでは書けなかったリアル
hiro8ma
1
240
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Reflections from 52 weeks, 52 projects
jeffersonlam
353
21k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.7k
How to train your dragon (web standard)
notwaldorf
97
6.3k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
249
1.3M
Code Review Best Practice
trishagee
72
19k
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Done Done
chrislema
185
16k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Transcript
Capsicum : practical capabilities for UNIX จྠߨ @yuzuhara Robert
N. M. Waston University of Cambridge Jonathan Anderson University of Cambridge Ben Laurie Google UK Ltd. Kris Kennaway Google UK Ltd. 19th USENIX Security Symposium (2010)
Background • ϓϩάϥϜʹ੬ऑੑ͕͋ͬͯ߈ܸͷӨڹΛ࠷ খԽ͍ͨ͠ • Privilege Separation Compartmentalization • Open
SSHಛݖׂ(Privilege Separation) Google ChromiumCompartmentalizationʢִʁʣ • CompartmentalizationOSͷΞΫηε੍ޚΛۦ ࣮ͯ͠ݱ͞ΕΔ͕ɾɾɾ • Programmer͕͕ΜΒͳ͍ͱ͍͚ͳ͍ ˠOS͕ఏڙ͢ΔΞΫηε੍ޚγϯϓϧ͗͢Δ
Problems • Chromiumͷ۠ըԽɽɽɽ • ϓϩηεΛ͚DAC,MACΛۦͯ͠sandboxԽ • 1Process=1Userͩͱbrowser͕ͱͯͭͳ͍ݖݶΛͭ͜ͱ ʹͳΔͨΊʢηΩϡϦςΟ্ͷཧ༝ͰʣϓϩηεΛ͚Δ • ϓϩάϥϚͷෛ୲େ
• sandboxͷͨΊ͚ͩʹC++Ͱ22KLOCʢຊ͔ʁʣ • ͔͠sandboxΛൈ͚ग़͞Εͯ͠·͏͜ͱ • Sec.5Ͱઆ໌
Proposal • ޮΑ۠͘ըԽ͕ग़དྷΔϑϨʔϜϫʔΫΛఏҊ • Χʔωϧ࣮ʢ αϯυϘοΫεͱέʔύϏϦςΟʣ • Ϣʔβʔ࣮ʢAPI, runtimeʣ •
Unix Capability Capsicum Capabilityʹஔ͖͑Δ • طଘͷDAC,MACซ༻͢Δ͕࣮ࡍʹCapsicum͕ಛ ݖΛoverride͢Δ • DAC,MACɼಛݖׂ͢ΔͨΊʹػೳ͕ෆे • ͋͘·ͰγεςϜͷηΩϡϦςΟϙϦγΛద༻͢Δͷ
Capsicum Overview Kernel UNIX process ambient authority Browser process ambient
authority Renderer process capability mode Traditional UNIX application Capsicum logical application becomes
Capability based Access Controls • OS ͕࡞͢Δobjectʹର͢Δૢ࡞ݖݶ • ݖݶΛ͍࣋ͬͯͳ͚ΕobjectʹΞΫηεͰ͖ͳ͍ ProcessA
ProcessB Network Interface $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* $"1@/&5@"%.* ifup() ifup()
Design
• Capability mode ( extend kernel ) • ϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛ੍ݶ͢Δ •
ϓϩηεͷܧঝɾ௨৴ʹΑΔέʔύϏϦςΟͷ delegation • Capabilities ( replace API & capabilities ) • ϑΝΠϧσΟεΫϦϓλΛwrap͠ɼ Capsicum CapabilityΛؔ࿈͚Δ • దٓcapabilityΛ
Capability mode • ࢦఆͨ͠ϓϩηεΛsandboxԽ͢ΔsyscallͷՃ • cap_enter()ɹ˞ϑϥάΛཱͯΔ͚ͩ • ϓϩηεcap_enter()ޙʹglobal namespace͔Βִ ͞ΕΔ
• *atܥʢ૬ରύεʹΑΔϑΝΠϧૢ࡞ʣͷΈར༻Մೳ • global namespace = (PID, File paths, NFS file handle, File System ID, Protocol Address, System V IPC, POSIX IPC, Jail... ) ※sysctl30ݸexplicitʹڐՄɽ͋ͱdenied sysctl, shm_openಗ໊ϝϞϦΦϒδΣΫτ ͷΈ࡞Մೳ (Extended kernel)
Logical Application Capability Mode (cont.) • ʢྫʣfile paths namespaceͷ߹ ύε໊ϕʔεͰରͱͳΔϑΝΠϧΛࢦఆ
• Ҿʹઈରύεɼ”..” ΛؚΉͱ͖αϯυϘοΫε ͔Βग़ͳ͍͔νΣοΫ͢Δ • chrootΛൈ͚ΔςΫχοΫͰൈ͚ΒΕͳ͍ͨΊ / etc var apache passwd www site1 site2 worker1 worker2 apache
Capabilities • طଘͷϑΝΠϧσΟεΫϦϓλʹಠࣗͷΞΫη εϚεΫΛΈ߹Θ࣮ͤͯݱ • 60छྨͷέʔύϏϦςΟΛར༻Մೳ • ϝοηʔδύογϯάʢsend or receiveͷ2छ͔͠ݖݶ͕ແ
͍ʣͱMACʢڧ੍ΞΫηε੍ޚɼඦͷݖݶ͕͋Δʣͷؒ • sandboxͱϗετIPCΛͬͯ௨৴ • ݖݶΛ༩͢Δࡍlibcapsicumͱ͍͏ϥΠϒϥϦܦ༝ Ͱߦ͏ • έʔύϏϦςΟͷҕৡfdlistʢϑΝΠϧσΟεΫϦϓ λͷϦετʣͷड͚͠Ͱදݱ
Capabilities(cont’d) • File DescriptorΛwrap࣮ͯ͠ݱ • capabilityΛ࣋ͬͨΞΫηεʹ ಛఆͷσΟεΫϦϓλΛ௨ͨ͡ΞΫηε ... 8 ...
10 ... 12 struct file struct capability mask = READ | WRITE struct file struct capability mask = READ struct vnode (inode) struct file Process file descriptors
Implementation
Kernel Changes • ΞΫηεͷݕࠪfget(Χʔωϧ)ͷதͰߦ͏ • systemcall͝ͱʹϑοΫΑΓɼkernelͷfd->fileม ࣌ʹνΣοΫ͢Δํ͕౷ҰతʹݕࠪͰ͖Δ • nameiͰ໊લۭؒΛ۠ըԽ͢ΕΑ͍ɽ͓खܰ •
۠ըԽ͞ΕͨΞϓϦέʔγϣϯͰ workerͷཧ͕ࡶʹͳΔ -Implementation-
Runtime Environments • ϢʔβϥΠϒϥϦlibcapsicumʹΑΔαϯυϘοΫ εͷཧ • rtld-elf-capʢϦϯΧʣ • ϦϯΫ࣌ʹڞ༗ϥΠϒϥϦͳͲΛ໊લۭ͔ؒΒΓ͢ ʢfdʹมͯ͠fdͷϦετͰ͢ʣ
• ཧ༻IPCʢhost<->sandboxʣΛࣗಈతʹηοτΞοϓ -Implementation-
Runtime Environmentsʢcont’dʣ -Implementation- ϗετϓϩηε͕ αϯυϘοΫεԽ ϦϯΧ͕࡞ΔϥΠϒϥϦ ͷfdϦετΛ༻͍ͯɼ ໊લۭ͔ؒΒΓ͢ libcapsicumܦ༝Ͱ ݖݶΛ͍߹Θͤ
adapting Applications • tcpdump • gzip
tcpdump • tcpdumpҎԼͷ̏ͭͷػೳΛॱ൪ʹ࣮ߦ͢Δ 1. Barkley Packet FilterͷύλʔϯΛίϯύΠϧ 2. BPFσόΠεʢೖྗʣΛઃఆ 3.
औಘͨ͠ύέοτΛඪ४ग़ྗʹॻ͖ࠐΉϧʔϓ • 3ɽͰcap_enter()͠ɼαϯυϘοΫεԽ ʢ+2ߦͰ࣮ݱʣ ←↑1͔࣮͠ߦ͞Εͳ͍
tcpdump(cont’d) • sandboxingޙʹ৽ͨʹඞཁʹͳΔͷҎԼͷࡾͭ • ඪ४ग़ྗ/Τϥʔͷॻ͖ࠐΈ • ඪ४ೖྗ͔Βͷsignalड͚͚
gzip • ۠ըԽ͞Ε͍ͯͳ͍ΞϓϦέʔγϣϯ • chroot৽نͷUIDͩͱେ͛͞ʢಛݖ͕ඞཁʣ • ·ͣnatural fault linesΛܾΊΔ •
ίϚϯυҾΛड͚औΔϝΠϯϧʔϓ • Ҿ͔ΒϑΝΠϧΛࣝผ͢Δγʔέϯε • ѹॖϧʔνϯͷΠϯϓοτͱѹॖϑΝΠϧͷΞτ ϓοτʢˡ͜͜Λ۠ըԽʣ
gzip • libcapsicumΛ༻͍ͯ۠ըԽ • gz_compressͱgz_uncompress, unbunzip2ͦΕͧΕͷؔ ΛsandboxԽ • ιʔείʔυʹ409ߦͷՃ •
σʔλड͚͠ͷγϦΞϥΠζ/σγϦΞϥΠζ͕େ ͖͍
·ͱΊ