
Linux Mode 2 Seccomp Tutorial


The presentation introduces Linux mode 2 seccomp.


bachi/yuzuhara

December 12, 2013

Transcript

  1. Linux Seccomp Tutorial (H25.08.11). Security Camp 2013, System Software Seminar supplementary material. Footer on every slide: Monday, August 12, 2013

  2. What is seccomp?
     • Formally called "Secure computing mode": a kernel mechanism that supports sandboxing a process
     • The process voluntarily gives up its right to issue system calls
     • When do you use it? You set it up when the process is about to handle suspicious data
     • After that, the system calls the process can issue are severely restricted, so even if the process is taken over it can hardly do anything

  3. Mode 1 seccomp
     • A system call filter merged in Linux kernel 2.6.12
     • Once a process calls prctl_set_seccomp(), from then on it can only issue the following system calls: read(), write(), exit(), sigreturn()
     • fork() and execve() are unavailable, so even when attacked the process can do almost nothing!
     [Figure: a process in secure computing mode, with fork() and read() shown]

  4. Mode 2 seccomp
     • A mechanism merged in Linux kernel 3.5 that replaces Mode 1 seccomp
     • Unlike Mode 1, arbitrary system calls can be allowed
     • Built on the Berkeley Packet Filter, so system calls can be filtered at high speed
     • For this reason it is often called seccomp-bpf
     • Incidentally, Fedora calls it "syscall filter"
     • The naming is inconsistent: "seccomp 2", "seccomp mode 2", and so on ( ꒪⌓꒪)

  5. Built on the Berkeley Packet Filter (bpf)...
     • The history and internals of bpf are omitted here
     • Characteristics: to filter packets efficiently, an execution engine specialised for filtering rules runs in the kernel (you could call it a VM)
     • Frighteningly, it supports JIT (inside the kernel!)
     • As a result it is fairly complex
     Mode 2 seccomp filters system calls using this bpf, so you cannot use it without some knowledge of bpf

  6. Applications of mode 2 seccomp
     • Google Chromium
     • Usable from Ubuntu 12.04 (the kernel is 3.2, but the feature is backported)
     • vsftpd apparently uses mode 2 seccomp from version 3.0.0
     Note: both of these sandbox processes, and both were already split into separate processes by role or by user

  7. Process separation + mode 2 seccomp = unbeatable!

  8. Using simple seccomp filters
     • However, at present it is quite hard to use well
     • Because it drives bpf in a rather forced way
     • The dependencies are complicated; bpf was never designed with this use in mind
     • See the URL below (it is not simple at all..): http://outflux.net/teach-seccomp/

  9. libseccomp Tutorial

  10. Preparing for sandboxing
     • The part that "executes" or "interprets" suspicious data or scripts is the most vulnerable
     • Merely reading data as a byte string is not that dangerous
     • Design the program so that this part can be sandboxed cleanly

  11. Main mission: Securing mruby
     • Let's build a framework that can run mruby securely
     • Using this framework, design and implement an original application that looks like it benefits from "compartmentalization"
     [Figure: master process and mruby process connected by IPC; the mruby process is sandboxed by mode 2 seccomp; mruby code (string) goes in, result (char[]) comes back]

  12. Process separation
     • Data is exchanged through a pipe
     • fork() the part that runs mruby
     • For now, this means it is fine even if mruby runs wild ✌('ω'✌ )三 ✌('ω')✌三( ✌'ω')✌
     • Even if the child process runs wild or crashes, the parent survives

  13. Sandboxing
     • After fork(), the child sandboxes itself
     • Initialise with seccomp_init(SCMP_ACT_KILL);
     • Specify the system calls to allow, one by one, with seccomp_rule_add();
     • seccomp_load(); completes the setup
     • seccomp_release(); lets go of all unneeded privileges → sandboxed!

  14. Samples
     • seccamp2013_sandbox/samples/libseccomp_base.c: an example where system calls become unavailable
     • seccamp2013_sandbox/samples/libseccomp_sample.c: an example that allows a few system calls
     • read and write can also be allowed only for a specified file descriptor
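The fork-and-sandbox flow of slides 12 to 14, as an added example that is not part of the deck or its seccamp2013_sandbox samples: the same allow-list (kill by default, read and write only on the pipe descriptors, exit_group) is installed as raw BPF through prctl(2), which is what libseccomp builds from seccomp_init(SCMP_ACT_KILL), seccomp_rule_add() and seccomp_load(), so the jump table shows what "filtering system calls with bpf" means. It assumes an x86_64 Linux host, and the descriptor comparison reads only the low 32 bits of args[0].

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86_64 host; AUDIT_ARCH_AARCH64 on arm64 */
/* Raw-BPF form of slides 13-14: kill by default; allow read on in_fd, write on out_fd, exit_group */
static int install_filter(int in_fd, int out_fd) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),          /* other ABI: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 6, 0),  /* jump to ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 0, 2),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)in_fd, 3, 4),  /* low 32 bits of fd */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)out_fd, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;   /* required for unprivileged use */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) < 0 ? -1 : 0;
}
/* Master side of slide 12: a forked worker on two pipes sandboxes itself and echoes the request;
 * returns the worker's exit status, or -signal when the filter killed it */
int run_sandboxed(const char *request, char *reply, size_t len, int call_forbidden) {
    int in[2], out[2], status;
    if (pipe(in) < 0 || pipe(out) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                /* worker: install the filter, then work */
        if (install_filter(in[0], out[1]) < 0) _exit(2);
        if (call_forbidden) getpid();              /* not allow-listed: dies with SIGSYS */
        ssize_t n = read(in[0], reply, len);
        _exit(n > 0 && write(out[1], reply, (size_t)n) == n ? 0 : 3);
    }
    close(out[1]);                                 /* else read() never sees EOF after a kill */
    if (pid < 0 || write(in[1], request, strlen(request)) < 0) return -1;
    ssize_t n = read(out[0], reply, len - 1);
    reply[n > 0 ? n : 0] = '\0';
    return waitpid(pid, &status, 0) < 0 ? -1 : WIFEXITED(status) ? WEXITSTATUS(status) : -WTERMSIG(status);
}
```

Two things to keep when adapting this: the filter is in force from the PR_SET_SECCOMP call onward (seccomp_load() in the libseccomp version; a later seccomp_release() only frees the library's context, the kernel keeps the filter), and the architecture check must stay, because without it the same filter would be applied to syscall numbers from a different ABI.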
  15. The end
     • Welcome to the sandbox swamp!