CAPSICUM: Practical capabilities for UNIX, 19th USENIX Security Symposium (PowerPoint presentation transcript)


  1. CAPSICUM: Practical capabilities for UNIX. 19th USENIX Security Symposium, 11 August 2010, Washington, DC. Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway. Google UK Ltd, FreeBSD Project, University of Cambridge.

  2. Introduction: Capsicum, a hybrid UNIX/capability operating system; requirements of complex, security-aware applications; why MAC isn't quite what we want; Capsicum's capability mode and capabilities; interactions between applications and sandboxing; building on Capsicum.

  3. Paradigm shift ... change is coming here: Multi-user machines → multi-machine users. "Applications" frame competing interests. Thin client: one point of confluence. DAC/MAC-centric access control → sandboxing. Application security rather than OS security. Primitives for mapping distributed to local security domains.

  4. CVEs in Jan-Aug 2009: Firefox 85, Safari 59, IE 48, Chrome 39, Flash 35 (source: Justin Foster, OWASP).

  5. Microkernels to compartmentalisation: [Diagram, 1980's: a monolithic OS kernel containing VFS, Net, ... with bash and emacs above it, versus an OS microkernel with VFS, Net, bash, emacs, ... as separate components]

  6. Microkernels to compartmentalisation: [Diagram, 1980's: a monolithic OS kernel containing VFS, Net, ... with bash and emacs above it, versus an OS microkernel with VFS, Net, bash, emacs, ... as separate components. 2000's: an OS kernel running sshd, whose crypto/compress and SSH session components are shown first inside one sshd process and then as separate compartments]

  7. What about MAC? Type Enforcement (TE) versus what we need:
     Interests of: TE, the administrator; what we need, the user or application.
     Sandbox creation: TE, administrator modifies global policy using privilege; what we need, on demand without privilege.
     Policy source: TE, access control rules in global policy files; what we need, embedded in applications, from the UI.

  10. Application-driven rights delegation: [Diagram: a file system tree with / containing etc (passwd) and var (apache, www with site1 and site2); the Apache logical application, with Apache Worker 1 and Apache Worker 2 each delegated rights to its own subtree]

  11. Capability systems A capability is an unforgeable token of authority. Supports delegation-centric access control.

  12. Where to start? Production monolithic systems (UNIX, Linux, Windows, Mac OS X): ✗ monolithic kernel security model, ✓ real application stack today. Research capability systems (EROS (CapROS), Coyotos): ✓ least privilege design, ✗ no extant application stack. Hybrid approach: immediate security benefits with a long-term capability system vision.

  13. Logical applications in Capsicum: [Diagram: a traditional UNIX application is a single UNIX process with ambient authority; a Capsicum logical application is a browser process with ambient authority plus renderer processes running in capability mode, all above the kernel. Ambient authority becomes capability mode in the renderer processes.]

  14. Capability mode: New system call cap_enter sets an inherited credential flag. Global OS name spaces restricted: only delegated rights available. Interface thinning and other constraints on ambient authority. [Diagram: the name-space system calls (lookup(), fexecve, ...) filtered out of the set of capability mode system calls]

  15. Capabilities: [Diagram: process file descriptors (8, 10, 14) referring to struct capability objects (mask = READ; mask = READ | WRITE), each of which refers to a struct file and on to the vnode] Capabilities refine open flags on file descriptors. cap_new on a capability further restricts access; no chains. Inherited across fork / exec or passed via sockets. Directory capabilities allow subtree delegation.

  16. Possible application: [Diagram: Setup (read user input, open files, prepare work loop) followed by Work (do work, read/write on files)]

  17. System call API: [Diagram: Setup, under ambient authority (read user input, open files, prepare work loop); then cap_enter; then Work, in capability mode (do work, read/write on files)]

  18. Interactive applications: [Diagram: Setup (read user input, open files, prepare work loop) followed by Work (do work, read/write on files)]

  19. libcapsicum API: [Diagram: Setup, under ambient authority (read user input, open files, prepare work loop), then lc_start; Work, in capability mode (do work, read/write on files). The ambient-authority side keeps "read user input" and "open files" after lc_start.]
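The descriptor and rights rules from slides 15 and 17, as a user-space model added here for illustration: this is not the Capsicum authors' code and not FreeBSD's real API (the model_* functions, the rights bits and the error values are this example's own). It shows that a derived capability can only shrink the rights mask and still refers to the same underlying file, that path lookup is refused after entering capability mode, and the tcpdump-style setup/limit/enter/work sequence.

```c
/* Added example: not the Capsicum authors' code and not FreeBSD's real API, but a
 * user-space model of the slide 15/17 rules that builds without sys/capsicum.h.
 * The model_* names, rights bits and error values are this example's own. */
#include <string.h>
enum { R_READ = 1, R_WRITE = 2, R_SEEK = 4, R_FSTAT = 8 };   /* toy rights mask bits    */
enum { E_CAPMODE = -1, E_NOTCAPABLE = -2, E_BADF = -3 };      /* toy errno-style results */
#define MAXFD 16
struct file { const char *path; };                            /* the underlying object   */
struct capability { struct file *f; int rights; int used; };  /* refers to the file, never to another capability */
static struct file files[MAXFD]; static struct capability fdtab[MAXFD];  /* per-process descriptor table */
static int in_capmode;                                        /* credential flag set by cap_enter */

void model_reset(void) { memset(files, 0, sizeof files); memset(fdtab, 0, sizeof fdtab); in_capmode = 0; }
static int valid(int fd) { return fd >= 0 && fd < MAXFD && fdtab[fd].used; }
static int alloc_fd(struct file *f, int rights) {
    for (int fd = 0; fd < MAXFD; fd++)
        if (!fdtab[fd].used) { fdtab[fd] = (struct capability){ f, rights, 1 }; return fd; }
    return E_BADF;
}
/* open by path is a global name-space lookup: refused once in capability mode */
int model_open(const char *path, int rights) {
    if (in_capmode) return E_CAPMODE;
    int fd = alloc_fd(NULL, rights);
    if (fd < 0) return fd;
    files[fd].path = path; fdtab[fd].f = &files[fd];           /* ambient authority: fresh struct file */
    return fd;
}
/* cap_new: new descriptor on the SAME struct file with a subset of the rights (no chains) */
int model_cap_new(int fd, int rights) {
    if (!valid(fd)) return E_BADF;
    if (rights & ~fdtab[fd].rights) return E_NOTCAPABLE;     /* may refine, never widen */
    return alloc_fd(fdtab[fd].f, rights);
}
int model_cap_enter(void) { in_capmode = 1; return 0; }      /* one way: there is no cap_exit */
/* every operation is checked against the capability mask, not the original open flags */
int model_write(int fd) { return !valid(fd) ? E_BADF : (fdtab[fd].rights & R_WRITE) ? 0 : E_NOTCAPABLE; }
int model_same_file(int a, int b) { return valid(a) && valid(b) && fdtab[a].f == fdtab[b].f; }

/* Slide 17 structure, tcpdump style: set up with ambient authority, limit the descriptors
 * the work loop needs, cap_enter, then work only through them. 0 = all rules held. */
int model_tcpdump_like(void) {
    model_reset();
    int out = model_open("/tmp/capture.pcap", R_READ | R_WRITE | R_SEEK | R_FSTAT);
    int outcap = model_cap_new(out, R_FSTAT | R_SEEK | R_WRITE); /* cf. lc_limitfd(STDOUT_FILENO, ...) */
    model_cap_enter();
    if (model_open("/etc/passwd", R_READ) != E_CAPMODE) return 1;        /* lookup refused     */
    if (model_cap_new(outcap, R_READ | R_WRITE) != E_NOTCAPABLE) return 2; /* cannot regain READ */
    if (!model_same_file(out, outcap)) return 3;                          /* refinement, no chain */
    return model_write(outcap);                                           /* 0: WRITE right kept  */
}
```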

  20. Adapted applications (program: approach; changes):
      tcpdump: cap_enter; enter for the parse/render work loop.
      dhclient: cap_enter; reinforce existing chroot / setuid privilege separation.
      gzip: libcapsicum; open files with ambient authority, pass capabilities to the sandbox.
      Chromium: cap_enter; sandbox Javascript and HTML processing in renderer processes.

  21. tcpdump @@ -1197,6 +1199,14 @@ (void)fflush(stderr); } #endif /* WIN32 */ + if (lc_limitfd(STDIN_FILENO, CAP_FSTAT) < 0) + error("lc_limitfd: unable to limit STDIN_FILENO"); + if (lc_limitfd(STDOUT_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) + error("lc_limitfd: unable to limit STDIN_FILENO"); + if (lc_limitfd(STDERR_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) + error("lc_limitfd: unable to limit STDERR_FILENO"); + if (cap_enter() < 0) + error("cap_enter: %s", pcap_strerror(errno)); status = pcap_loop(pd, cnt, callback, pcap_userdata); if (WFileName == NULL) {
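Review bot: the error message on the STDOUT_FILENO lc_limitfd call is a copy-paste slip; it reports "unable to limit STDIN_FILENO" although the call being checked limits STDOUT_FILENO, so a failure there would be misattributed. Suggest `error("lc_limitfd: unable to limit STDOUT_FILENO");`. Also, the cap_enter failure path reports `pcap_strerror(errno)` while the three lc_limitfd paths do not; including errno there too would make those failures easier to diagnose.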

  22. Chromium sandboxing (OS, model, sandbox: lines of code):
      Windows, DAC, ACLs: 22,350
      Linux, DAC, chroot(): 600
      Mac OS X, MAC, Sandbox: 560
      Linux, MAC, SELinux: 200
      Linux, Cap, seccomp: 11,300
      FreeBSD, Cap, Capsicum: 100
      [Table columns FS, IPC, NET and Priv: per-sandbox ✓, ✗ and ⚠ ratings, not recoverable here]

  28. Building on Capsicum: Assisted compartmentalisation (static, dynamic analysis). Critical network services: routing daemon, etc. Monolithic applications: OpenOffice.org, KDE... Distributed domains → local domains: browsers, databases... Gesture-Based Access Control (GBAC): power boxes, "drag and drop" → assign capabilities.

  29. Conclusion: Multi-user security → compartmentalised applications. Capsicum APIs: faster, cleaner, and more secure. Delegation-centric approach to granular policy. Avoid policy dual-coding, no privilege requirement. Supplement rather than replace DAC and MAC. API/semantics + prototype on FreeBSD 9.x, 8.x backport. Linux/ChromeOS port in progress at Google.

  30. Questions? http://www.cl.cam.ac.uk/research/security/capsicum/
