capsicum
play

Capsicum Capability-Based Sandboxing David Drysdale Google UK - PowerPoint PPT Presentation

Feb 24, 2024 •219 likes •521 views

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

  1. Capsicum Capability-Based Sandboxing David Drysdale Google UK

  4. Features Current LXC uses the following kernel features to contain processes: ● Kernel namespaces (ipc, uts, mount, pid, network and user) ● Apparmor and SELinux profiles ● Seccomp policies ● Chroots (using pivot_root) ● Kernel capabilities ● CGroups (control groups)

  5. Agenda ● Ideas ○ Privilege Separation ○ Capabilities ● Capsicum ○ Hybrid with POSIX ○ Application changes ● Linux container features ● Status/Outlook

  6. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way

  7. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way ● Divide up software according to what privileges are needed ○ E.g. separate media processing from credentials processing

  8. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way ● Divide up software according to what privileges are needed ○ E.g. separate media processing from credentials processing ● Examples: ○ OpenSSH: credential checking process ○ Chrome: renderer processes ● Design impact: ○ Do privileged operations first ○ Pass resources down a privilege gradient

  9. Capability-Based Security ● Make the privileges that a process holds more explicit

  10. Capability-Based Security ● Make the privileges that a process holds more explicit ● Access objects via unforgeable token: the capability ○ Identifies the object ○ Accompanying rights give allowed operations ○ Can only reduce, not increase rights ○ Can pass capabilities around

  11. Capability-Based Security ● Make the privileges that a process holds more explicit ● Access objects via unforgeable token: the capability ○ Identifies the object ○ Accompanying rights give allowed operations ○ Can only reduce, not increase rights ○ Can pass capabilities around ● Remove other ways of accessing objects ○ No access by name, i.e. no global namespaces

  12. Analogy: File Descriptors ● Refers to kernel object (open file, open socket, ...) ● Can only be created by the kernel ● Can be passed between processes (over UNIX domain sockets)

  13. Analogy: File Descriptors ● Refers to kernel object (open file, open socket, ...) ● Can only be created by the kernel ● Can be passed between processes (over UNIX domain sockets) ● ... but no real model of rights ○ O_RDONLY / O_RDWR not good enough

  14. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities

  15. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities ● Add fine-grained rights, policed by kernel ○ CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_FCHMOD, ... ○ CAP_BIND, CAP_ACCEPT, CAP_CONNECT, CAP_SETSOCKOPT, ...

  16. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities ● Add fine-grained rights, policed by kernel ○ CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_FCHMOD, ... ○ CAP_BIND, CAP_ACCEPT, CAP_CONNECT, CAP_SETSOCKOPT, ... ● Capability mode ○ Remove access to global namespaces ○ Turn off most ways of minting new (unrestricted) file descriptors ■ openat(dfd, "path"...) allowed ■ accept(socket ...) allowed

  17. Example: strings

  18. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); for (ii = 0; ii < num_streams; ++ii) { ...

  19. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); + cap_rights_init(&rights, CAP_READ, CAP_SEEK, CAP_FSTAT, CAP_FCNTL); + for (ii = 0; ii < num_streams; ++ii) { + if (streaminfo[ii].stream) + cap_rights_limit(fileno(streaminfo[ii].stream), &rights); + } for (ii = 0; ii < num_streams; ++ii) { ...

  20. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); + cap_rights_init(&rights, CAP_READ, CAP_SEEK, CAP_FSTAT, CAP_FCNTL); + for (ii = 0; ii < num_streams; ++ii) { + if (streaminfo[ii].stream) + cap_rights_limit(fileno(streaminfo[ii].stream), &rights); + } + cap_enter(); + for (ii = 0; ii < num_streams; ++ii) { ...

  21. Features Current LXC uses the following kernel features to contain processes: ● Kernel namespaces (ipc, uts, mount, pid, network and user) ● Apparmor and SELinux profiles ● Seccomp policies ● Chroots (using pivot_root) ● Kernel capabilities ● CGroups (control groups)

  22. fine grained broad chroot brush simple complex

  23. fine grained kernel capabilities broad chroot brush simple complex

  24. fine grained seccomp cgroups kernel capabilities broad chroot brush simple complex

  25. fine grained seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  26. fine grained namespaces seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  27. fine Capsicum grained namespaces seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  28. Themes ● Involves code changes ● Less flexible in some ways ○ But simple to understand & apply ○ Not specific to root ● More fine-grained in other ways ○ FD-by-FD, not application-wide ● Easy to analyze ● Composes with other features

  29. Status ● OS Support ○ In FreeBSD >= 10.x ○ Out-of-tree patch set for Linux (github.com/google/capsicum-linux) ● Application Support ○ ~20 in-tree FreeBSD applications ○ OpenSSH / tcpdump / xz ○ (Chromium) ● Next ○ More applications (join us!) ○ More debugging facilities

  30. References ● Home page: http://www.cl.cam.ac.uk/research/security/capsicum/ ● Linux home page: http://capsicum-linux.org/ ● Intro article: http://capsicum-linux.blogspot.co.uk/2015/02/an-overview-of-capsicum.html ● Linux source code: https://github.com/google/capsicum-linux ● Test suite: https://github.com/google/capsicum-test ● Projects list: https://github.com/google/capsicum-test/wiki/Projects ● Strings vulnerability: https://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted- files.html David Drysdale <drysdale@google.com>

Recommend

Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background

Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background

Ransom Naturals Ltd (RNL) Capsicum related extracts an overview Background Our offer Extract type &amp; form Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background Chilli peppers as

571 views • 5 slides
Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson Introduction UNIX File System (UFS) Capsicum: practical capabilities for UNIX Whoops, a concurrency

548 views • 31 slides
in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55

in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55

Dichlorvos and methamidophos in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55 ha Two main growers/exporters, Southern Paprika and NZ Gourmet 41 ha Both companies producing in different

516 views • 14 slides
CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 - Washington, DC Robert N. M. Watson Jonathan Anderson Google UK Ltd

693 views • 31 slides
Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon,

Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon,

Practical approach to Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon, Head Sourcing Operations, Griffith Laboratories Pvt. Ltd. 3 rd December, 2014. Griffith Laboratories An Introduction

319 views • 30 slides
Influence of Salicylic Acid applica2on on Oxida2ve and Molecular

Influence of Salicylic Acid applica2on on Oxida2ve and Molecular

Influence of Salicylic Acid applica2on on Oxida2ve and Molecular Responses and func2onal proper2es of Capsicum annuum L. cul2vated in greenhouse condi2ons

499 views • 20 slides
plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable

plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable

Phyto-toxicological Effects of Copper Nanoparticles in Bell Pepper ( Capsicum annum ) plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable Nanotechnology Organization Orlando, FL, November, 2016 1

417 views • 31 slides

More recommend