cloudabi safe testable and maintainable software for unix
play

CloudABI: safe, testable and maintainable software for UNIX - PowerPoint PPT Presentation

Nov 03, 2023 •2.33k likes •2.81k views

T-DOSE, Eindhoven 2015-11-2[89] CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI

  1. T-DOSE, Eindhoven 2015-11-2[89] CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

  2. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 2

  3. What is wrong with UNIX? UNIX is awesome, but in my opinion: ● it doesn’t stimulate you to run software securely. ● it doesn’t stimulate you to write reusable and testable software. ● system administration doesn’t scale. 3

  4. UNIX security problem #1 A web service only needs to interact with: ● incoming network connections for HTTP requests, ● optional: a directory containing data files, ● optional: database backends. In practice, an attacker can: ● create a tarball of all world-readable data under / , ● register cron jobs, ● spam TTYs using the write tool, ● turn the system into a botnet node. 4

  5. Access controls: AppArmor In my opinion not a real solution to the problem: ● Puts the burden of securing applications on package maintainers and end users. ● Application configuration can easily get out of sync with security policy. ● Common solution if security policy doesn’t work: disable AppArmor. 5

  6. Capabilities: Capsicum Technique available on FreeBSD to sandbox software: 1. Program starts up like a regular UNIX process. 2. Process calls cap_enter() . ○ Process can interact with file descriptors. read() , write() , accept() , openat() , etc. ○ Process can’t interact with global namespaces. open() , etc. will return ENOTCAPABLE . Used by dhclient , hastd , ping , sshd , tcpdump , and various other programs. 6

  7. Experiences using Capsicum ● Capsicum is awesome! It works as advertised. Other systems should also support it. ● Code isn’t designed to have system calls disabled. ○ FreeBSD’s C libraries: timezones, locales unusable. Various libraries: non-random PRNG. ○ ○ Heisenbugs, Mandelbugs and Hindenbugs. ● ‘Capsicum doesn’t scale’. ○ Porting small shell tools to Capsicum is easy. Porting applications that use external libraries becomes ○ exponentially harder. 7

  8. UNIX security problem #2 Untrusted third-party applications: ● Executing them directly: extremely unsafe. ● Using Jails, Docker, etc.: still quite unsafe. ● Inside a VM: safe, but slow. Why can’t UNIX just safely run third-party executables directly? Wasn’t the operating system intended to provide isolation? 8

  9. Reusability and testability Claim: UNIX programs are hard to reuse and test. 9

  10. Reuse and testing in Java #1 class WebServer { private Socket socket; private String root; WebServer() { this.socket = new TCPSocket(80); this.root = “/var/www”; } } 10

  11. Reuse and testing in Java #2 class WebServer { private Socket socket; private String root; WebServer(int port, String root) { this.socket = new TCPSocket(port); this.root = root; } } 11

  12. Reuse and testing in Java #3 class WebServer { private Socket socket; private Filesystem root; WebServer(Socket socket, Filesystem root) { this.socket = socket; this.root = root; } } 12

  13. Reusability and testability UNIX programs are similar to the first two examples: ● Parameters are hardcoded. ● Parameters are specified in configuration files stored at hard to override global locations. ● Resources are acquired on behalf of you, instead of allowing them to be passed in. Dependencies are not injected. A double standard, compared to how we write code. 13

  14. Reusable and testable web server #include <sys/socket.h> #include <unistd.h> int main() { int fd; while ((fd = accept(0, NULL, NULL)) >= 0) { const char buf[] = “HTTP/1.1 200 OK\r\n” “Content-Type: text/plain\r\n\r\n” “Hello, world\n”; write(fd, buf, sizeof(buf) - 1); close(fd); } } 14

  15. Reusable and testable web server Web server is reusable: ● Web server can listen on any address family (IPv4, IPv6), protocol (TCP, SCTP), address and port. ● Spawn more on the same socket for concurrency. Web server is testable: ● It can be spawned with a UNIX socket. Fake requests can be sent programmatically. 15

  16. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 16

  17. Introducing CloudABI A new UNIX-like runtime environment that allows you to more easily develop: ● software that is better protected against exploits, ● software that is reusable and testable, ● software that can be deployed at large scale. In a nutshell: POSIX + Capsicum always enabled - conflicting APIs. 17

  18. Default rights By default, CloudABI processes can only perform actions that have no global impact: ● They can allocate memory, create pipes, socket pairs, shared memory, etc. ● They can spawn threads and subprocesses. ● They can interact with clocks (gettimeofday, sleep). ● They cannot open paths on disk. ● They cannot create network connections. ● They cannot observe the global process table. 18

  19. Additional rights: file descriptors File descriptors are used to grant additional rights: ● File descriptors to directories: expose parts of the file system to the process. ● Sockets: make a process network accessible. ○ File descriptor passing: receive access to even more resources at run-time. ● Process descriptors: handles to processes. File descriptors have permission bitmasks, allowing fine-grained limiting of actions performed on them. 19

  20. Secure web service Consider a web service running on CloudABI that gets started with the following file descriptors: ● a socket for incoming HTTP requests, ● a read-only file descriptor of a directory, storing the files to be served over the web, ● an append-only file descriptor of a log file. When exploited, an attacker can do little to no damage. 20

  21. Cross-platform support Observation: UNIX ABI becomes tiny if you remove all interfaces that conflict with capability-based security. ● CloudABI only has 58 system calls. Most of them are not that hard to implement. ● Goal: Add support for CloudABI to existing UNIX- like operating systems. ● Allows reuse of binaries without recompilation. ● Mature: FreeBSD and NetBSD, ARM64 and x86-64 ● Experimental: Linux 21

  22. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 22

  23. Developing CloudABI software Building software for CloudABI manually is not easy: ● Cross compiling is hard, not just for CloudABI. ● Toolchain depends on a lot of components. ● Most projects need to be patched in some way: ○ Removal of capability-unaware APIs breaks the build, which is good! ○ cloudlibc tries to cut down on obsolete/unsafe APIs. Autoconf from before 2015-03 doesn’t support CloudABI. ○ 23

  24. Introducing CloudABI Ports ● Collection of cross compiled libraries and tools. ● Packages are built for FreeBSD, Dragonfly BSD, NetBSD, OpenBSD, Debian and Ubuntu. Native packages, managed through apt-get , pkg . ○ ○ Contents are identical, except for installation prefix ( /usr vs. /usr/local vs. /usr/pkg ). ○ Consistent development environment on all systems. ● Packages don’t contain any native build tools. ○ Should be provided by the native package collection. ● Packages include Boost, cURL, GLib, LibreSSL, Lua. 24

  25. CloudABI Ports in action Install Clang and Binutils from FreeBSD Ports: $ pkg install cloudabi-toolchain Install core libraries from CloudABI Ports: $ vi /etc/pkg/CloudABI.{conf,key} $ pkg update $ pkg install x86_64-unknown-cloudabi-cxx-runtime Build a simple application using Clang and cloudlibc: $ x86_64-unknown-cloudabi-cc -o hello hello.c 25

  26. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 26

  27. Simple CloudABI program: ls #include <dirent.h> #include <stdio.h> int main() { DIR *d = fdopendir(0); FILE *f = fdopen(1, “w”); struct dirent *de; while ((de = readdir(d)) != NULL) fprintf(f, “%s\n”, de->d_name); closedir(d); fclose(f); } 27

  28. Executing our ls through the shell $ x86_64-unknown-cloudabi-cc -o ls ls.c $ kldload cloudabi64 # FreeBSD ≥ 11.0 $ ./ls < /etc . .. fstab rc.conf [...] 28

  29. Isn’t there a better way? Starting processes through the shell feels unnatural: ● The shell cannot (in a portable way) create sockets, shared memory objects, etc. ● How would you know the ordering of the file descriptors that the program expects? ● How do you deal with a variable number of file descriptors? ● You can no longer configure programs through a single configuration file. 29

  30. Introducing cloudabi-run $ cloudabi-run /my/executable < my-config.yaml ● Allows you to start up a CloudABI process with an exact set of file descriptors. ● Merges the concept of program configuration with resource configuration listing. ● Replaces traditional command line arguments by a YAML tree structure. 30

  31. Configuration for a web server hostname: nuxi.nl concurrent_connections: 64 listen: - 148.251.50.69:80 logfile: /var/log/httpd/nuxi.nl.access.log rootdir: /var/www/nuxi.nl 31

Recommend

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

NLUUG, Bunnik 2015-05-28 CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Programme What is wrong with UNIX? What is CloudABI? Use cases for CloudABI Links 2 What is wrong with UNIX?

768 views • 30 slides
CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI processes Use

849 views • 40 slides
Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge

Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge

Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge Software may live much longer than expected Software must be continuously adapted to a changing environment Maintenance takes 5080%

1.64k views • 85 slides
How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software that has fewer bugs Focus on non-safety-critical software Great techniques developed by formal methods, programming languages and

454 views • 41 slides
the Unix Philosophy still matters Make you think markus schnalke &lt;meillo@marmaro.de&gt;

the Unix Philosophy still matters Make you think markus schnalke &lt;meillo@marmaro.de&gt;

Goals of this talk Introduce the Unix Phil Show that most modern software is crap Explain why the Unix Phil leads to good/better software Why Convince you that good software is of matter the Unix Philosophy still matters

536 views • 9 slides
WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past

WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past

WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past Drupal Frontend developer now Senior Software Engineer at @sergesemashko sergey.semashko What is maintainable JS? Intuitive/Readable

1.11k views • 43 slides
Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or- http://www.cs.rpi.edu/~hollingd/unix -or- Unix in a Nutshell (an OReilly book). 1 Unix Accounts To access a Unix system you need to have an account . Unix

1.05k views • 84 slides
Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

1/19/2010 Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix: tak, the Whitehead Scientific Linux server t k th Whit h d S i tifi Li most important/useful commands &amp; Apply

259 views • 8 slides
the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk

the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk

Why the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk Introduce the Unix Phil Show that most modern software is crap Explain why the Unix Phil leads to good/better software

520 views • 36 slides
Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future classes Unix history The Unix family of operating systems have been in existence since around 1969. Most folks agree the system that Ken

1.13k views • 57 slides
CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010

CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010

CSE2031 Software Tools - UNIX introduction Przemyslaw CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010 Introduction to UNIX UNIX Shells Commands Overview Przemyslaw Pawluk grep family presented

533 views • 36 slides
The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is

The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is

The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is software that manages the resources of a computer Like most managers, the OS aims to manage its resources in a safe and efficient way Examples of

848 views • 50 slides
Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to

Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to

Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to indicate how well the system satisfies the needs of its stakeholders. (SAiP p.63) Some material in these slides is adapted from Software

378 views • 10 slides
Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of Secure Software Systems Project 1 expectations Day 8: Unix Access Control Unix permissions basics Stephen McCamant Exercise: using Unix

874 views • 6 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides
Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany

Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany

Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany Dr. Stefan Voget Agenda SAFE Motivation makes Functional safety safe SAFE in SAFE and the project standardization landscape 2 SAFE

569 views • 20 slides
UNIX Programming: A brief introduction to UNIX history and most useful commands. Toni Hermoso

UNIX Programming: A brief introduction to UNIX history and most useful commands. Toni Hermoso

UNIX Programming: A brief introduction to UNIX history and most useful commands. Toni Hermoso Pulido Bioinformatics Core Facilty UNIX History (I) UNIX is a computer operating system originally developed in 1969 by a group of AT&amp;T

336 views • 30 slides
Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to supplement the Introduction to UNIX slides with extra information on files 1 CIS 218 Advanced UNIX Overview 1 . Access Permissions 2 . Links 2

358 views • 22 slides
Advanced UNIX CIS 118 Intro to UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 118 Intro to UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 118 Intro to UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to supplement the Introduction to UNIX slides with extra information on files 1 CIS 118 Intro to UNIX Overview 1 . Access Permissions 2 . Links 2

266 views • 22 slides
Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls

Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls

Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls First off, we'll take a first pass at understanding how the physical hardware of a disk drive can be made to look like software to store traditional

517 views • 19 slides
What is Unix? Unix: explained markus schnalke &lt;meillo@marmaro.de&gt; Unix Operating

What is Unix? Unix: explained markus schnalke &lt;meillo@marmaro.de&gt; Unix Operating

What is Unix? Unix: explained markus schnalke &lt;meillo@marmaro.de&gt; Unix Operating system Kernel (Systemcalls) Userland Filesystem Background and History Philosophy Historical background Timeline The late 60s and early 70s

579 views • 9 slides
Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to

Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to

Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to understand what UNIX is, 30 years ago 1969 : Team of Bell Labs developers begin working on solution to address software problems with

500 views • 17 slides
Go based content filtering software on FreeBSD Ganbold Tsagaankhuu, Mongolian Unix User Group

Go based content filtering software on FreeBSD Ganbold Tsagaankhuu, Mongolian Unix User Group

Go based content filtering software on FreeBSD Ganbold Tsagaankhuu, Mongolian Unix User Group Esbold Unurkhaan, Mongolian University of Science and Technology Erdenebat Gantumur, Mongolian Unix User Group AsiaBSDCon Tokyo, 2015 Content

1.04k views • 42 slides
Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX)

Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX)

BS1 WS19/20 topic-based slides Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX) Anonymous Pipes (Windows) Named Pipes (Windows) Mailslots (Windows) Windows vs. UNIX 2 Inter-Process

480 views • 24 slides

More recommend