connecting the dot dots
play

Connecting the Dot Dots Model Checking Concurrency in Capsicum - PowerPoint PPT Presentation

Aug 30, 2023 •224 likes •548 views

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson Introduction UNIX File System (UFS) Capsicum: practical capabilities for UNIX Whoops, a concurrency

  1. Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson

  2. Introduction • UNIX File System (UFS) • Capsicum: practical capabilities for UNIX • Whoops, a concurrency vulnerability • Model checking file system containment • Conclusions 2

  3. The UNIX File System (UFS) 3

  4. The UNIX file system • Persistent object storage for UNIX • Hierarchical, user-specified name space • Also used for IPC • DAC + MAC ➡ A security API 4

  5. Typical APIs • Open a file for I/O int open(char *path, int flags, ...); • Change directory int chdir(char *path); • Rename a file or directory int rename(char *from, char *to); 5

  6. Looking up a path open("/etc/passwd", O_RDONLY) .. Process root root Root directory etc tmp etc Current working .. .. directory File descriptor array tmp etc etc passwd passwd hard link passwd passwd 6

  7. Capsicum: practical capabilities for UNIX 7

  8. CVEs in Jan-Aug Jan-Aug 2009 Firefox 85 Safari 59 IE 48 Chrome 39 Flash 35 source; Justin Fo n Foster, OWASP 8

  9. Logical applications Kernel Browser process ambient authority UNIX process ambient authority becomes Renderer process Renderer process ... capability mode capability mode Traditional UNIX application Capsicum logical application 9

  10. Hierarchical delegation with capabilities / etc var apache passwd www site1 site2 Apache Apache Apache Worker 1 Worker 2 Logical Application 10

  11. File capabilities .. Process ! root Root directory tmp etc Current working ! .. .. directory File descriptor array tmp etc passwd hard link passwd File capability READ 11

  12. at(2) APIs • Variations accepting directory descriptors: int renameat(int fromfd, char *from, int tofd, char *to); • Avoid intermediate lookup state/costs • Use at(2) calls to delegate directories • Grant rights to objects under capability 12

  13. Directory delegation .. Process ! root Root directory tmp Current working ! .. directory File descriptor array tmp sandbox Directory capability .. ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, foo DELETE, LOOKUP... .. foo bar .. bar 13

  14. Derived capabilities .. Process ! root Root directory tmp Current working ! .. directory File descriptor array tmp sandbox Directory capability .. ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, foo DELETE, LOOKUP... .. ! Directory capability foo ATBASE, FCHDIR, bar FSTAT, CREATE, .. DELETE, LOOKUP... bar 14

  15. Implementing under • Reject at(2) on absolute paths • Reuse existing namei lookup code • Require directory capability argument • If “..” is looked up relative to starting directory, return ENOTCAPABLE 15

  16. A concurrency vulnerability 16

  17. Concurrency • Multiple computational processes execute at the same time and may interact with each other • Concurrency leads to the appearance of non-determinism 17

  18. Concurrency vulnerabilities • When incorrect concurrency management leads to vulnerability • Violation of specifications • Violation of user expectations • Passive - leak information or privilege • Active - allow adversary to extract information, gain privilege, deny service... 18

  19. From concurrency bug to security bug • Vulnerabilities in security-critical interfaces • Races on arguments and interpretation • Atomic “check” and “access” not possible • Data consistency vulnerabilities • Stale or inconsistent security metadata • Security metadata and data inconsistent 19

  20. Concurrency attacks on APIs • System call API bridges “untrusted” userspace and “trusted” kernel • Attacker’s goal to manipulate APIs and trigger security incorrectness in “trusted” implementation • In software, usually done using multiple client threads/processes and system calls, LPCs, or RPCs to a multithreaded server 20

  21. openat(foofd, "bar/../.."); renameat(foofd, "bar", sandboxfd, "bar"); .. Process " root Root directory tmp Current working " .. directory File descriptor array tmp tmp Directory capability .. " ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, DELETE, LOOKUP... " Directory capability foo ATBASE, FCHDIR, bar FSTAT, CREATE, .. DELETE, LOOKUP... bar rename bar .. 21

  22. Concurrency vulnerabilities • Most race conditions are time-of-check-to- time-of-use (TOCTTOU) • This vulnerability is not TOCTTOU • Bisbey 1978 “unexpected concurrency” • Security failure due to programmer not understanding concurrency opportunity 22

  23. The vulnerability • Bypass containment if any writable directory capabilities passed to sandbox • Dual-core notebook required ~100,000 loops to exploit • Exploits non-atomic namespace lookup relative to other operations • A performance feature we can’t remove! 23

  24. Why formal methods? • Serious but subtle concurrency vulnerability with unclear implications • Namespace containment widely used in UNIX; chroot and beyond • Want to show that other combinations of name space calls can’t trigger similar vulnerabilities 24

  25. Model checking • Summary: Clarke, Emerson, Sifakis 2007 Turing Award lecture; Comm ACM 2009 • Finite state machine represents system under analysis • Express safety properties in temporal logic • Exhaustively check model conformance • Common in protocol, hardware verification 25

  26. The goal • Model the relationship between the attacker and the file system implementation • Want to explore all possible interleavings of events the attacker can trigger • Validate critical assertions 26

  27. The model • Selected SPIN model checker • 222-line Promela model of system/attacker • Model a finite set of concurrent processes, each with a limited system call vocabulary • Finite-sized file system (8 nodes); Initial path configuration similar to picture • Assertion: multi-“..” lookups fail 27

  28. Solution space Approach Performance Functionality Security Remove subtree ✔ ✘ ✔ delegation Namespace walk ✘ ✔ ✘ Limit namespace ✔ (NFS: ✘ ) ✘ ✔ concurrency Limit “..” ✔ ✘ ✔ 28

  29. Limitations • Hand-crafted Promela mode - significantly different semantics and implementation from kernel code • Finite process count • Limited system call vocabulary • Limited file system size • Want stronger “can’t name root” assertion 29

  30. Conclusion • Capsicum: practical capabilities for UNIX • Concurrency vulnerability with serious real-world implications for Capsicum • Applied model checking • Improved our confidence in security / performance / functionality trade-off 30

  31. Q&A 31

Recommend

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes,

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes,

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T II.2- 1 T II.2: Connecting the Dots 1. Connecting the Dots 1.1. Intuition & Motivation 1.2. Coherence of

929 views • 41 slides
Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19,

Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19,

Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19, Energy Policy, COVID-19, and COVID-19, Energy Policy, Energy Policy and the Role of States and the Role of States Professor Shalanda H. Baker

497 views • 31 slides
Objectives Mission to Care FHA HIIN 1 Chasing Zero Infections - Connecting the Dots to

Objectives Mission to Care FHA HIIN 1 Chasing Zero Infections - Connecting the Dots to

Chasing Zero Infections - Connecting the Dots to Thursday, May 25, 2017 Reduce Patient Harm: Hot Topics in Infection Prevention and Stewardship HOSPITAL IN ACTION SUCCESSFUL STRATEGIES FOR REDUCING C. DIFF Cathy Jaco, RN, MSN, CPHQ, HACP,

407 views • 12 slides
CONNECTING THE DOTS: Research, Educa7on, Innova7on and

CONNECTING THE DOTS: Research, Educa7on, Innova7on and

CONNECTING THE DOTS: Research, Educa7on, Innova7on and Entrepreneurship Dr. Jan Hamrin 23 rd Na7onal NSF EPSCoR Conference Music City Center Nashville, TN

462 views • 14 slides
4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory

4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory

4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory System The Common Core Curriculum Valuing Literacy The Sensory System Vision Hearing, Vestibular Touch, Proprioception Smell and Taste And THE

269 views • 4 slides
Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M

Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M

Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M Masterpiece Laquore Meadows, Ph.D., Nicole Debose, Deborah Carney Ohio State University Extension How are we positioned? Urban County Extension

879 views • 13 slides
Connecting the Dots of Innovation with Professor Jeff DeGraff

Connecting the Dots of Innovation with Professor Jeff DeGraff

Connecting the Dots of Innovation with Professor Jeff DeGraff When money gets scarce, competition for it increases. Productivity is no longer enough.

552 views • 51 slides
CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE

CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE

11/17/2016 ECONOMICS AND REVENUE Connecting the Dots CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE DOTS Current Events Forecast Revenue Estimate CONNECTING THE DOTS Current Events Forecast

126 views • 12 slides
Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for

Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for

Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for Energy Raab Roundtable September 30, 2016 Connecticut Department of Energy and Environmental Protection 1 A Few of the Dots RGGI 2016

400 views • 11 slides
Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer

Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer

Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer Goals Jeffrey Neville Senior Vice President and Practice Lead, BRP Consulting @BRPConsulting | #BRPCloudXR | @JefNeville XR - What is the difference

456 views • 12 slides
Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for

Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for

Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for Unsupervised Domain Adaptation Boqing Gong University of Southern California Joint work with Kristen Grauman and Fei Sha The perils of mismatched

625 views • 58 slides
Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage

Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage

Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage Manageme ment nt Increasing A Access t to D Diabetes S Self- Management E Education Judith G h Gabriele Diabetes P Prevention a and C

558 views • 12 slides
CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC

CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC

CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC CANCER, VICTORIA DISCLOSURES I have received speakers honoraria from the following companies: Amgen, Astra-Zeneca, Celgene, Eisai, Ipsen, Roche

908 views • 65 slides
Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work

Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work

Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work with Aykut Bulut 2 1 COR@L Lab, Department of Industrial and Systems Engineering, Lehigh University 2 The MathWorks, Natick, MA 23 rd Workshop on

556 views • 42 slides
Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs

Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs

Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs Dr. Jiangyuan (JY) Zhou , Internationalization Specialist Dr. Kaite Yang Assistant Professor of Psychology with Daniel Tom Director of

335 views • 17 slides
Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here

Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here

Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here for industry to work with CREDC to accomplish technical goals, and have DOE pay for CREDCs effort What goes into a industry/academic partnership

162 views • 5 slides
Connecting The Dots Promoting Breastfeeding Friendly Prescribing in a Baby Friendly Health

Connecting The Dots Promoting Breastfeeding Friendly Prescribing in a Baby Friendly Health

Connecting The Dots Promoting Breastfeeding Friendly Prescribing in a Baby Friendly Health Initiative Accredited Hospital Renee Dimond and Eleanor van Dyk Pharmacy Department, Ballarat Health Services Case Study JH 27-year-old

589 views • 19 slides
Connecting the dots: factors influencing poor child nutrition after floods in Orissa, India

Connecting the dots: factors influencing poor child nutrition after floods in Orissa, India

Connecting the dots: factors influencing poor child nutrition after floods in Orissa, India *Irvine, Laura **Dash, Shisir **Kanungo, Itishree *Rodriguez, Jose and *Guha-Sapir, Debarati *Centre for Research on the Epidemiology of Disasters

406 views • 17 slides
Connecting the dots with common sense and linear models L eon Bottou NEC Labs America COS

Connecting the dots with common sense and linear models L eon Bottou NEC Labs America COS

Connecting the dots with common sense and linear models L eon Bottou NEC Labs America COS 424 2/4/2010 Introduction Useful things: understanding probabilities, understanding statistical learning theory, knowing countless

892 views • 45 slides
Innovations and Motivations: Why Connecting Dots with Data Matters Jo Zimmer, MPAE Rural

Innovations and Motivations: Why Connecting Dots with Data Matters Jo Zimmer, MPAE Rural

Innovations and Motivations: Why Connecting Dots with Data Matters Jo Zimmer, MPAE Rural Oregon Continuum of Care David Mulig Presenter Oregon Housing and Community Services Opening Jo Zimmer Overview of Session Who's in the

436 views • 11 slides
Tableau Dashboards: Connecting the Dots to Student Success Sarah Flores, College of the Mainland

Tableau Dashboards: Connecting the Dots to Student Success Sarah Flores, College of the Mainland

Tableau Dashboards: Connecting the Dots to Student Success Sarah Flores, College of the Mainland Aaron Thomason, ZogoTech The Main Goal Useful, functional, automated dashboards that Our customers can use to get usable and up-to-date

656 views • 21 slides
CONNECTING THE DATA DOTS TO IDENTIFY RESEARCH EXPERTISE IN LARGE UNIVERSITIES Jens Locher, Kyle

CONNECTING THE DATA DOTS TO IDENTIFY RESEARCH EXPERTISE IN LARGE UNIVERSITIES Jens Locher, Kyle

CONNECTING THE DATA DOTS TO IDENTIFY RESEARCH EXPERTISE IN LARGE UNIVERSITIES Jens Locher, Kyle Demes, Eugene Barsky CONTEXT Why was this application developed in the Graduate School? Membership - Supervision Find a supervisor

291 views • 27 slides
Applied Geomatics--connecting the pp g dots between grapevine physiology, terroir and remote

Applied Geomatics--connecting the pp g dots between grapevine physiology, terroir and remote

Applied Geomatics--connecting the pp g dots between grapevine physiology, terroir and remote sensing terroir, and remote sensing Andrew Reynolds, Brock University Ralph Brown, University of Guelph Matthieu Marciniak; David Ledderhoff; Jim

1k views • 58 slides
Pre-Employment to Competitive: Connecting the Dots to a Job with MRS Presenters: Tracey House,

Pre-Employment to Competitive: Connecting the Dots to a Job with MRS Presenters: Tracey House,

Pre-Employment to Competitive: Connecting the Dots to a Job with MRS Presenters: Tracey House, LLMSW & Stephanie May, LLMSW Objectives Key Differences between Pre-Employment to Competitive Levels of MRS Service Making Pre-Employment

616 views • 26 slides

More recommend