landlock lsm toward unprivileged sandboxing
play

Landlock LSM: toward unprivileged sandboxing Micka el Sala un - PowerPoint PPT Presentation

Jan 05, 2023 •175 likes •789 views

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

  1. Landlock LSM: toward unprivileged sandboxing Micka¨ el Sala¨ un ANSSI September 14, 2017 1 / 21

  2. Secure user-space software How to harden an application? ◮ secure development ◮ follow the least privilege principle ◮ compartmentalize exposed processes 2 / 21

  3. Secure user-space software How to harden an application? ◮ secure development ◮ follow the least privilege principle ◮ compartmentalize exposed processes Multiple sandbox uses ◮ built-in sandboxing (tailored security policy) ◮ sandbox managers (unprivileged and dynamic compartmentalization) ◮ container managers (hardened containers) 2 / 21

  4. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . �

  5. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼

  6. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼ Landlock � � � Tailored access control to match your needs: programmatic access control 3 / 21

  7. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼ Landlock � � � Tailored access control to match your needs: programmatic access control Example Run an application allowed to write only on a terminal. 3 / 21

  8. Landlock overview 4 / 21

  9. Landlock: patch v7 ◮ a minimum viable product ◮ a stackable LSM ◮ using eBPF ◮ focused on filesystem access control 5 / 21

  10. The Linux Security Modules framework (LSM) LSM framework ◮ allow or deny user-space actions on kernel objects ◮ policy decision and enforcement points ◮ kernel API: support various security models ◮ 200+ hooks: inode permission , inode unlink , file ioctl . . . 6 / 21

  11. The Linux Security Modules framework (LSM) LSM framework ◮ allow or deny user-space actions on kernel objects ◮ policy decision and enforcement points ◮ kernel API: support various security models ◮ 200+ hooks: inode permission , inode unlink , file ioctl . . . Landlock ◮ rule: control an action on an object ◮ event: use of a kernel object type (e.g. file) ◮ action: read, write, execute, remove, IOCTL. . . 6 / 21

  12. Life cycle of a Landlock rule 7 / 21

  13. Landlock rule example ◮ read-only access to the filesystem... ◮ ...but allowed to write on TTY and pipes ◮ rule enforced on each filesystem access request 8 / 21

  14. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  15. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  16. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  17. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  18. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  19. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  20. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  21. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  22. extended Berkeley Packet Filter In-kernel virtual machine ◮ safely execute code in the kernel at run time ◮ widely used in the kernel: network filtering, seccomp-bpf, tracing. . . ◮ can call dedicated functions ◮ can exchange data through maps between eBPF programs and user-space 9 / 21

  23. extended Berkeley Packet Filter In-kernel virtual machine ◮ safely execute code in the kernel at run time ◮ widely used in the kernel: network filtering, seccomp-bpf, tracing. . . ◮ can call dedicated functions ◮ can exchange data through maps between eBPF programs and user-space Static program verification at load time ◮ memory access checks ◮ register typing and tainting ◮ pointer leak restrictions ◮ execution flow restrictions 9 / 21

  24. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  25. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  26. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  27. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  28. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  29. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  30. Loading a rule in the kernel 10 / 21

  31. Applying a rule to a process 1 seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &rule_fd); 11 / 21

  32. Applying a rule to a process 11 / 21

  33. Applying a rule to a process 11 / 21

Recommend

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa

Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa

Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Brito, P. L., et al. Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa Brito*, Daniel Nadier Cavalcanti Reis*,

347 views • 20 slides
Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz http://www.batchgeo.com Remote Sandboxing? Students' interpreters g r a d e . r k t 1 6 0 0 t i m e s ? Students' interpreters g r a d e

446 views • 15 slides
Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model

Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model

TM Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model Free/rx/tx descriptor queues into guest Packet demux and tx enforcement Validation of frag descriptors TX QoS CSUM offload / TSO / LRO

714 views • 7 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU Computing NVIDIA Beyond video games AUTONOMOUS MACHINES VIRTUAL REALITY SCIENTIFIC COMPUTING MACHINE LEARNING GPU COMPUTING 2 Infrastructure at

669 views • 28 slides
arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to access system memory . Meltdown takes advantage of speculative execution , in particular its ability to meltdown security barrier

369 views • 8 slides
Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io

394 views • 12 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented by: Ashwin Chaugule 26th Sept 2008 Area Systems security: Application Virtualization USENIX 08 - Best Student Paper Source code:

427 views • 28 slides
Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder anup@invincea.com www.invincea.com Research Professor Center for Secure Information Systems George Mason University May 2010 The User IS the

479 views • 20 slides
Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class fjnal exam review 2 CHALLENGE (1) expect to release before Saturday; due by written fjnal probably complete all but two fjve of seven or four of

848 views • 66 slides
Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood University of Wisconsin-Madison Presented by : Yash Bhalgat, Arun Subramaniyan Key Id Ideas and goals Sharing memory between host and

596 views • 21 slides
Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda

Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda

FOSDEM (Feb 3, 2019) Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda / NTT (@_AkihiroSuda_) Giuseppe Scrivano / Red Hat (@gscrivano) 1 Who are we? Akihiro Suda Giuseppe Scrivano Software

552 views • 23 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda Reverse Engineering Primer Approaches to Dynamic Analysis Inline Hooks Advantages Over Other Techniques Usages 2 Reverse Engineering

379 views • 19 slides
Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com

Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com

Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com $ ps -eo pid,user,comm 1 root /sbin/init 2 root [kthreadd] ... 1468 message+ dbus-daemon --system --fork 1749 root

725 views • 38 slides
ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides

ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides

ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1 2 3 third-party ad third-party ad 4 Who is running code in your browser? 5 Who is running

1.26k views • 95 slides
Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Software Security Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access control compartmentalisation between processes Chapter 2 of lecture notes 3. Language-level access control

909 views • 69 slides
Sandboxing Controllers for Stochastic Cyber-Physical Systems Bingzhuo Zhong, Technical University

Sandboxing Controllers for Stochastic Cyber-Physical Systems Bingzhuo Zhong, Technical University

FORMATS 2019 Sandboxing Controllers for Stochastic Cyber-Physical Systems Bingzhuo Zhong, Technical University of Munich, Germany Majid Zamani, CU Boulder, USA & Ludwig Maximilian University of Munich, Germany Marco Caccamo, Technical

924 views • 23 slides
virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest OS running in hypervisor on host OS hypervisor tracks virtual machine state does guest OS think its in kernel mode? does guest OS think

947 views • 71 slides
Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

1.1k views • 64 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides

More recommend