capsicum
play

Capsicum Capability-Based Sandboxing David Drysdale Google UK - PowerPoint PPT Presentation

Feb 24, 2024 •219 likes •521 views

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

  1. Capsicum Capability-Based Sandboxing David Drysdale Google UK

  4. Features Current LXC uses the following kernel features to contain processes: ● Kernel namespaces (ipc, uts, mount, pid, network and user) ● Apparmor and SELinux profiles ● Seccomp policies ● Chroots (using pivot_root) ● Kernel capabilities ● CGroups (control groups)

  5. Agenda ● Ideas ○ Privilege Separation ○ Capabilities ● Capsicum ○ Hybrid with POSIX ○ Application changes ● Linux container features ● Status/Outlook

  6. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way

  7. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way ● Divide up software according to what privileges are needed ○ E.g. separate media processing from credentials processing

  8. Check Your Privileges ● Drop unnecessary privileges ○ Just because a process starts as root , doesn't have to stay that way ● Divide up software according to what privileges are needed ○ E.g. separate media processing from credentials processing ● Examples: ○ OpenSSH: credential checking process ○ Chrome: renderer processes ● Design impact: ○ Do privileged operations first ○ Pass resources down a privilege gradient

  9. Capability-Based Security ● Make the privileges that a process holds more explicit

  10. Capability-Based Security ● Make the privileges that a process holds more explicit ● Access objects via unforgeable token: the capability ○ Identifies the object ○ Accompanying rights give allowed operations ○ Can only reduce, not increase rights ○ Can pass capabilities around

  11. Capability-Based Security ● Make the privileges that a process holds more explicit ● Access objects via unforgeable token: the capability ○ Identifies the object ○ Accompanying rights give allowed operations ○ Can only reduce, not increase rights ○ Can pass capabilities around ● Remove other ways of accessing objects ○ No access by name, i.e. no global namespaces

  12. Analogy: File Descriptors ● Refers to kernel object (open file, open socket, ...) ● Can only be created by the kernel ● Can be passed between processes (over UNIX domain sockets)

  13. Analogy: File Descriptors ● Refers to kernel object (open file, open socket, ...) ● Can only be created by the kernel ● Can be passed between processes (over UNIX domain sockets) ● ... but no real model of rights ○ O_RDONLY / O_RDWR not good enough

  14. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities

  15. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities ● Add fine-grained rights, policed by kernel ○ CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_FCHMOD, ... ○ CAP_BIND, CAP_ACCEPT, CAP_CONNECT, CAP_SETSOCKOPT, ...

  16. Capsicum: Make the analogy reality ● File descriptors as Capsicum capabilities ● Add fine-grained rights, policed by kernel ○ CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_FCHMOD, ... ○ CAP_BIND, CAP_ACCEPT, CAP_CONNECT, CAP_SETSOCKOPT, ... ● Capability mode ○ Remove access to global namespaces ○ Turn off most ways of minting new (unrestricted) file descriptors ■ openat(dfd, "path"...) allowed ■ accept(socket ...) allowed

  17. Example: strings

  18. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); for (ii = 0; ii < num_streams; ++ii) { ...

  19. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); + cap_rights_init(&rights, CAP_READ, CAP_SEEK, CAP_FSTAT, CAP_FCNTL); + for (ii = 0; ii < num_streams; ++ii) { + if (streaminfo[ii].stream) + cap_rights_limit(fileno(streaminfo[ii].stream), &rights); + } for (ii = 0; ii < num_streams; ++ii) { ...

  20. Example: strings + cap_rights_t rights; + cap_rights_limit(fileno(stdout), cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)); + cap_rights_limit(fileno(stderr), cap_rights_init(&rights, CAP_WRITE)); + cap_rights_init(&rights, CAP_READ, CAP_SEEK, CAP_FSTAT, CAP_FCNTL); + for (ii = 0; ii < num_streams; ++ii) { + if (streaminfo[ii].stream) + cap_rights_limit(fileno(streaminfo[ii].stream), &rights); + } + cap_enter(); + for (ii = 0; ii < num_streams; ++ii) { ...

  21. Features Current LXC uses the following kernel features to contain processes: ● Kernel namespaces (ipc, uts, mount, pid, network and user) ● Apparmor and SELinux profiles ● Seccomp policies ● Chroots (using pivot_root) ● Kernel capabilities ● CGroups (control groups)

  22. fine grained broad chroot brush simple complex

  23. fine grained kernel capabilities broad chroot brush simple complex

  24. fine grained seccomp cgroups kernel capabilities broad chroot brush simple complex

  25. fine grained seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  26. fine grained namespaces seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  27. fine Capsicum grained namespaces seccomp SELinux cgroups kernel capabilities broad chroot brush simple complex

  28. Themes ● Involves code changes ● Less flexible in some ways ○ But simple to understand & apply ○ Not specific to root ● More fine-grained in other ways ○ FD-by-FD, not application-wide ● Easy to analyze ● Composes with other features

  29. Status ● OS Support ○ In FreeBSD >= 10.x ○ Out-of-tree patch set for Linux (github.com/google/capsicum-linux) ● Application Support ○ ~20 in-tree FreeBSD applications ○ OpenSSH / tcpdump / xz ○ (Chromium) ● Next ○ More applications (join us!) ○ More debugging facilities

  30. References ● Home page: http://www.cl.cam.ac.uk/research/security/capsicum/ ● Linux home page: http://capsicum-linux.org/ ● Intro article: http://capsicum-linux.blogspot.co.uk/2015/02/an-overview-of-capsicum.html ● Linux source code: https://github.com/google/capsicum-linux ● Test suite: https://github.com/google/capsicum-test ● Projects list: https://github.com/google/capsicum-test/wiki/Projects ● Strings vulnerability: https://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted- files.html David Drysdale <drysdale@google.com>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background

Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background

Ransom Naturals Ltd (RNL) Capsicum related extracts an overview Background Our offer Extract type &amp; form Quality &amp; Compliance Regulatory Support your partner RNL Capsicum Background Chilli peppers as

571 views • 5 slides
Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson Introduction UNIX File System (UFS) Capsicum: practical capabilities for UNIX Whoops, a concurrency

548 views • 31 slides
in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55

in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55

Dichlorvos and methamidophos in capsicums why we want keep it available Capsicum acreage greenhouses Total New Zealand 55 ha Two main growers/exporters, Southern Paprika and NZ Gourmet 41 ha Both companies producing in different

516 views • 14 slides
CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 - Washington, DC Robert N. M. Watson Jonathan Anderson Google UK Ltd

693 views • 31 slides
Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon,

Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon,

Practical approach to Farm Level Traceability for Exports in Spices -Case studies on Capsicum Krishnakumar Menon, Head Sourcing Operations, Griffith Laboratories Pvt. Ltd. 3 rd December, 2014. Griffith Laboratories An Introduction

319 views • 30 slides
Influence of Salicylic Acid applica2on on Oxida2ve and Molecular

Influence of Salicylic Acid applica2on on Oxida2ve and Molecular

Influence of Salicylic Acid applica2on on Oxida2ve and Molecular Responses and func2onal proper2es of Capsicum annuum L. cul2vated in greenhouse condi2ons

499 views • 20 slides
plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable

plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable

Phyto-toxicological Effects of Copper Nanoparticles in Bell Pepper ( Capsicum annum ) plants Swati Rawat ESE PhD Student Gardea Group, University of Texas at El Paso Sustainable Nanotechnology Organization Orlando, FL, November, 2016 1

417 views • 31 slides
Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

[c010] Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as Potential Transdermal Penetration Enhancers Katerina Brychtova 1 *, Sylva Dittrichova 1 , Barbora Slaba 1,2 , Lukas Placek 1,2 , Radka

210 views • 6 slides
Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

[E006] Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2- hydroxyethyl)-1,3,5-triazinane-2,4,6-trione and fatty acids Jos Crecente-Campo, Silvia Fernndez-Snchez, Julio A. Seijas,* M. Pilar Vzquez- Tato* Departamento

162 views • 5 slides
Progressing through and reaching beyond boundaries in entrepreneurship education Research

Progressing through and reaching beyond boundaries in entrepreneurship education Research

Progressing through and reaching beyond boundaries in entrepreneurship education Research workshop on Entrepreneurship Education 27 November, 1200-1600 Speakers Professor David Rae, Director, CEI Dr Elena Ruskovaara, Director of

928 views • 53 slides
Porting Cordova on Tizen 2.0 Paul Plaquette Senior Software Engineer Intel Open Source

Porting Cordova on Tizen 2.0 Paul Plaquette Senior Software Engineer Intel Open Source

Porting Cordova on Tizen 2.0 Paul Plaquette Senior Software Engineer Intel Open Source Technology Center France, Montpellier paul.plaquette@intel.com Summary About Me Cordova Why? Going on Tizen Q&amp;A 2 About Me

598 views • 37 slides
Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday, October 22, 13 One-slide summary Secure programming on a conventional OS is intractable Privilege-aware OSs take secure programming from

2.28k views • 195 slides
capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020: add index slides re: cases for priviliged instruction handling and introduction explaining syscalls as special case 1 last time (1) network fjle

1.71k views • 120 slides
virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April 2019: rearrange slide order to better match lecture order 23 April 2019: change real page table to shadow page table in some places 23

1.39k views • 113 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides
CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI processes Use

849 views • 40 slides
FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD complete operating system documentation over 30 000 packages a community history history patches to v6 Unix ex/vi, pascal Berkely Software

715 views • 28 slides
pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway

pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway

pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway September 19 22, 2019 Who am I Emmanuel Vadot (manu@FreeBSD.Org) FreeBSD user since 2004 FreeBSD src commiter since 2016 FreeBSD

999 views • 78 slides
SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I

SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I

SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I run a small consulting company I get paid for ranting So what are we doing here? That is a very good question I fat... lets stat this

1.52k views • 93 slides
B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G

B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G

B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G A p r i l 2 0 1 4 C o n t e n t s I n t r o d u c t i o n F r e e B S D H i s t o r y G

491 views • 23 slides
Supply of Quality and Safe Tropical Fruits Through Efficient Supply Chain TFNet Azizi Meor Ngah

Supply of Quality and Safe Tropical Fruits Through Efficient Supply Chain TFNet Azizi Meor Ngah

Supply of Quality and Safe Tropical Fruits Through Efficient Supply Chain TFNet Azizi Meor Ngah Chief Executive Officer Malaysian Agrifood Corporation (MAFC), Malaysia 1 Global trends Push from EU Market liberalization Freshness

431 views • 18 slides
CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

NLUUG, Bunnik 2015-05-28 CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Programme What is wrong with UNIX? What is CloudABI? Use cases for CloudABI Links 2 What is wrong with UNIX?

768 views • 30 slides
GARDE NI NG HAS NOT BE E N CANCE L E D. C a the rine Wissne r Unive rsity o f Wyo m

GARDE NI NG HAS NOT BE E N CANCE L E D. C a the rine Wissne r Unive rsity o f Wyo m

GARDE NI NG HAS NOT BE E N CANCE L E D. C a the rine Wissne r Unive rsity o f Wyo m ing La ra m ie C o unty Exte nsio n , C he ye nne Wha t the se e d pa c ke t ha s to sa y Pho to s b y Ca the rine Wissne r Pla nting a t wha t

233 views • 6 slides
Swapping and embedded: compression relieves the pressure? Vitaly Wool Embedded Linux

Swapping and embedded: compression relieves the pressure? Vitaly Wool Embedded Linux

Swapping and embedded: compression relieves the pressure? Vitaly Wool Embedded Linux Conference 2016 Intro&gt; Swapping (Paging) Paging: [OS capability of] using a secondary storage to store and retrieve data With RAM being primary

692 views • 32 slides

More recommend