cloudabi pure capability based security for unix
play

CloudABI: Pure capability-based security for UNIX Speaker: Ed - PowerPoint PPT Presentation

Jun 15, 2023 •439 likes •849 views

32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI processes Use

  1. 32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl

  2. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 2

  3. What is wrong with UNIX? UNIX is awesome, but in my opinion: ● it doesn’t stimulate you to run software securely. ● it doesn’t stimulate you to write reusable and testable software. 3

  4. UNIX security problem #1 A web service only needs to interact with: ● incoming TCP connections (HTTP), ● optional: a directory containing data files, ● optional: database backends. Once compromised, an attacker can: ● create a tarball of all world-readable data under / , ● invoke setuid tools: cron , write , etc. ● turn the system into a botnet node. 4

  5. Access controls: AppArmor In my opinion not a real solution to the problem: ● Puts the burden on package maintainers and users. ● Application configuration can easily get out of sync with security policy. ● Common solution if security policy doesn’t work: disable AppArmor. 5

  6. Capabilities: Capsicum Technique available on FreeBSD to sandbox software: 1. Program starts up like a regular UNIX process. 2. Process calls cap_enter() . ○ Process can still interact with file descriptors. read() , write() , accept() , openat() , etc. ○ Process can’t interact with global namespaces. open() , etc. will return ENOTCAPABLE . Used by dhclient , hastd , ping , sshd , tcpdump , etc. 6

  7. Experiences using Capsicum ● Capsicum is awesome! It works as advertised. ● Code isn’t designed to have system calls disabled. ○ C library: locales unusable, incorrect timezone, etc. Crypto libraries: non-random PRNG. ○ ○ Heisenbugs, Mandelbugs and Hindenbugs. ● ‘Capsicum doesn’t scale’. ○ Using in-house maintained code, it works (Chrome). Using off-the-shelf libraries becomes a lot harder. ○ 7

  8. UNIX security problem #2 Untrusted third-party applications: ● Executing them directly: extremely unsafe. ● Using Jails, Docker, etc.: still quite unsafe. ● Inside a VM: safe, but slow. Why can’t UNIX just safely run third-party executables directly? Can’t the operating system provide isolation? 8

  9. Reusability and testability Claim: UNIX programs are hard to reuse and test as a whole. 9

  10. Reuse and testing in Java #1 class WebServer { private Socket socket; private String root; WebServer() { this.socket = new TCPSocket(80); this.root = “/var/www”; } } 10

  11. Reuse and testing in Java #2 class WebServer { private Socket socket; private String root; WebServer(int port, String root) { this.socket = new TCPSocket(port); this.root = root; } } 11

  12. Reuse and testing in Java #3 class WebServer { private Socket socket; private Filesystem root; WebServer(Socket socket, Filesystem root) { this.socket = socket; this.root = root; } } 12

  13. Reusability and testability UNIX programs are like to the first two examples: ● Parameters are hardcoded. ● Parameters are specified in configuration files stored at hard to override global locations. ● Resources are acquired on behalf of you, instead of allowing them to be passed in. Dependencies are not injected. A double standard. 13

  14. Reusable and testable web server #include <sys/socket.h> #include <unistd.h> int main() { int fd; while ((fd = accept(0, NULL, NULL)) >= 0) { const char buf[] = “HTTP/1.1 200 OK\r\n” “Content-Type: text/plain\r\n\r\n” “Hello, world\n”; write(fd, buf, sizeof(buf) - 1); close(fd); } } 14

  15. Reusable and testable web server Web server is reusable: ● Web server can listen on any address family (IPv4, IPv6), protocol (TCP, SCTP), address and port. ● Spawn more on the same socket for concurrency. Web server is testable: ● It can be spawned with a UNIX socket. Fake requests can be sent programmatically. 15

  16. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 16

  17. Introducing CloudABI CloudABI is a new POSIX-like runtime environment: ● Capability-based security with less foot-shooting. ○ No more state transition: Capsicum is always turned on. Capsicum-conflicting APIs have been removed. ○ ○ Our Heisenbugs now become compiler errors. ● Global namespaces are entirely absent. ○ Processes can no longer hardcode paths and identifiers. Resources cannot be acquired out of the blue. ○ ○ Result: dependency injection is enforced. ● Symbiosis, not assimilation. 17

  18. Default rights By default, CloudABI processes can only perform actions that have no global impact: ● They can allocate memory, create pipes, socket pairs, shared memory, etc. ● They can spawn threads and subprocesses. ● They can interact with clocks (gettimeofday, sleep). ● They cannot open paths on disk. ● They cannot create network connections. ● They cannot observe the global process table. 18

  19. Additional rights: file descriptors File descriptors are used to grant additional rights: ● File descriptors to directories: expose parts of the file system to the process. ● Sockets: make a process network accessible. ○ File descriptor passing: receive access to even more resources at run-time. ● Process descriptors: replacement for wait()/kill(). File descriptors have permission bitmasks, allowing fine-grained limiting of actions performed on them. 19

  20. Secure web service A web service running on CloudABI could get started with the following file descriptors: ● an AF_INET(6) socket for incoming HTTP requests, ● a read-only file descriptor of a directory, storing the files to be served over the web, ● an append-only file descriptor of a log file. When exploited, an attacker can do little to no damage. 20

  21. Cross-platform support Observation: POSIX becomes tiny if you remove all interfaces that conflict with capability-based security. ● CloudABI only has 58 system calls. Most of them are not that hard to implement. ● Goal: Add support for CloudABI to existing POSIX operating systems. ● Allows reuse of binaries without recompilation. ● Upstream: FreeBSD/arm64 and FreeBSD/x86-64. ● Beta: Linux/x86-64 and NetBSD/x86-64. 21

  22. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 22

  23. Developing CloudABI software Building software for CloudABI manually is not easy: ● Cross compiling is hard, not just for CloudABI. ● Toolchain depends on a lot of components. ● Most projects need to be patched in some way: ○ Removal of capability-unaware APIs breaks the build, which is good! ○ cloudlibc tries to cut down on obsolete/unsafe APIs. Autoconf from before 2015-03 doesn’t support CloudABI. ○ 23

  24. Introducing CloudABI Ports ● Collection of cross compiled libraries and tools. ● Packages are built for FreeBSD, Dragonfly BSD, NetBSD, OpenBSD, Debian and Ubuntu. Native packages, managed through apt-get , pkg . ○ ○ Consistent development environment on all systems. ● Packages don’t contain any native build tools. ○ Should be provided by the native package collection. ● Packages include Boost, cURL, GLib, LibreSSL, Lua. 24

  25. CloudABI Ports in action Install Clang and Binutils from FreeBSD Ports: $ pkg install cloudabi-toolchain Install core libraries from CloudABI Ports: $ vi /etc/pkg/CloudABI.{conf,key} $ pkg update $ pkg install x86_64-unknown-cloudabi-cxx-runtime Build a simple application using Clang and cloudlibc: $ x86_64-unknown-cloudabi-cc -o hello hello.c 25

  26. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 26

  27. Simple CloudABI program: ls #include <dirent.h> #include <stdio.h> int main() { DIR *d = fdopendir(0); FILE *f = fdopen(1, “w”); struct dirent *de; while ((de = readdir(d)) != NULL) fprintf(f, “%s\n”, de->d_name); closedir(d); fclose(f); } 27

  28. Executing our ls through the shell $ x86_64-unknown-cloudabi-cc -o ls ls.c $ kldload cloudabi64 # FreeBSD ≥ 11.0 $ ./ls < /etc . .. fstab rc.conf [...] 28

  29. Isn’t there a better way? Starting processes through the shell feels unnatural: ● The shell cannot (in a portable way) create sockets, shared memory objects, etc. ● How would you know the ordering of the file descriptors that the program expects? ● How do you deal with a variable number of file descriptors? ● You can no longer configure programs through a single configuration file. 29

  30. Introducing cloudabi-run $ cloudabi-run /my/executable < my-config.yaml ● Allows you to start up a CloudABI process with an exact set of file descriptors. ● Merges the concept of program configuration with resource configuration listing. ● Replaces traditional command line arguments by a YAML tree structure. 30

  31. Configuration for a web server hostname: nuxi.nl concurrent_connections: 64 listen: - 148.251.50.69:80 logfile: /var/log/httpd/nuxi.nl.access.log rootdir: /var/www/nuxi.nl 31

  32. Configuration for a web server %TAG ! tag:nuxi.nl,2015:cloudabi/ --- hostname: nuxi.nl concurrent_connections: 64 listen: - !socket bind: 148.251.50.69:80 logfile: !file path: /var/log/httpd/nuxi.nl.access.log rootdir: !file path: /var/www/nuxi.nl 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

T-DOSE, Eindhoven 2015-11-2[89] CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI

2.81k views • 40 slides
CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

NLUUG, Bunnik 2015-05-28 CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Programme What is wrong with UNIX? What is CloudABI? Use cases for CloudABI Links 2 What is wrong with UNIX?

768 views • 30 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix

Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix

Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix like, more or less. Unix is based on what was possible half a century ago Unix is based on what was possible, not what is needed Traditional big

539 views • 28 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or- http://www.cs.rpi.edu/~hollingd/unix -or- Unix in a Nutshell (an OReilly book). 1 Unix Accounts To access a Unix system you need to have an account . Unix

1.05k views • 84 slides
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for

Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for

Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component

480 views • 35 slides
Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

1/19/2010 Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix: tak, the Whitehead Scientific Linux server t k th Whit h d S i tifi Li most important/useful commands &amp; Apply

259 views • 8 slides
K.I.S.S. 1969 Thomson writes interpreter B based on BCPL -- Ritchie improves on B and called it

K.I.S.S. 1969 Thomson writes interpreter B based on BCPL -- Ritchie improves on B and called it

Outline UNIX History UNIX Today? Unix System Programming UNIX Processes and the Login Process Shells: Command Processing, Running Programs The File Introduction The Process System Calls and Library Routines 1 2 Maria

345 views • 10 slides
Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to

Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to

Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to Computer Security Day 11: OS security: higher assurance Assignment debrief and announcements Stephen McCamant University of Minnesota, Computer Science

534 views • 8 slides
Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX)

Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX)

BS1 WS19/20 topic-based slides Interprocess Communication Pipes (UNIX) Sockets (UNIX) Shared Memory (UNIX) Anonymous Pipes (Windows) Named Pipes (Windows) Mailslots (Windows) Windows vs. UNIX 2 Inter-Process

480 views • 24 slides
Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security 01 Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory Analysing Object-Capability Security 02 Cooperation and Vulnerability Much of the power and utility of modern

542 views • 50 slides
Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant OS trust and assurance University

303 views • 9 slides
Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1 Agenda A short history of Unix Login and user accounts access control Instances of general security principles Audit configuration

641 views • 38 slides
Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter 7: Unix Security Chapter 7: 2 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix

667 views • 62 slides
Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future classes Unix history The Unix family of operating systems have been in existence since around 1969. Most folks agree the system that Ken

1.13k views • 57 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides
virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April 2019: rearrange slide order to better match lecture order 23 April 2019: change real page table to shadow page table in some places 23

1.39k views • 113 slides
capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020: add index slides re: cases for priviliged instruction handling and introduction explaining syscalls as special case 1 last time (1) network fjle

1.71k views • 120 slides
Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday, October 22, 13 One-slide summary Secure programming on a conventional OS is intractable Privilege-aware OSs take secure programming from

2.28k views • 195 slides
FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD complete operating system documentation over 30 000 packages a community history history patches to v6 Unix ex/vi, pascal Berkely Software

715 views • 28 slides
pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway

pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway

pkgbase: Are we there yet ? Emmanuel Vadot manu@FreeBSD.org EuroBSDCon Lillehammer, Norway September 19 22, 2019 Who am I Emmanuel Vadot (manu@FreeBSD.Org) FreeBSD user since 2004 FreeBSD src commiter since 2016 FreeBSD

999 views • 78 slides
SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I

SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I

SambaXP Keynote Felix von Leitner, Code Blau GmbH Who are you ? IT Security consultant I run a small consulting company I get paid for ranting So what are we doing here? That is a very good question I fat... lets stat this

1.52k views • 93 slides
B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G

B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G

B S D O p e r a t i n g S y s t e ms F r e d Mo r c o s F H L U G A p r i l 2 0 1 4 C o n t e n t s I n t r o d u c t i o n F r e e B S D H i s t o r y G

491 views • 23 slides

More recommend