cloudabi safe testable and maintainable software for unix
play

CloudABI: safe, testable and maintainable software for UNIX - PowerPoint PPT Presentation

Nov 03, 2023 •2.33k likes •2.81k views

T-DOSE, Eindhoven 2015-11-2[89] CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI

  1. T-DOSE, Eindhoven 2015-11-2[89] CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

  2. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 2

  3. What is wrong with UNIX? UNIX is awesome, but in my opinion: ● it doesn’t stimulate you to run software securely. ● it doesn’t stimulate you to write reusable and testable software. ● system administration doesn’t scale. 3

  4. UNIX security problem #1 A web service only needs to interact with: ● incoming network connections for HTTP requests, ● optional: a directory containing data files, ● optional: database backends. In practice, an attacker can: ● create a tarball of all world-readable data under / , ● register cron jobs, ● spam TTYs using the write tool, ● turn the system into a botnet node. 4

  5. Access controls: AppArmor In my opinion not a real solution to the problem: ● Puts the burden of securing applications on package maintainers and end users. ● Application configuration can easily get out of sync with security policy. ● Common solution if security policy doesn’t work: disable AppArmor. 5

  6. Capabilities: Capsicum Technique available on FreeBSD to sandbox software: 1. Program starts up like a regular UNIX process. 2. Process calls cap_enter() . ○ Process can interact with file descriptors. read() , write() , accept() , openat() , etc. ○ Process can’t interact with global namespaces. open() , etc. will return ENOTCAPABLE . Used by dhclient , hastd , ping , sshd , tcpdump , and various other programs. 6

  7. Experiences using Capsicum ● Capsicum is awesome! It works as advertised. Other systems should also support it. ● Code isn’t designed to have system calls disabled. ○ FreeBSD’s C libraries: timezones, locales unusable. Various libraries: non-random PRNG. ○ ○ Heisenbugs, Mandelbugs and Hindenbugs. ● ‘Capsicum doesn’t scale’. ○ Porting small shell tools to Capsicum is easy. Porting applications that use external libraries becomes ○ exponentially harder. 7

  8. UNIX security problem #2 Untrusted third-party applications: ● Executing them directly: extremely unsafe. ● Using Jails, Docker, etc.: still quite unsafe. ● Inside a VM: safe, but slow. Why can’t UNIX just safely run third-party executables directly? Wasn’t the operating system intended to provide isolation? 8

  9. Reusability and testability Claim: UNIX programs are hard to reuse and test. 9

  10. Reuse and testing in Java #1 class WebServer { private Socket socket; private String root; WebServer() { this.socket = new TCPSocket(80); this.root = “/var/www”; } } 10

  11. Reuse and testing in Java #2 class WebServer { private Socket socket; private String root; WebServer(int port, String root) { this.socket = new TCPSocket(port); this.root = root; } } 11

  12. Reuse and testing in Java #3 class WebServer { private Socket socket; private Filesystem root; WebServer(Socket socket, Filesystem root) { this.socket = socket; this.root = root; } } 12

  13. Reusability and testability UNIX programs are similar to the first two examples: ● Parameters are hardcoded. ● Parameters are specified in configuration files stored at hard to override global locations. ● Resources are acquired on behalf of you, instead of allowing them to be passed in. Dependencies are not injected. A double standard, compared to how we write code. 13

  14. Reusable and testable web server #include <sys/socket.h> #include <unistd.h> int main() { int fd; while ((fd = accept(0, NULL, NULL)) >= 0) { const char buf[] = “HTTP/1.1 200 OK\r\n” “Content-Type: text/plain\r\n\r\n” “Hello, world\n”; write(fd, buf, sizeof(buf) - 1); close(fd); } } 14

  15. Reusable and testable web server Web server is reusable: ● Web server can listen on any address family (IPv4, IPv6), protocol (TCP, SCTP), address and port. ● Spawn more on the same socket for concurrency. Web server is testable: ● It can be spawned with a UNIX socket. Fake requests can be sent programmatically. 15

  16. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 16

  17. Introducing CloudABI A new UNIX-like runtime environment that allows you to more easily develop: ● software that is better protected against exploits, ● software that is reusable and testable, ● software that can be deployed at large scale. In a nutshell: POSIX + Capsicum always enabled - conflicting APIs. 17

  18. Default rights By default, CloudABI processes can only perform actions that have no global impact: ● They can allocate memory, create pipes, socket pairs, shared memory, etc. ● They can spawn threads and subprocesses. ● They can interact with clocks (gettimeofday, sleep). ● They cannot open paths on disk. ● They cannot create network connections. ● They cannot observe the global process table. 18

  19. Additional rights: file descriptors File descriptors are used to grant additional rights: ● File descriptors to directories: expose parts of the file system to the process. ● Sockets: make a process network accessible. ○ File descriptor passing: receive access to even more resources at run-time. ● Process descriptors: handles to processes. File descriptors have permission bitmasks, allowing fine-grained limiting of actions performed on them. 19

  20. Secure web service Consider a web service running on CloudABI that gets started with the following file descriptors: ● a socket for incoming HTTP requests, ● a read-only file descriptor of a directory, storing the files to be served over the web, ● an append-only file descriptor of a log file. When exploited, an attacker can do little to no damage. 20

  21. Cross-platform support Observation: UNIX ABI becomes tiny if you remove all interfaces that conflict with capability-based security. ● CloudABI only has 58 system calls. Most of them are not that hard to implement. ● Goal: Add support for CloudABI to existing UNIX- like operating systems. ● Allows reuse of binaries without recompilation. ● Mature: FreeBSD and NetBSD, ARM64 and x86-64 ● Experimental: Linux 21

  22. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 22

  23. Developing CloudABI software Building software for CloudABI manually is not easy: ● Cross compiling is hard, not just for CloudABI. ● Toolchain depends on a lot of components. ● Most projects need to be patched in some way: ○ Removal of capability-unaware APIs breaks the build, which is good! ○ cloudlibc tries to cut down on obsolete/unsafe APIs. Autoconf from before 2015-03 doesn’t support CloudABI. ○ 23

  24. Introducing CloudABI Ports ● Collection of cross compiled libraries and tools. ● Packages are built for FreeBSD, Dragonfly BSD, NetBSD, OpenBSD, Debian and Ubuntu. Native packages, managed through apt-get , pkg . ○ ○ Contents are identical, except for installation prefix ( /usr vs. /usr/local vs. /usr/pkg ). ○ Consistent development environment on all systems. ● Packages don’t contain any native build tools. ○ Should be provided by the native package collection. ● Packages include Boost, cURL, GLib, LibreSSL, Lua. 24

  25. CloudABI Ports in action Install Clang and Binutils from FreeBSD Ports: $ pkg install cloudabi-toolchain Install core libraries from CloudABI Ports: $ vi /etc/pkg/CloudABI.{conf,key} $ pkg update $ pkg install x86_64-unknown-cloudabi-cxx-runtime Build a simple application using Clang and cloudlibc: $ x86_64-unknown-cloudabi-cc -o hello hello.c 25

  26. Overview ● What’s wrong with UNIX? ● Introducing CloudABI ● Developing CloudABI software ● Starting CloudABI processes ● Use cases for CloudABI 26

  27. Simple CloudABI program: ls #include <dirent.h> #include <stdio.h> int main() { DIR *d = fdopendir(0); FILE *f = fdopen(1, “w”); struct dirent *de; while ((de = readdir(d)) != NULL) fprintf(f, “%s\n”, de->d_name); closedir(d); fclose(f); } 27

  28. Executing our ls through the shell $ x86_64-unknown-cloudabi-cc -o ls ls.c $ kldload cloudabi64 # FreeBSD ≥ 11.0 $ ./ls < /etc . .. fstab rc.conf [...] 28

  29. Isn’t there a better way? Starting processes through the shell feels unnatural: ● The shell cannot (in a portable way) create sockets, shared memory objects, etc. ● How would you know the ordering of the file descriptors that the program expects? ● How do you deal with a variable number of file descriptors? ● You can no longer configure programs through a single configuration file. 29

  30. Introducing cloudabi-run $ cloudabi-run /my/executable < my-config.yaml ● Allows you to start up a CloudABI process with an exact set of file descriptors. ● Merges the concept of program configuration with resource configuration listing. ● Replaces traditional command line arguments by a YAML tree structure. 30

  31. Configuration for a web server hostname: nuxi.nl concurrent_connections: 64 listen: - 148.251.50.69:80 logfile: /var/log/httpd/nuxi.nl.access.log rootdir: /var/www/nuxi.nl 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl

NLUUG, Bunnik 2015-05-28 CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten, ed@nuxi.nl Programme What is wrong with UNIX? What is CloudABI? Use cases for CloudABI Links 2 What is wrong with UNIX?

768 views • 30 slides
CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI processes Use

849 views • 40 slides
Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge

Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge

Maintainable Software Software Engineering Andreas Zeller, Saarland University The Challenge Software may live much longer than expected Software must be continuously adapted to a changing environment Maintenance takes 5080%

1.64k views • 85 slides
How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software that has fewer bugs Focus on non-safety-critical software Great techniques developed by formal methods, programming languages and

454 views • 41 slides
the Unix Philosophy still matters Make you think markus schnalke &lt;meillo@marmaro.de&gt;

the Unix Philosophy still matters Make you think markus schnalke &lt;meillo@marmaro.de&gt;

Goals of this talk Introduce the Unix Phil Show that most modern software is crap Explain why the Unix Phil leads to good/better software Why Convince you that good software is of matter the Unix Philosophy still matters

536 views • 9 slides
WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past

WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past

WRITING MAINTAINABLE AND PERFORMANT JS FOR DRUPAL Who am I? Backend developer in past Drupal Frontend developer now Senior Software Engineer at @sergesemashko sergey.semashko What is maintainable JS? Intuitive/Readable

1.11k views • 43 slides
Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or- http://www.cs.rpi.edu/~hollingd/unix -or- Unix in a Nutshell (an OReilly book). 1 Unix Accounts To access a Unix system you need to have an account . Unix

1.05k views • 84 slides
Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

1/19/2010 Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix: tak, the Whitehead Scientific Linux server t k th Whit h d S i tifi Li most important/useful commands &amp; Apply

259 views • 8 slides
the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk

the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk

Why the Unix Philosophy still matters markus schnalke &lt;meillo@marmaro.de&gt; Goals of this talk Introduce the Unix Phil Show that most modern software is crap Explain why the Unix Phil leads to good/better software

520 views • 36 slides
Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future classes Unix history The Unix family of operating systems have been in existence since around 1969. Most folks agree the system that Ken

1.13k views • 57 slides
CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010

CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010

CSE2031 Software Tools - UNIX introduction Przemyslaw CSE2031 Software Tools - UNIX introduction Pawluk presented by Shakil Khan Summer 2010 Introduction to UNIX UNIX Shells Commands Overview Przemyslaw Pawluk grep family presented

533 views • 36 slides
The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is

The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is

The Unix Operating System SE 101 Spiros Mancoridis What is an OS? An operating system (OS) is software that manages the resources of a computer Like most managers, the OS aims to manage its resources in a safe and efficient way Examples of

848 views • 50 slides
Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to

Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to

Quality Attributes (QA) A QA is a measureable or testable property of a system that is used to indicate how well the system satisfies the needs of its stakeholders. (SAiP p.63) Some material in these slides is adapted from Software

378 views • 10 slides
Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of Secure Software Systems Project 1 expectations Day 8: Unix Access Control Unix permissions basics Stephen McCamant Exercise: using Unix

874 views • 6 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides
Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany

Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany

Safe Automotive soFtware architEcture (SAFE) Co-summit 2015, 10-11 March 2015, Berlin - Germany Dr. Stefan Voget Agenda SAFE Motivation makes Functional safety safe SAFE in SAFE and the project standardization landscape 2 SAFE

569 views • 20 slides
Unix Network Programming The socket struct and data handling System calls Based on Beej's Guide

Unix Network Programming The socket struct and data handling System calls Based on Beej's Guide

Introduction to Computer Networks Polly Huang EE NTU Unix Network Programming The socket struct and data handling System calls Based on Beej's Guide to Network Programming 1 The Unix Socket A file descriptor really The Unix fact

575 views • 18 slides
Operating System Labs Yuanbin Wu cs@ecnu Announcement Project 0 due 21:00, Sep. 27

Operating System Labs Yuanbin Wu cs@ecnu Announcement Project 0 due 21:00, Sep. 27

Operating System Labs Yuanbin Wu cs@ecnu Announcement Project 0 due 21:00, Sep. 27 Operating System Labs Introduction of I/O operations Project 0b Sorting Operating System Labs Manipulate I/O System call File

804 views • 41 slides
Evaluating storage APIs for QEMU Anthony Liguori aliguori@us.ibm.com Open Virtualization

Evaluating storage APIs for QEMU Anthony Liguori aliguori@us.ibm.com Open Virtualization

Evaluating storage APIs for QEMU Anthony Liguori aliguori@us.ibm.com Open Virtualization IBM Linux Technology Center Linux Plumbers Conference 2009 Linux is a registered trademark of Linus Torvalds. The V-Word QEMU is used by Xen and

777 views • 52 slides
System-Level I/O Today Working with Unix files Standard I/O Conclusions Chris Riesbeck, Fall

System-Level I/O Today Working with Unix files Standard I/O Conclusions Chris Riesbeck, Fall

System-Level I/O Today Working with Unix files Standard I/O Conclusions Chris Riesbeck, Fall 2011 Original: Fabian Bustamante Sunday, November 20, 2011 A typical hardware system CPU chip register file ALU system bus memory bus main

501 views • 34 slides
kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process

kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process

Process Process A B kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process Process A B signal(SIGINT, func) Process Process A B kill Run fun signal handler! Terminate process Generate Core

506 views • 23 slides
Files and Streams File Directories File Directory A set of files and other (sub)directories

Files and Streams File Directories File Directory A set of files and other (sub)directories

Files and Streams File Directories File Directory A set of files and other (sub)directories Principle function: help people find their way around data on a system Implementation Directories are stored as additional files OS maintains a file

486 views • 9 slides
IT 1100 : Introduction to Operating Systems Chapter 12 Text Editors There are two types of text

IT 1100 : Introduction to Operating Systems Chapter 12 Text Editors There are two types of text

IT 1100 : Introduction to Operating Systems Chapter 12 Text Editors There are two types of text editors: GUI based and Text based. GUI based editors only work on GUI based systems. Text based editors work on both GUI and CLI systems. Text

484 views • 3 slides
TAGSPACES Free your health data from the tracking apps and devices! (or how to use your files

TAGSPACES Free your health data from the tracking apps and devices! (or how to use your files

TAGSPACES Free your health data from the tracking apps and devices! (or how to use your files system as a database) by Ilian Sapundshiev @ilianste Munich QS Meetup at [20140320] TABLE OF CONTENT Motivation Envisioned Solution

654 views • 29 slides

More recommend