connecting the dot dots
play

Connecting the Dot Dots Model Checking Concurrency in Capsicum - PowerPoint PPT Presentation

Aug 30, 2023 •224 likes •548 views

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson Introduction UNIX File System (UFS) Capsicum: practical capabilities for UNIX Whoops, a concurrency

  1. Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson

  2. Introduction • UNIX File System (UFS) • Capsicum: practical capabilities for UNIX • Whoops, a concurrency vulnerability • Model checking file system containment • Conclusions 2

  3. The UNIX File System (UFS) 3

  4. The UNIX file system • Persistent object storage for UNIX • Hierarchical, user-specified name space • Also used for IPC • DAC + MAC ➡ A security API 4

  5. Typical APIs • Open a file for I/O int open(char *path, int flags, ...); • Change directory int chdir(char *path); • Rename a file or directory int rename(char *from, char *to); 5

  6. Looking up a path open("/etc/passwd", O_RDONLY) .. Process root root Root directory etc tmp etc Current working .. .. directory File descriptor array tmp etc etc passwd passwd hard link passwd passwd 6

  7. Capsicum: practical capabilities for UNIX 7

  8. CVEs in Jan-Aug Jan-Aug 2009 Firefox 85 Safari 59 IE 48 Chrome 39 Flash 35 source; Justin Fo n Foster, OWASP 8

  9. Logical applications Kernel Browser process ambient authority UNIX process ambient authority becomes Renderer process Renderer process ... capability mode capability mode Traditional UNIX application Capsicum logical application 9

  10. Hierarchical delegation with capabilities / etc var apache passwd www site1 site2 Apache Apache Apache Worker 1 Worker 2 Logical Application 10

  11. File capabilities .. Process ! root Root directory tmp etc Current working ! .. .. directory File descriptor array tmp etc passwd hard link passwd File capability READ 11

  12. at(2) APIs • Variations accepting directory descriptors: int renameat(int fromfd, char *from, int tofd, char *to); • Avoid intermediate lookup state/costs • Use at(2) calls to delegate directories • Grant rights to objects under capability 12

  13. Directory delegation .. Process ! root Root directory tmp Current working ! .. directory File descriptor array tmp sandbox Directory capability .. ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, foo DELETE, LOOKUP... .. foo bar .. bar 13

  14. Derived capabilities .. Process ! root Root directory tmp Current working ! .. directory File descriptor array tmp sandbox Directory capability .. ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, foo DELETE, LOOKUP... .. ! Directory capability foo ATBASE, FCHDIR, bar FSTAT, CREATE, .. DELETE, LOOKUP... bar 14

  15. Implementing under • Reject at(2) on absolute paths • Reuse existing namei lookup code • Require directory capability argument • If “..” is looked up relative to starting directory, return ENOTCAPABLE 15

  16. A concurrency vulnerability 16

  17. Concurrency • Multiple computational processes execute at the same time and may interact with each other • Concurrency leads to the appearance of non-determinism 17

  18. Concurrency vulnerabilities • When incorrect concurrency management leads to vulnerability • Violation of specifications • Violation of user expectations • Passive - leak information or privilege • Active - allow adversary to extract information, gain privilege, deny service... 18

  19. From concurrency bug to security bug • Vulnerabilities in security-critical interfaces • Races on arguments and interpretation • Atomic “check” and “access” not possible • Data consistency vulnerabilities • Stale or inconsistent security metadata • Security metadata and data inconsistent 19

  20. Concurrency attacks on APIs • System call API bridges “untrusted” userspace and “trusted” kernel • Attacker’s goal to manipulate APIs and trigger security incorrectness in “trusted” implementation • In software, usually done using multiple client threads/processes and system calls, LPCs, or RPCs to a multithreaded server 20

  21. openat(foofd, "bar/../.."); renameat(foofd, "bar", sandboxfd, "bar"); .. Process " root Root directory tmp Current working " .. directory File descriptor array tmp tmp Directory capability .. " ! ATBASE, FCHDIR, sandbox FSTAT, CREATE, DELETE, LOOKUP... " Directory capability foo ATBASE, FCHDIR, bar FSTAT, CREATE, .. DELETE, LOOKUP... bar rename bar .. 21

  22. Concurrency vulnerabilities • Most race conditions are time-of-check-to- time-of-use (TOCTTOU) • This vulnerability is not TOCTTOU • Bisbey 1978 “unexpected concurrency” • Security failure due to programmer not understanding concurrency opportunity 22

  23. The vulnerability • Bypass containment if any writable directory capabilities passed to sandbox • Dual-core notebook required ~100,000 loops to exploit • Exploits non-atomic namespace lookup relative to other operations • A performance feature we can’t remove! 23

  24. Why formal methods? • Serious but subtle concurrency vulnerability with unclear implications • Namespace containment widely used in UNIX; chroot and beyond • Want to show that other combinations of name space calls can’t trigger similar vulnerabilities 24

  25. Model checking • Summary: Clarke, Emerson, Sifakis 2007 Turing Award lecture; Comm ACM 2009 • Finite state machine represents system under analysis • Express safety properties in temporal logic • Exhaustively check model conformance • Common in protocol, hardware verification 25

  26. The goal • Model the relationship between the attacker and the file system implementation • Want to explore all possible interleavings of events the attacker can trigger • Validate critical assertions 26

  27. The model • Selected SPIN model checker • 222-line Promela model of system/attacker • Model a finite set of concurrent processes, each with a limited system call vocabulary • Finite-sized file system (8 nodes); Initial path configuration similar to picture • Assertion: multi-“..” lookups fail 27

  28. Solution space Approach Performance Functionality Security Remove subtree ✔ ✘ ✔ delegation Namespace walk ✘ ✔ ✘ Limit namespace ✔ (NFS: ✘ ) ✘ ✔ concurrency Limit “..” ✔ ✘ ✔ 28

  29. Limitations • Hand-crafted Promela mode - significantly different semantics and implementation from kernel code • Finite process count • Limited system call vocabulary • Limited file system size • Want stronger “can’t name root” assertion 29

  30. Conclusion • Capsicum: practical capabilities for UNIX • Concurrency vulnerability with serious real-world implications for Capsicum • Applied model checking • Improved our confidence in security / performance / functionality trade-off 30

  31. Q&A 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes,

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes,

Topic II.2: Connecting the Dots Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T II.2- 1 T II.2: Connecting the Dots 1. Connecting the Dots 1.1. Intuition & Motivation 1.2. Coherence of

929 views • 41 slides
Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19,

Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19,

Connecting the Dots: Connecting the Dots: Black Lives Matter, Connecting the Dots: COVID-19, Energy Policy, COVID-19, and COVID-19, Energy Policy, Energy Policy and the Role of States and the Role of States Professor Shalanda H. Baker

497 views • 31 slides
Objectives Mission to Care FHA HIIN 1 Chasing Zero Infections - Connecting the Dots to

Objectives Mission to Care FHA HIIN 1 Chasing Zero Infections - Connecting the Dots to

Chasing Zero Infections - Connecting the Dots to Thursday, May 25, 2017 Reduce Patient Harm: Hot Topics in Infection Prevention and Stewardship HOSPITAL IN ACTION SUCCESSFUL STRATEGIES FOR REDUCING C. DIFF Cathy Jaco, RN, MSN, CPHQ, HACP,

407 views • 12 slides
CONNECTING THE DOTS: Research, Educa7on, Innova7on and

CONNECTING THE DOTS: Research, Educa7on, Innova7on and

CONNECTING THE DOTS: Research, Educa7on, Innova7on and Entrepreneurship Dr. Jan Hamrin 23 rd Na7onal NSF EPSCoR Conference Music City Center Nashville, TN

462 views • 14 slides
4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory

4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory

4/3/2014 Function, Literacy, and the Common Core Connecting the Dots The dots The Sensory System The Common Core Curriculum Valuing Literacy The Sensory System Vision Hearing, Vestibular Touch, Proprioception Smell and Taste And THE

269 views • 4 slides
Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M

Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M

Connecting g the D Dots: Moving B Beyond t the Bru Brushstroke to a a Policy-informed M Masterpiece Laquore Meadows, Ph.D., Nicole Debose, Deborah Carney Ohio State University Extension How are we positioned? Urban County Extension

879 views • 13 slides
Connecting the Dots of Innovation with Professor Jeff DeGraff

Connecting the Dots of Innovation with Professor Jeff DeGraff

Connecting the Dots of Innovation with Professor Jeff DeGraff When money gets scarce, competition for it increases. Productivity is no longer enough.

552 views • 51 slides
CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE

CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE

11/17/2016 ECONOMICS AND REVENUE Connecting the Dots CONNECTING THE DOTS Current Events Forecast Revenue Estimate 1 11/17/2016 CONNECTING THE DOTS Current Events Forecast Revenue Estimate CONNECTING THE DOTS Current Events Forecast

126 views • 12 slides
Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for

Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for

Connecting the Dots: Major New England Energy Initiatives Katie Dykes Deputy Commissioner for Energy Raab Roundtable September 30, 2016 Connecticut Department of Energy and Environmental Protection 1 A Few of the Dots RGGI 2016

400 views • 11 slides
Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer

Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer

Track sponsored by AR, VR and Mixed Reality Connecting the Dots Between Retailer and Consumer Goals Jeffrey Neville Senior Vice President and Practice Lead, BRP Consulting @BRPConsulting | #BRPCloudXR | @JefNeville XR - What is the difference

456 views • 12 slides
Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for

Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for

Connecting the Dots with Landmarks : Discriminatively Learning Domain-Invariant Features for Unsupervised Domain Adaptation Boqing Gong University of Southern California Joint work with Kristen Grauman and Fei Sha The perils of mismatched

625 views • 58 slides
Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage

Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage

Connecting t the he D Dots: Working T Togethe her t to I Improve D Diabetes Manage Manageme ment nt Increasing A Access t to D Diabetes S Self- Management E Education Judith G h Gabriele Diabetes P Prevention a and C

558 views • 12 slides
CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC

CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC

CONNECTING THE DOTS: MAKING SENSE OF PARANEOPLASTIC SYNDROMES JP MCGHIE, MEDICAL ONCOLOGIST; BC CANCER, VICTORIA DISCLOSURES I have received speakers honoraria from the following companies: Amgen, Astra-Zeneca, Celgene, Eisai, Ipsen, Roche

908 views • 65 slides
Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work

Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work

Separation, Inverse Optimization, and Decomposition: Connecting the Dots Ted Ralphs 1 Joint work with Aykut Bulut 2 1 COR@L Lab, Department of Industrial and Systems Engineering, Lehigh University 2 The MathWorks, Natick, MA 23 rd Workshop on

556 views • 42 slides
Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs

Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs

Connecting the Dots: Enhancing Global Learning and Engagement in Curricular/Co-Curricular Programs Dr. Jiangyuan (JY) Zhou , Internationalization Specialist Dr. Kaite Yang Assistant Professor of Psychology with Daniel Tom Director of

335 views • 17 slides
Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here

Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here

Tools, Technology, Transition Making it Happen Connecting the dots There is an opportunity here for industry to work with CREDC to accomplish technical goals, and have DOE pay for CREDCs effort What goes into a industry/academic partnership

162 views • 5 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

[c010] Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as Potential Transdermal Penetration Enhancers Katerina Brychtova 1 *, Sylva Dittrichova 1 , Barbora Slaba 1,2 , Lukas Placek 1,2 , Radka

210 views • 6 slides
Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

[E006] Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2- hydroxyethyl)-1,3,5-triazinane-2,4,6-trione and fatty acids Jos Crecente-Campo, Silvia Fernndez-Snchez, Julio A. Seijas,* M. Pilar Vzquez- Tato* Departamento

162 views • 5 slides
Progressing through and reaching beyond boundaries in entrepreneurship education Research

Progressing through and reaching beyond boundaries in entrepreneurship education Research

Progressing through and reaching beyond boundaries in entrepreneurship education Research workshop on Entrepreneurship Education 27 November, 1200-1600 Speakers Professor David Rae, Director, CEI Dr Elena Ruskovaara, Director of

928 views • 53 slides
Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday,

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday, October 22, 13 One-slide summary Secure programming on a conventional OS is intractable Privilege-aware OSs take secure programming from

2.28k views • 195 slides
capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020: add index slides re: cases for priviliged instruction handling and introduction explaining syscalls as special case 1 last time (1) network fjle

1.71k views • 120 slides
virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April 2019: rearrange slide order to better match lecture order 23 April 2019: change real page table to shadow page table in some places 23

1.39k views • 113 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides

More recommend