landlock lsm toward unprivileged sandboxing
play

Landlock LSM: toward unprivileged sandboxing Micka el Sala un - PowerPoint PPT Presentation

Jan 05, 2023 •175 likes •789 views

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

  1. Landlock LSM: toward unprivileged sandboxing Micka¨ el Sala¨ un ANSSI September 14, 2017 1 / 21

  2. Secure user-space software How to harden an application? ◮ secure development ◮ follow the least privilege principle ◮ compartmentalize exposed processes 2 / 21

  3. Secure user-space software How to harden an application? ◮ secure development ◮ follow the least privilege principle ◮ compartmentalize exposed processes Multiple sandbox uses ◮ built-in sandboxing (tailored security policy) ◮ sandbox managers (unprivileged and dynamic compartmentalization) ◮ container managers (hardened containers) 2 / 21

  4. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . �

  5. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼

  6. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼ Landlock � � � Tailored access control to match your needs: programmatic access control 3 / 21

  7. What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux. . . � seccomp-bpf � � namespaces � ∼ Landlock � � � Tailored access control to match your needs: programmatic access control Example Run an application allowed to write only on a terminal. 3 / 21

  8. Landlock overview 4 / 21

  9. Landlock: patch v7 ◮ a minimum viable product ◮ a stackable LSM ◮ using eBPF ◮ focused on filesystem access control 5 / 21

  10. The Linux Security Modules framework (LSM) LSM framework ◮ allow or deny user-space actions on kernel objects ◮ policy decision and enforcement points ◮ kernel API: support various security models ◮ 200+ hooks: inode permission , inode unlink , file ioctl . . . 6 / 21

  11. The Linux Security Modules framework (LSM) LSM framework ◮ allow or deny user-space actions on kernel objects ◮ policy decision and enforcement points ◮ kernel API: support various security models ◮ 200+ hooks: inode permission , inode unlink , file ioctl . . . Landlock ◮ rule: control an action on an object ◮ event: use of a kernel object type (e.g. file) ◮ action: read, write, execute, remove, IOCTL. . . 6 / 21

  12. Life cycle of a Landlock rule 7 / 21

  13. Landlock rule example ◮ read-only access to the filesystem... ◮ ...but allowed to write on TTY and pipes ◮ rule enforced on each filesystem access request 8 / 21

  14. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  15. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  16. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  17. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  18. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  19. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  20. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  21. Landlock rule example SEC("landlock1") 1 2 int landlock_fs_rule1( struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) || S_ISFIFO(mode)) 13 return 0; return 1; 14 15 } 8 / 21

  22. extended Berkeley Packet Filter In-kernel virtual machine ◮ safely execute code in the kernel at run time ◮ widely used in the kernel: network filtering, seccomp-bpf, tracing. . . ◮ can call dedicated functions ◮ can exchange data through maps between eBPF programs and user-space 9 / 21

  23. extended Berkeley Packet Filter In-kernel virtual machine ◮ safely execute code in the kernel at run time ◮ widely used in the kernel: network filtering, seccomp-bpf, tracing. . . ◮ can call dedicated functions ◮ can exchange data through maps between eBPF programs and user-space Static program verification at load time ◮ memory access checks ◮ register typing and tainting ◮ pointer leak restrictions ◮ execution flow restrictions 9 / 21

  24. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  25. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  26. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  27. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  28. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  29. Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2 .landlock_rule = { 3 .event = LANDLOCK_EVENT_FS, 4 .ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; union bpf_attr attr = { 7 8 .insns = bytecode_array, 9 .prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10 .prog_subtype = &metadata, 11 // [...] }; 12 int rule_fd = bpf(BPF_PROG_LOAD, &attr, sizeof (attr)); 13 10 / 21

  30. Loading a rule in the kernel 10 / 21

  31. Applying a rule to a process 1 seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &rule_fd); 11 / 21

  32. Applying a rule to a process 11 / 21

  33. Applying a rule to a process 11 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa

Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa

Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Brito, P. L., et al. Empowering Brazilian Unprivileged Communities with High Geotechnological Tools Patricia Lustosa Brito*, Daniel Nadier Cavalcanti Reis*,

347 views • 20 slides
Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz http://www.batchgeo.com Remote Sandboxing? Students' interpreters g r a d e . r k t 1 6 0 0 t i m e s ? Students' interpreters g r a d e

446 views • 15 slides
Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model

Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model

TM Smart NICs Ian Pratt Smart L2 NIC features Privileged/unprivileged NIC driver model Free/rx/tx descriptor queues into guest Packet demux and tx enforcement Validation of frag descriptors TX QoS CSUM offload / TSO / LRO

714 views • 7 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU Computing NVIDIA Beyond video games AUTONOMOUS MACHINES VIRTUAL REALITY SCIENTIFIC COMPUTING MACHINE LEARNING GPU COMPUTING 2 Infrastructure at

669 views • 28 slides
arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to access system memory . Meltdown takes advantage of speculative execution , in particular its ability to meltdown security barrier

369 views • 8 slides
Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io

394 views • 12 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented by: Ashwin Chaugule 26th Sept 2008 Area Systems security: Application Virtualization USENIX 08 - Best Student Paper Source code:

427 views • 28 slides
Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder anup@invincea.com www.invincea.com Research Professor Center for Secure Information Systems George Mason University May 2010 The User IS the

479 views • 20 slides
Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class fjnal exam review 2 CHALLENGE (1) expect to release before Saturday; due by written fjnal probably complete all but two fjve of seven or four of

848 views • 66 slides
Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood University of Wisconsin-Madison Presented by : Yash Bhalgat, Arun Subramaniyan Key Id Ideas and goals Sharing memory between host and

596 views • 21 slides
Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda

Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda

FOSDEM (Feb 3, 2019) Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user Akihiro Suda / NTT (@_AkihiroSuda_) Giuseppe Scrivano / Red Hat (@gscrivano) 1 Who are we? Akihiro Suda Giuseppe Scrivano Software

552 views • 23 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda Reverse Engineering Primer Approaches to Dynamic Analysis Inline Hooks Advantages Over Other Techniques Usages 2 Reverse Engineering

379 views • 19 slides
Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at

Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca The goal of cybersecurity Make sure that systems work as intended The goal of cybersecurity Make sure that systems work as

824 views • 45 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Application access to directories opening Pandoras box Victoriano Giralt Central Computing

Application access to directories opening Pandoras box Victoriano Giralt Central Computing

The problem The cure The solution Application access to directories opening Pandoras box Victoriano Giralt Central Computing Facility University of Mlaga A November 5th, 2008 Victoriano Giralt Application access to

1.11k views • 78 slides
Design and Architectural Principles Internet Security [1] VU Engin Kirda

Design and Architectural Principles Internet Security [1] VU Engin Kirda

Design and Architectural Principles Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at News from the Lab Challenge 4 will be announced today (16:00) after the lecture E-Mail

384 views • 34 slides
Risk Management Who I Am B.S. Business Administration MIS Master of Business

Risk Management Who I Am B.S. Business Administration MIS Master of Business

Risk Management Who I Am B.S. Business Administration MIS Master of Business Administration (MBA) Information Assurance Consulting SFS Scholar School of Nursing Graduate Assistant Security Development

446 views • 27 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give

Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give

Cloud Security An IAM GAME Nathaniel Beckstead whoami I am here because I love to give presentations. @scriptingislife https:/ /scriptingis.life https:/ /glimpseid.com 2 What is the cloud? 3 What is the cloud? 4 What is the cloud? 5

1.12k views • 32 slides
Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1.

Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1.

Introduction to Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1. Homework 1 is due next Wednesday! Remember that Monday is a holiday, so no office hours 2. Remember to start forming final project

877 views • 48 slides

More recommend