CAPSICUM: Practical capabilities for UNIX

19th USENIX Security Symposium, 11 August 2010, Washington, DC

Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway
Google UK Ltd, FreeBSD Project, University of Cambridge

Introduction

* Capsicum: hybrid UNIX/capability operating system
* Requirements of complex, security-aware applications
* Why MAC isn't quite what we want
* Capsicum's Capability Mode and Capabilities
* Interactions between applications and sandboxing
* Building on Capsicum

Paradigm shift... change is coming here

* Multi-user machines → multi-machine users
* "Applications" frame competing interests
* Thin client one point of confluence
* DAC/MAC-centric access control → sandboxing
* Application security rather than OS security
* Primitives for mapping distributed to local security domains

CVEs in Jan-Aug 2009

| Application | CVEs |
|---|---|
| Firefox | 85 |
| Safari | 59 |
| IE | 48 |
| Chrome | 39 |
| Flash | 35 |

Source: Justin Foster, OWASP

Microkernels to compartmentalisation

[Figure: 1980's: a monolithic OS kernel (VFS, Net, ...) beside an OS microkernel with bash, emacs, VFS and Net as separate components; 2000's: sshd with its SSH session and crypto/compress in one process beside a compartmentalised sshd in which the SSH session and crypto/compress run as separate processes on the OS kernel.]

What about MAC?

| | Type Enforcement (TE) | What we need |
|---|---|---|
| Interests of | Administrator | User or application |
| Sandbox creation | Administrator modifies global policy | On demand without using privilege |
| Policy source | Access control rules in global policy files | Embedded in applications, from UI |

Application-driven rights delegation

[Figure: a logical application made up of Apache and Apache Worker 1 and Apache Worker 2, with rights delegated into a file-system tree: /etc (apache, passwd) and var (www: site1, site2).]

Capability systems

* A capability is an unforgeable token of authority.
* Supports delegation-centric access control.

Where to start?

* Production monolithic systems (UNIX, Linux, Windows, Mac OS X)
  * ✗ Monolithic kernel security model
  * ✓ Real application stack today
* Research capability systems (EROS (CapROS), CoyotOS)
  * ✓ Least privilege design
  * ✗ No extant application stack
* Hybrid approach: immediate security benefits with a long-term capability system vision

Logical applications in Capsicum

[Figure: a traditional UNIX application (one UNIX process with ambient authority, on the kernel) becomes a Capsicum logical application: a browser process with ambient authority plus renderer processes running in capability mode, all on the kernel.]

Capability mode

* New system call cap_enter sets inherited credential flag
* Global OS name spaces restricted: only delegated rights available
* Interface thinning and other constraints on system calls

[Figure: the system calls read, write, open, openat and fexecve under ambient authority, all reaching lookup(), compared with capability mode, where path-based open is blocked and only the descriptor-relative calls (openat, fexecve, read, write) pass.]

Capabilities

* Capabilities refine open flags on file descriptors
* cap_new on a capability further restricts access; no chains
* Inherited across fork/exec or passed via sockets
* Directory capabilities allow subtree delegation

[Figure: process file descriptors 8, 10, 14, ...: fd 8's struct file refers to a struct vnode; fd 10's struct file refers to a struct capability with mask = READ | WRITE; fd 14's struct file refers to a struct capability with mask = READ.]
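As an added example (not code from the slides or from Capsicum itself), the following C model replays the refinement rules on this slide: a capability created with cap_new can only narrow the rights its source already holds, and the new entry refers to the underlying file object rather than to the parent capability, so no chains form. It simplifies the kernel picture by pointing capabilities at the vnode directly; the names model_open, model_cap_new, model_check and demo are constructed, and ENOTCAPABLE is defined locally on platforms that lack it.

```c
#include <errno.h>
/* Constructed model of the slide's capability-refinement rules; not Capsicum's own code. */
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93 /* FreeBSD's errno value, supplied here for other platforms */
#endif
enum { CAP_READ = 1u << 0, CAP_WRITE = 1u << 1, CAP_SEEK = 1u << 2, CAP_FSTAT = 1u << 3 };
#define ALL_RIGHTS (CAP_READ | CAP_WRITE | CAP_SEEK | CAP_FSTAT)
#define MAXFD 16
struct vnode { const char *name; };
/* fd table entry: plain struct file (is_cap 0, all rights) or struct capability with a mask */
struct file { struct vnode *vp; unsigned mask; int is_cap; };
static struct file pool[MAXFD], *fdtable[MAXFD];
static int alloc_fd(struct vnode *vp, unsigned mask, int is_cap) {
    for (int fd = 0; fd < MAXFD; fd++) {
        if (fdtable[fd]) continue;
        pool[fd] = (struct file){ vp, mask, is_cap };
        fdtable[fd] = &pool[fd];
        return fd;
    }
    errno = EMFILE; return -1;
}
/* Ambient-authority open(): only available before cap_enter; yields an unrestricted fd. */
int model_open(struct vnode *vp) { return alloc_fd(vp, ALL_RIGHTS, 0); }
/* cap_new(fd, mask): may only narrow the rights the source fd already holds.
 * The new entry references the vnode, not the parent capability: no chains. */
int model_cap_new(int fd, unsigned mask) {
    if (fd < 0 || fd >= MAXFD || !fdtable[fd]) { errno = EBADF; return -1; }
    if (mask & ~fdtable[fd]->mask) { errno = ENOTCAPABLE; return -1; }
    return alloc_fd(fdtable[fd]->vp, mask, 1);
}
/* Rights check the kernel applies per operation, e.g. write() requires CAP_WRITE. */
int model_check(int fd, unsigned need) {
    if (fd < 0 || fd >= MAXFD || !fdtable[fd]) { errno = EBADF; return -1; }
    if ((fdtable[fd]->mask & need) != need) { errno = ENOTCAPABLE; return -1; }
    return 0;
}
/* Replays the slide's picture: an unrestricted fd, a READ|WRITE capability on it,
 * then a READ capability derived from that. Returns how many rules held (5). */
int demo(void) {
    static struct vnode log = { "log" };
    int fd = model_open(&log), rw = model_cap_new(fd, CAP_READ | CAP_WRITE);
    int ro = model_cap_new(rw, CAP_READ), ok = 0;
    ok += model_check(rw, CAP_WRITE) == 0;              /* rw may write */
    ok += model_check(ro, CAP_WRITE) == -1;             /* ro may not */
    ok += model_cap_new(ro, CAP_WRITE) == -1;           /* rights cannot be regained */
    ok += model_cap_new(ro, CAP_READ | CAP_SEEK) == -1; /* nor widened */
    ok += fdtable[ro]->vp == fdtable[fd]->vp;           /* no chain: vnode referenced directly */
    return ok;
}
```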

Possible application

* Setup: read user input, open files, prepare work loop
* Work: do work, read/write on files

System call API

* Setup (ambient authority): read user input, open files, prepare work loop
* cap_enter
* Work (capability mode): do work, read/write on files

Interactive applications

* Setup: read user input, open files, prepare work loop
* Work: do work, read/write on files

libcapsicum API

* Setup (ambient authority): read user input, open files, prepare work loop
* lc_start
* Work (ambient authority): read user input, open files
* Work (capability mode): do work, read/write on files

Adapted applications

| Program | Approach | Changes |
|---|---|---|
| tcpdump | cap_enter | Enter for parse/render work loop |
| dhclient | cap_enter | Reinforce existing chroot/setuid privilege separation |
| gzip | libcapsicum | Open files with ambient authority, pass capabilities to sandbox |
| Chromium | cap_enter | Sandbox JavaScript and HTML processing in renderer processes |

tcpdump
@@ -1197,6 +1199,14 @@ (void)fflush(stderr); } #endif /* WIN32 */+ if (lc_limitfd(STDIN_FILENO, CAP_FSTAT) < 0)+ error("lc_limitfd: unable to limit STDIN_FILENO");+ if (lc_limitfd(STDOUT_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0)+ error("lc_limitfd: unable to limit STDIN_FILENO");+ if (lc_limitfd(STDERR_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0)+ error("lc_limitfd: unable to limit STDERR_FILENO");+ if (cap_enter() < 0)+ error("cap_enter: %s", pcap_strerror(errno)); status = pcap_loop(pd, cnt, callback, pcap_userdata); if (WFileName == NULL) {
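Review bot: the error message for the STDOUT_FILENO lc_limitfd call repeats the STDIN_FILENO text ("lc_limitfd: unable to limit STDIN_FILENO"), so a failure on stdout would be reported against stdin; change it to "unable to limit STDOUT_FILENO". The three lc_limitfd messages would also be more useful with the errno string appended, as the cap_enter branch already does with pcap_strerror(errno).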

Chromium sandboxing

| OS | Model | Sandbox | LoC | FS | IPC | NET | S⊂S | Priv |
|---|---|---|---|---|---|---|---|---|
| Windows | DAC | ACLs | 22,350 | ⚠ | ⚠ | ✗ | ✗ | ✓ |
| Linux | DAC | chroot() | 600 | ✓ | ✗ | ✗ | ✓ | ✗ |
| Mac OS X | MAC | Sandbox | 560 | ✓ | ⚠ | ✓ | ✓ | ✓ |
| Linux | MAC | SELinux | 200 | ✓ | ⚠ | ✓ | ✗ | ✗ |
| Linux | Cap | seccomp | 11,300 | ⚠ | ✓ | ✓ | ✓ | ✓ |
| FreeBSD | Cap | Capsicum | 100 | ✓ | ✓ | ✓ | ✓ | ✓ |

✓ = supported, ⚠ = partial, ✗ = not supported

Building on Capsicum

* Assisted compartmentalisation (static, dynamic analysis)
* Critical network services: routing daemon, etc.
* Monolithic applications: OpenOffice.org, KDE...
* Distributed domains → local domains: browsers, databases...
* Gesture-Based Access Control (GBAC)
* Power boxes, "drag and drop" → assign capabilities

Conclusion

* Multi-user security → compartmentalised applications
* Capsicum APIs faster, cleaner, and more secure
* Delegation-centric approach to granular policy
* Avoid policy dual-coding, no privilege requirement
* Supplement rather than replace DAC and MAC
* API/semantics + prototype on FreeBSD 9.x, 8.x backport
* Linux/ChromeOS port in progress at Google

Questions?

* http://www.cl.cam.ac.uk/research/security/capsicum/