CS 626 - March : Capsicum: Practical Capabilities for UNIX
  1. Capsicum: Practical Capabilities for UNIX
     Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway
     Presented by: Ruchith Fernando, CS 626, March 8, 2011
  2. Context
     ● Multiple processes of an application
     ● Ambient user privileges
     ● Full power of the user
        ● Access to all resources
  3. Browser
     (diagram slide)
  4. Browser
     (diagram: the browser process with ambient access to /home/bob/.browser_settings/, /home/bob/personal/, /home/bob/work/, /bin/, /proc/ and /dev/ on the Operating System)
  5. Least Privilege
  6. Application Sandboxing (Compartmentalization)
  7. Problem Statement
     ● How can the OS support application sandboxing?
     ● Minimize the effort by the developers?
     ● Better performance compared to other techniques.
  8. Contribution
     ● API extensions to break down application code
        ● Run them in sandboxes
        ● Logical application
     ● Implementation – FreeBSD
        ● To be included in version 9
     ● Application of the extensions
     ● Performance evaluation
  9. Main Idea
     ● API extensions
     ● libcapsicum
        ● Capability mode
        ● Capabilities
  10. Capability Mode
     ● No access to global namespaces
        ● Process ID, file paths, file system ID, system clocks, etc.
     ● Restricted access to some syscalls
        ● sysctl (only 30 params are allowed)
        ● shm_open
        ● openat …
     ● No privilege elevation via setuid/setgid
  11. Capabilities
     ● Wraps normal file descriptors
     ● cap_new(FD, mask_of_rights);
     ● 60 possible mask rights
        ● CAP_READ
        ● CAP_WRITE
        ● CAP_SEEK
        ● ...
     ● Directories
  12. Implementation
     ● At kernel services
     ● namei – path lookups
     ● fget – file descriptors to struct file refs
     ● pdfork() – returns a file descriptor
     ● Runtime
        ● fexecve()
        ● rtld-elf-cap – capability-aware linker
        ● fdlists – to declare capabilities to be passed in
  13. Can we use it?
  14. Debugging
     ● procstat
        ● State of running processes
        ● Shows
           – capability mode
           – capability rights masks
     ● Missing dependencies
        ● ENOTCAPABLE – new errno value
     ● API to check whether sandboxing is enabled
  15. tcpdump
     ● cap_enter()
     ● Restricting access to STDIN, STDOUT, STDERR using lc_limitfd()
     ● Problem with lazy DNS resolution
        ● Need to access /etc/resolv.conf
  16. dhclient
     ● Before: chroot + setuid
     ● Now: cap_enter()
     ● Problems
        ● Holds write access to the lease db
        ● Can submit msgs to logs
  17. gzip
     ● Three core functions
     ● Passed input and output capabilities (FDs)
     ● CAP_READ, CAP_WRITE, CAP_SEEK
     ● pdfork() and fexecve()
     ● Changes were small (406 LOC) but non-trivial (16%)
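The sandboxing pattern from the Capability Mode, Capabilities, Debugging and gzip slides, as an added example that is not part of the original deck or of FreeBSD's own sources: the input and output files are opened before sandboxing, each descriptor is limited to the rights the compressor needs, then cap_enter() is called and the compartment is probed to confirm that path lookups fail with ECAPMODE and out-of-rights operations fail with ENOTCAPABLE. It assumes FreeBSD 10 or later, whose cap_rights_limit()/cap_rights_init() replaced the cap_new(fd, mask) call shown on the slides; on other systems it compiles but reports ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* FreeBSD 10+ API; the slides show the older cap_new() call */
#define CAPSICUM_AVAILABLE 1
#else
#define CAPSICUM_AVAILABLE 0
#endif
/* One flag per check; each is 1 when the sandbox refused the operation as expected. */
struct sandbox_probe {
    int in_capmode;        /* cap_getmode() reports capability mode */
    int open_path_denied;  /* open() by path fails with ECAPMODE: no global namespace */
    int write_in_denied;   /* write() on the CAP_READ-only input fd fails with ENOTCAPABLE */
    int read_out_denied;   /* read() on the CAP_WRITE|CAP_SEEK output fd fails with ENOTCAPABLE */
};
int capsicum_available(void) { return CAPSICUM_AVAILABLE; }
/* The gzip pattern: limit the two already-open fds to the rights the compressor
 * needs, enter capability mode, then probe the compartment. cap_enter() cannot be
 * undone, so a long-lived program calls this from a forked child. Returns 0 or -1. */
int sandbox_and_probe(int in_fd, int out_fd, struct sandbox_probe *p) {
    memset(p, 0, sizeof(*p));
#if CAPSICUM_AVAILABLE
    cap_rights_t rin, rout;
    unsigned int mode = 0;
    char buf[1];
    if (cap_rights_limit(in_fd, cap_rights_init(&rin, CAP_READ)) < 0) return -1;
    if (cap_rights_limit(out_fd, cap_rights_init(&rout, CAP_WRITE, CAP_SEEK)) < 0) return -1;
    if (cap_enter() < 0) return -1;   /* from here on, only the capabilities we hold */
    if (cap_getmode(&mode) == 0 && mode != 0) p->in_capmode = 1;
    if (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE) p->open_path_denied = 1;
    if (write(in_fd, "x", 1) < 0 && errno == ENOTCAPABLE) p->write_in_denied = 1;
    if (read(out_fd, buf, 1) < 0 && errno == ENOTCAPABLE) p->read_out_denied = 1;
    return 0;
#else
    (void)in_fd; (void)out_fd;
    errno = ENOSYS;   /* not FreeBSD: no Capsicum to demonstrate */
    return -1;
#endif
}
int main(void) {
    struct sandbox_probe p;
    int in_fd = open("/dev/null", O_RDONLY), out_fd = open("/dev/null", O_WRONLY);
    if (sandbox_and_probe(in_fd, out_fd, &p) < 0) { perror("sandbox_and_probe"); return 1; }
    printf("capmode=%d open_denied=%d write_in_denied=%d read_out_denied=%d\n",
           p.in_capmode, p.open_path_denied, p.write_in_denied, p.read_out_denied);
    return 0;
}
```

As the tcpdump slide's lazy DNS resolution problem shows, anything the compartment will need later (here /dev/null stands in for the gzip input and output files) has to be opened before cap_enter(), because path lookups are refused afterwards.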
  18. Chromium
     ● A renderer process per browser tab
     ● lc_limitfd() to limit access to FDs
        ● pak files
        ● stdio
        ● /dev/random
        ● Font files
     ● cap_enter()
  19. Chromium Comparison

     Operating system   Model      Line count   Description
     Windows            ACLs       22350        Windows ACLs and SIDs
     Linux              chroot     605          setuid root helper sandboxes renderer
     Mac OS X           Seatbelt   560          Path-based MAC sandbox
     Linux              SELinux    200          Restricted sandbox type enforcement domain
     Linux              seccomp    11301        seccomp and userspace syscall wrapper
     FreeBSD            Capsicum   100          Capsicum sandboxing using cap_enter

  20. Evaluation
     (figure slide)
  21. Evaluation
     (figure: vfork() has the least overhead)
  22. Evaluation
     (figure: run time per gzip invocation with random data)
  23. Related work
     ● MAC and DAC
     ● Micro-kernels
  24. Limitations
     ● The amount of effort depends strictly on the design of the application
        ● gzip 409 LOC vs. Chromium 100
     ● Security policy embedded in code
        ● No easy access to policy spec
  25. Thank You