CS 626 - March : Capsicum: Practical Capabilities for UNIX
Transcript

  • 1. Capsicum: Practical Capabilities for UNIX
      Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway
      Presented by: Ruchith Fernando, CS 626, March 8, 2011
  • 2. Context
      ● Multiple processes of an application
      ● Ambient user privileges
      ● Full power of the user
        ● Access to all resources
  • 3. Browser
  • 4. Browser (diagram: the browser process and what it can reach through the operating system)
      ● /home/bob/.browser_settings/
      ● /home/bob/personal/
      ● /home/bob/work/
      ● /bin/
      ● /proc/
      ● /dev/
  • 5. Least Privilege
  • 6. Application Sandboxing (Compartmentalization)
  • 7. Problem Statement
      ● How can the OS support application sandboxing?
      ● How can the effort required from developers be minimized?
      ● Can it perform better than other techniques?
  • 8. Contribution
      ● API extensions to break down application code
        ● Run the parts in sandboxes
        ● Logical application
      ● Implementation: FreeBSD
        ● To be included in version 9
      ● Application of the extensions
      ● Performance evaluation
  • 9. Main Idea
      ● API extensions
      ● libcapsicum
        ● Capability mode
        ● Capabilities
  • 10. Capability Mode
      ● No access to global namespaces
        ● Process IDs, file paths, file system IDs, system clocks, etc.
      ● Restricted access to some syscalls
        ● sysctl (only 30 parameters are allowed)
        ● shm_open
        ● openat ...
      ● No privilege elevation via setuid/setgid
  • 11. Capabilities
      ● Wrap normal file descriptors
      ● cap_new(FD, mask_of_rights);
      ● 60 possible mask rights
        ● CAP_READ
        ● CAP_WRITE
        ● CAP_SEEK
        ● ...
      ● Directories
  • 12. Implementation
      ● At kernel services
        ● namei: path lookups
        ● fget: file descriptors to struct file refs
        ● pdfork(): returns a file descriptor
      ● Runtime
        ● fexecve()
        ● rtld-elf-cap: capability-aware linker
        ● fdlists: to declare capabilities to be passed in
  • 13. Can we use it?
  • 14. Debugging
      ● procstat
        ● State of running processes
        ● Shows: capability mode, capability rights masks
      ● Missing dependencies
        ● ENOTCAPABLE: new errno value
      ● API to check whether sandboxing is enabled
  • 15. tcpdump
      ● cap_enter()
      ● Restricting access to STDIN, STDOUT, STDERR using lc_limitfd()
      ● Problem with lazy DNS resolution
        ● Needs to access /etc/resolv.conf
  • 16. dhclient
      ● Before: chroot + setuid
      ● Now: cap_enter()
      ● Problems
        ● Holds write access to the lease DB
        ● Can submit messages to logs
  • 17. gzip
      ● Three core functions
      ● Passed input and output capabilities (FDs)
      ● CAP_READ, CAP_WRITE, CAP_SEEK
      ● pdfork() and fexecve()
      ● Changes were small (406 LOC) but non-trivial (16%)
  • 18. Chromium
      ● A renderer process per browser tab
      ● lc_limitfd() to limit access to FDs
        ● pak files
        ● stdio
        ● /dev/random
        ● Font files
      ● cap_enter()
  • 19. Chromium Comparison

      Operating system   Model      Line count   Description
      Windows            ACLs       22350        Windows ACLs and SIDs
      Linux              chroot     605          setuid root helper sandboxes renderer
      Mac OS X           Seatbelt   560          Path-based MAC sandbox
      Linux              SELinux    200          Restricted sandbox type enforcement domain
      Linux              seccomp    11301        seccomp and userspace syscall wrapper
      FreeBSD            Capsicum   100          Capsicum sandboxing using cap_enter

  • 20. Evaluation
  • 21. Evaluation: vfork() has the least overhead
  • 22. Evaluation: run time per gzip invocation with random data
  • 23. Related work
      ● MAC and DAC
      ● Micro-kernels
  • 24. Limitations
      ● The amount of effort depends strictly on the design of the application
        ● gzip 409 LOC vs. Chromium 100
      ● Security policy embedded in code
        ● No easy access to the policy spec
  • 25. Thank You
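The rules from slides 10, 11, 15 and 17 (no global-namespace access after cap_enter(), rights masks on wrapped descriptors, ENOTCAPABLE on a violation, and the gzip pattern of handing narrowed input/output capabilities to a sandboxed worker) modelled in Python, as an added example that is not part of the slides and not FreeBSD's or the Capsicum project's code. It makes no Capsicum system calls: the Capability and Process classes, the CAP_* bit values, the errno fallback and the sample input file are constructed stand-ins so the model runs on any OS.

```python
"""Toy model of Capsicum's capability mode and capability rights masks.

Constructed example, not FreeBSD's implementation: it mimics the rules on the
slides (no global-namespace access after cap_enter(), rights masks on wrapped
descriptors, ENOTCAPABLE on violations) using ordinary file descriptors.
"""
import errno
import os
import tempfile
import zlib

# Rights bits named as on the slides; the bit values are our own choice.
CAP_READ = 1 << 0
CAP_WRITE = 1 << 1
CAP_SEEK = 1 << 2
ALL_RIGHTS = CAP_READ | CAP_WRITE | CAP_SEEK
# FreeBSD defines ENOTCAPABLE; elsewhere fall back to FreeBSD's value (assumed 93).
ENOTCAPABLE = getattr(errno, "ENOTCAPABLE", 93)


class Capability:
    """A file descriptor wrapped with a rights mask (cf. cap_new(fd, mask))."""

    def __init__(self, fd, rights):
        self.fd = fd
        self.rights = rights

    def cap_new(self, rights):
        """Derive a new capability: rights can only be narrowed, never added."""
        if rights & ~self.rights:
            raise OSError(ENOTCAPABLE, "cannot add rights to a capability")
        return Capability(self.fd, rights)

    def _require(self, right):
        if not self.rights & right:
            raise OSError(ENOTCAPABLE, "operation not permitted by rights mask")

    def read(self, n):
        self._require(CAP_READ)
        return os.read(self.fd, n)

    def write(self, data):
        self._require(CAP_WRITE)
        return os.write(self.fd, data)

    def seek(self, offset, whence=os.SEEK_SET):
        self._require(CAP_SEEK)
        return os.lseek(self.fd, offset, whence)


class Process:
    """Per-process state: once cap_enter() has been called there is no way back."""

    def __init__(self):
        self.capability_mode = False

    def cap_enter(self):
        self.capability_mode = True

    def open_path(self, path, flags, mode=0o600):
        """Path lookup (namei) walks the global filesystem namespace, which
        capability mode forbids; outside capability mode it is a plain open."""
        if self.capability_mode:
            raise OSError(ENOTCAPABLE, "open(%r) refused in capability mode" % path)
        return Capability(os.open(path, flags, mode), ALL_RIGHTS)


def gzip_worker(inp, out):
    """The sandboxed step, as in the gzip example: it enters capability mode
    and can touch only the two capabilities it was handed."""
    worker = Process()
    worker.cap_enter()
    comp = zlib.compressobj(wbits=31)  # wbits=31 selects the gzip container
    while chunk := inp.read(65536):
        out.write(comp.compress(chunk))
    out.write(comp.flush())
    return worker


def compress_file(src, dst):
    """The unsandboxed parent: opens files by path, narrows the rights to
    exactly what the worker needs, then hands the capabilities over."""
    parent = Process()
    inp = parent.open_path(src, os.O_RDONLY).cap_new(CAP_READ)
    out = parent.open_path(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC).cap_new(CAP_WRITE)
    try:
        return gzip_worker(inp, out)
    finally:
        os.close(inp.fd)
        os.close(out.fd)


def errno_of(fn, *args):
    """Run fn and report the errno it raised, or None if it succeeded."""
    try:
        fn(*args)
    except OSError as e:
        return e.errno
    return None


def demo():
    """Exercise the model on a constructed input and collect the observations."""
    payload = b"capsicum " * 1000  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "in.txt"), os.path.join(d, "in.txt.gz")
        with open(src, "wb") as f:
            f.write(payload)
        worker = compress_file(src, dst)
        with open(dst, "rb") as f:
            round_trip = zlib.decompress(f.read(), wbits=31)
        # tcpdump's lazy DNS resolution hits exactly this: a path open after cap_enter().
        resolv = errno_of(worker.open_path, "/etc/resolv.conf", os.O_RDONLY)
        ro = Capability(os.open(src, os.O_RDONLY), CAP_READ)
        write_denied = errno_of(ro.write, b"x")
        widen_denied = errno_of(ro.cap_new, CAP_READ | CAP_WRITE)
        os.close(ro.fd)
    return {
        "round_trip_ok": round_trip == payload,
        "path_open_errno": resolv,
        "write_via_readonly_errno": write_denied,
        "widen_errno": widen_denied,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file compresses the sample data through the worker and reports three refusals, all with ENOTCAPABLE: a path open from inside capability mode, a write through a CAP_READ-only capability, and an attempt to derive a capability with more rights than its parent. That last rule (attenuation only) is what makes a rights mask meaningful once a descriptor has been handed to sandboxed code.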
