Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Linux Security and How Web Browser Sandboxes Really Work (Security Researchers Meetup 0x05 2017)

341 views

Published on

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.

This presentation goes more in depth on some key points from the NDC (2017) presentation.

Published in: Technology
  • Your opinions matter! get paid for them! click here for more info...♥♥♥ http://ishbv.com/surveys6/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Discover a WEIRD trick I use to make over $3500 per month taking paid surveys online. read more... ●●● http://ishbv.com/surveys6/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Linux Security and How Web Browser Sandboxes Really Work (Security Researchers Meetup 0x05 2017)

  1. 1. @pati_gallardo
  2. 2. Linux Security and How Web Browser Sandboxes Really Work Patricia Aas Security Researchers Meetup 2017 @pati_gallardo
  3. 3. Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo Will put up link to slides on Twitter/LinkedIn
  4. 4. One Binary BROWSER GPUZYGOTE GPUBROKERZYGOTE RENDERER FORKCLONE EXEC EXEC CLONE FORKFORK
  5. 5. The Initial Sandbox @pati_gallardo
  6. 6. Windows of Opportunity BROWSER GPUZYGOTE GPUBROKERZYGOTE RENDERER NO_NEW_PRIVS USER/PID/NET NO_NEW_PRIVS FORKCLONE EXEC EXEC CLONE FORKFORK
  7. 7. Namespaces in use CLONE_NEWUSER No privilege is needed to create a User NS, and in one we can create a PID NS without global privilege. CLONE_NEWPID Same PID number can represent different processes in different PID namespaces. One init (PID 1) process per PID NS CLONE_NEWNET Isolate a process from network@pati_gallardo Zygote + Renderer
  8. 8. At Clone : Create NAmespaces Clone flags define the process* created and will create namespaces (NS) for it 1. Test which NS are available 2. Fail if not sufficient 3. Construct the biggest supported and applicable set Emulates fork with longjmp * Also used to create threads@pati_gallardo Zygote + Renderer
  9. 9. int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET; jmp_buf env; if (setjmp(env) == 0) { return CloneAndLongjmpInChild(flags, ptid, ctid, &env); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  10. 10. pid_t CloneAndLongjmpInChild(unsigned long flags, pid_t* ptid, pid_t* ctid, jmp_buf* env) { char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  11. 11. int CloneHelper(void* arg) { jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg); longjmp(*env_ptr, 1); // Should not be reached assert(false); return 1; } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  12. 12. Shrinking the Initial Sandbox @pati_gallardo
  13. 13. Shrinking the Sandbox BROWSER GPU seccomp ZYGOTE USER capset chroot GPUBROKER seccomp ZYGOTE SYS_ADMIN seccomp RENDERER capset rlimit PID NO_NEW_PRIVS USER/PID/NET NO_NEW_PRIVS FORKCLONE EXEC EXEC CLONE FORKFORK Done post-fork
  14. 14. Seccomp BPF Program Program written in an assembly-like language to filter system-calls. Runs in a simple VM in kernel space. All syscalls will be filtered by this program TSYNC : Once a Seccomp Program is installed it applies to all threads in a process @pati_gallardo Renderer + Gpu + Broker
  15. 15. Seccomp : BPF Policies BPF Program defined in a Policy Fundamentally a whitelist, allows a set of syscalls and has custom handling of others An extended Policy is then generally more permissive 1. BaselinePolicy 1.1 GpuProcessPolicy 1.1.1 GpuBrokerProcessPolicy 1.2 RendererProcessPolicy@pati_gallardo Renderer + Gpu + Broker
  16. 16. void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy) { SandboxBPF sandbox(policy); assert(sandbox.StartSandbox()); } bool SandboxBPF::StartSandbox() { InstallFilter(); return true; } @pati_gallardo chromium/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  17. 17. void SandboxBPF::InstallFilter() { CodeGen::Program program = AssembleFilter(); struct sock_filter bpf[program.size()]; const struct sock_fprog prog = { static_cast<unsigned short>(program.size()), bpf }; memcpy(bpf, &program[0], sizeof(bpf)); assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0); assert(seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0); } @pati_gallardo chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  18. 18. Chroot : Drop Access to FS A chroot is done in a clone(CLONE_FS) child that does chroot(”/proc/self/fdinfo/”) and immediately does a chdir(“/”) and _exit(0) You can see this by looking at ls -l /proc/<pid>/root Of the Zygote or any ancestor Credentials::DropFileSystemAccess @pati_gallardo Zygotes + Renderer
  19. 19. bool ChrootToSafeEmptyDir() { pid_t pid = -1; char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); int clone_flags = CLONE_FS | LINUX_SIGCHLD; pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr); int status = -1; assert(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  20. 20. int ChrootToSelfFdinfo(void*) { assert(chroot("/proc/self/fdinfo/") == 0); assert(chdir("/") == 0); _exit(kExitSuccess); } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  21. 21. Trust is Relative BROWSER GPU seccomp ZYGOTE USER capset chroot GPUBROKER seccomp ZYGOTE SYS_ADMIN seccomp RENDERER capset rlimit PID NO_NEW_PRIVS USER/PID/NET NO_NEW_PRIVS FORKCLONE EXEC EXEC CLONE FORKFORK No access to filesystem Done post-fork
  22. 22. vivaldi://sandbox @pati_gallardo
  23. 23. Sources Michael Kerrisk Book: The Linux Programming Interface Course: Linux Security and Isolation APIs Chromium/Kernel source + Linux Man Pages + lwn.net All Errors Are My Own
  24. 24. Linux Security and How Web Browser Sandboxes Really Work Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com

×