
Declarative, Temporal, and Practical Programming with Capabilities

Declarative, Temporal, and Practical Programming with Capabilities. William Harris, Somesh Jha, Thomas Reps, Jonathan Anderson, Robert Watson. Paper in One Slide: Capsicum supports secure programming, but secure programming is still hard. CapWeave instruments programs to be secure on Capsicum.


Presentation Transcript


  1. Declarative, Temporal, and Practical Programming with Capabilities • William Harris, Somesh Jha, Thomas Reps, Jonathan Anderson, Robert Watson

  2. Paper in One Slide • Capsicum supports secure programming, but secure programming is still hard • CapWeave instruments programs to be secure on Capsicum

  3. Talk Outline • Why use Capsicum? • Why use CapWeave? • How does CapWeave work? • How well does CapWeave work? • Why use Capsicum? (USENIX Security ’10) • A. A Capsicum process can sandbox itself by invoking a few custom system primitives

  4. gzip
     main() {
       file_nms = parse_cl();
       for (f in file_nms):
         L0: (in, out) = open2(f);
         L1: compress(in, out);
     }
     (figure: arrows from L1: compress(in, out) to /usr/local and to http://evil.com)

  5. A simple policy for gzip • When gzip calls open2() at L0, it should be able to open descriptors • When gzip calls compress() at L1, it should not be able to open descriptors

  6. Capsicum’s AMB • A Capsicum process can open descriptors if and only if it has ambient authority (AMB)

  7. Rules for Capsicum’s AMB • When a process is created, it has the AMB value of its parent • After a process calls cap_enter(), it never has AMB

  8. A simple policy for gzip using Capsicum’s AMB • When gzip calls open2() at L0, it should have AMB • When gzip calls compress() at L1, it should not have AMB

  9. Using Capsicum’s AMB in gzip
     main() {
       file_nms = parse_cl();
       for (f in file_nms):
         L0: (in, out) = open2(f);      // L0: AMB
         L1: compress(in, out);         // L1: no AMB
     }
     (figure: where in this loop should cap_enter() go?)

  10. Talk Outline • Why use Capsicum? (USENIX Security ’10) • Why use CapWeave? • How does CapWeave work? • How well does CapWeave work? • Why use CapWeave? • A. CapWeave bridges Capsicum’s “semantic gap”

  11. Capsicum Programming Challenges • Policies aren’t explicit • Primitives have subtle temporal effects

  12. gzip Programming Challenges
      main() {
        file_nms = parse_cl();
        for (f in file_nms):
          L0: (in, out) = open2(f);     // L0: AMB
          cap_enter();
          L1: compress(in, out);        // L1: no AMB
      }
      (figure: AMB / no AMB annotations along the loop: with cap_enter() placed before L1, the process has no AMB when the next iteration reaches L0)

  13. Capsicum Rules for Ambient Authority • When a process is created, it has the AMB value of its parent • After a process calls cap_enter(), it never has AMB

  14. Instrumenting gzip
      main() {
        file_nms = parse_cl();
        for (f in file_nms):
          L0: (in, out) = open2(f);     // AMB
          sync_fork();
          cap_enter();                  // no AMB in the child
          L1: compress(in, out);        // no AMB
          sync_join();                  // back in the parent: AMB
      }

  15. Challenges Not Appearing in this Talk • Capsicum supports capabilities as descriptors with ~60 rights • Policies may be truly temporal • Instrumented program may need to maintain extra state • Instrumented program may need to deal with injected code

  16. Instrumenting Programs with CapWeave • Programmer writes an explicit policy • Compiler instruments program to invoke primitives so that it satisfies the policy

  17. gzip with CapWeave
      main() {
        file_nms = parse_cl();
        for (f in file_nms):
          L0: (in, out) = open2(f);
          L1: compress(in, out);
      }
      Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*

  18. Program:
      main() {
        file_nms = parse_cl();
        for (f in file_nms):
          L0: (in, out) = open2(f);
          L1: compress(in, out);
      }
      Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*
      CapWeave produces the instrumented program:
      void main() {
        L0: open2(...);        // (AMB)
        sync_fork();
        cap_enter();
        L1: compress();        // (no AMB)
        sync_join();
      }

  19. Talk Outline • Why use Capsicum? (USENIX Security ’10) • Why use CapWeave? • How does CapWeave work? • How well does CapWeave work? • How does CapWeave work? • A. By reducing instrumentation to a game

  20. Two-Player Safety Games • In an Attacker state,the Attacker chooses the next input • In a Defender state,the Defender chooses the next input • Attacker wants to reach an accepting state

  21. (figure: example safety game; only the node and edge labels a, b, c, d, w, x, y, z survive)

  22. Instrumentation as a Game

  23. gzip Game (figure: the game graph for gzip; its moves are parse_cl, L0:open2(), L1:compress(), sync_fork(), sync_join(), cap_enter(), and noop)

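The reduction in slides 19 to 23 can be made concrete with a small model, added here as an example that is not CapWeave's own code. It encodes the two AMB rules from slides 7 and 13 (a forked process inherits its parent's AMB; after cap_enter() a process never has AMB again), the gzip control flow from slide 4, and the policy from slide 17 as a two-player safety game: the Attacker plays the program's control flow and the policy check, the Defender plays the instrumenter and picks which primitive sequence to insert before each labeled call. Solving the game by a least-fixed-point attractor computation recovers the instrumentation of slide 14 (sync_fork + cap_enter before L1, sync_join before the next L0) and reports the inconsistent policy of slide 31 as unenforceable. The set of Defender moves, the "no nested children" restriction and the state encoding are assumptions of this model.

```python
# Added example: instrumentation as a two-player safety game, a toy model of
# the talk's gzip game (not CapWeave's code).  Attacker = the program's own
# control flow plus the policy check; Defender = the instrumenter, who picks
# which Capsicum primitive(s) to insert before each labeled call.
from collections import deque

# Defender's options before a labeled call, cheapest first (an assumption of this model).
PRIMITIVES = {"noop": (), "cap_enter": ("cap_enter",),
              "fork+cap_enter": ("sync_fork", "cap_enter"), "sync_join": ("sync_join",)}
NEXT_PC = {"L0": "L1", "L1": "head"}                 # gzip: L0:open2 ; L1:compress ; loop head
GZIP_POLICY = {"L0": {True}, "L1": {False}}          # [L0: AMB]* ∩ [L1: no AMB]*
INCONSISTENT_POLICY = {"L0": set(), "L1": {False}}   # [L0: AMB]* ∩ [L0: no AMB]*
# A state is (pc, amb, parent_amb, turn); parent_amb is None outside a sync_fork
# child, otherwise the AMB value the parent keeps while the child runs.

def apply_primitive(prim, amb, parent):
    """Capsicum's AMB rules from the talk; None if the primitive does not apply here."""
    if prim == "sync_fork":
        return None if parent is not None else (amb, amb)  # child gets parent's AMB (no nesting: assumption)
    if prim == "cap_enter":
        return (False, parent)                              # this process never has AMB again
    if prim == "sync_join":
        return None if parent is None else (parent, None)  # parent's AMB was untouched
    raise ValueError(prim)

def defender_moves(state):
    pc, amb, parent, _ = state
    moves = {}
    for name, seq in PRIMITIVES.items():
        cur = (amb, parent)
        for prim in seq:
            cur = apply_primitive(prim, *cur)
            if cur is None:
                break
        if cur is not None:
            moves[name] = (pc, cur[0], cur[1], "A")
    return moves

def attacker_moves(state, policy):
    pc, amb, parent, _ = state
    if pc in ("bad", "end"):
        return [state]                                      # terminal states loop forever
    if pc == "start":
        return [("head", amb, parent, "A")]                 # parse_cl()
    if pc == "head":                                        # next iteration, or leave the loop
        return [("L0", amb, parent, "D"), ("end", amb, parent, "A")]
    if amb not in policy[pc]:                               # this call violates the policy
        return [("bad", amb, parent, "A")]
    nxt = NEXT_PC[pc]
    return [(nxt, amb, parent, "D" if nxt in policy else "A")]

def successors(state, policy):
    return list(defender_moves(state).values()) if state[3] == "D" else attacker_moves(state, policy)

def reachable(start, policy, strategy=None):
    """States reachable from start; if a strategy is given the Defender follows it."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        if strategy is not None and s[3] == "D":
            succ = [defender_moves(s)[strategy[s]]]
        else:
            succ = successors(s, policy)
        for t in succ:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def attacker_attractor(states, policy):
    """Least fixed point: states from which the Attacker can force a visit to 'bad'."""
    attr = {s for s in states if s[0] == "bad"}
    changed = True
    while changed:
        changed = False
        for s in states - attr:
            succ = successors(s, policy)
            if (any(t in attr for t in succ) if s[3] == "A" else all(t in attr for t in succ)):
                attr.add(s)
                changed = True
    return attr

def synthesize(policy):
    """Primitive sequence to insert at each Defender state met under the winning
    strategy, or None when the policy cannot be enforced (e.g. it is inconsistent)."""
    start = ("start", True, None, "A")                      # gzip begins with AMB
    states = reachable(start, policy)
    losing = attacker_attractor(states, policy)
    if start in losing:
        return None
    strategy = {}
    for s in states:
        if s[3] == "D" and s not in losing:                 # first winning move = cheapest one
            strategy[s] = next(n for n, t in defender_moves(s).items() if t not in losing)
    return {s: strategy[s] for s in reachable(start, policy, strategy) if s[3] == "D"}

if __name__ == "__main__":
    for (pc, amb, parent, _), prim in synthesize(GZIP_POLICY).items():
        print(f"before {pc} (AMB={amb}, in child={parent is not None}): insert {prim}")
    print("inconsistent policy:", synthesize(INCONSISTENT_POLICY))
```

Running `synthesize(GZIP_POLICY)` yields noop before the first L0, fork+cap_enter before L1, and sync_join before L0 in the child, which is exactly the woven program of slide 18; a plain cap_enter before L1 is rejected because the Attacker then continues the loop and reaches L0 without AMB. `synthesize(INCONSISTENT_POLICY)` returns None, since no move can make L0 both have and not have AMB.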

  26. Talk Outline • Why use Capsicum? (USENIX Security ’10) • Why use CapWeave? • How does CapWeave work? • How well does CapWeave work? • How well does CapWeave work?

  27. Weaver Performance

  28. Performance onIncluded Tests

  29. Performance onPractical Workloads • Ran woven bzip2, gzip, and wget on 1GB of Capsicum source code • Overhead for each was ≤ 4% over baseline

  30. Current Limitations • Optimal placement of primitives • Diagnosing inconsistent policies

  31. Program:
      void main(...) {
        L0: open2(...);
        L1: compress(...);
      }
      Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*
      A second, inconsistent policy: [ L0: AMB ]* ∩ [ L0: no AMB ]*
      CapWeave produces the instrumented program:
      void main() {
        L0: open2(...);        // (AMB)
        sync_fork();
        cap_enter();
        L1: compress();        // (no AMB)
        sync_join();
      }

  32. Talk Outline • Why use Capsicum? (USENIX ’10) • Why use CapWeave? • How does CapWeave work? • How well does CapWeave work? • How well does CapWeave work?

  33. A big thanks to: Capsicum-dev Pawel Jakub Dawidek Khilan Gudka Ben Laurie Peter Neumann MIT-LL Our shepherd Michael Zhivich Jeffrey Seibert Niels Provos

  34. Questions?
      Program:
      main() {
        L0: open2(...);
        L1: compress(...);
      }
      Policy: [ L0: AMB ]* ∩ [ L1: AMB ]*
      CapWeave produces the instrumented program:
      void main() {
        L0: open2(...);        // (AMB)
        sync_fork();
        cap_enter();
        L1: compress(...);     // (no AMB)
        sync_join();
      }

  35. Extra Slides

  36. L0: for (int i = 0; i < num_urls; i++) {
        int svr_sock = open_http(urls[i]);
        char* out_path = urls[i];
        if (must_3xx_redirect(svr_sock)) {
          L1: out_path = get_outnm(svr_sock);
        }
        read_http(svr_sock);
        L2: write_data(out_path);
      }

  37. for (int i = 0; i < num_urls; i++) {
        fork();
        int svr_sock = open_http(urls[i]);
        char* out_path = urls[i];
        bool is_redir = FALSE;
        if (must_3xx_redirect(svr_sock)) {
          is_redir = TRUE;
          out_path = get_outnm(svr_sock);
        }
        read_http(svr_sock);
        if (is_redir) cap_enter();
        write_data(urls[i]);
        join();
      }

  38. L0: for (int i = 0; i < num_urls; i++) {
        fork();
        int svr_sock = open_http(urls[i]);
        char* out_path = urls[i];
        bool is_redir = FALSE;
        if (must_3xx_redirect(svr_sock)) {
          is_redir = TRUE;
          L1: out_path = get_outnm(svr_sock);
        }
        read_http(svr_sock);
        L2: write_data(out_path);
        join();
      }

  39. A Capsicum policy for wget • When wget calls read_http(), it should have AMB • When wget calls write_data(), it should have AMB iff it never received a redirect request

  40. CapWeave: A Capsicum policy for wget • When wget calls read_http(), it should have AMB • When wget calls write_data(), it should have AMB iff it never received a redirect request • Policy: .* [ L0 without AMB ] | .* [ L1 ] [ not L0 ]* [ L2 with AMB ] | .* [ L0 ] [ not L1 ] [ L2 without AMB ]
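The wget policy of slides 39 and 40 is temporal: whether write_data() may run with AMB depends on whether a redirect happened earlier in the same iteration. As an added example, not from the talk, the checker below scans a trace of (label, has_amb) events for the three alternatives of slide 40's violation pattern, and a small trace generator produces traces for the original listing of slide 36, for the fork / cap_enter / join pattern of slides 37 and 38, and for a cap_enter without fork. Reading L0 as the start of one loop iteration (where read_http() runs), L1 as "a redirect was followed", L2 as write_data(), and "[ not L1 ]" as "[ not L1 ]*" are assumptions of this example, as are the constructed traces.

```python
# Added example (not from the talk): checking wget traces against the policy
# on the slide.  Each event is (label, has_amb): L0 = start of a loop
# iteration (read_http for one URL), L1 = a 3xx redirect was followed,
# L2 = write_data.  Reading "[not L1]" as "[not L1]*" is an assumption.

def first_violation(trace):
    """Return (index, reason) of the first event that violates the policy, else None."""
    redirected = None            # did the current iteration (since its L0) see L1?
    for i, (label, amb) in enumerate(trace):
        if label == "L0":
            if not amb:                               # .* [L0 without AMB]
                return i, "read at L0 without AMB"
            redirected = False
        elif label == "L1":
            redirected = True
        elif label == "L2":
            if redirected and amb:                    # .* [L1] [not L0]* [L2 with AMB]
                return i, "write at L2 with AMB after a redirect"
            if redirected is False and not amb:       # .* [L0] [not L1]* [L2 without AMB]
                return i, "write at L2 without AMB although no redirect"
    return None

def wget_trace(redirects, mode):
    """Constructed trace of one wget run; redirects[i] says whether URL i answered 3xx.
    mode: "original" (no primitives), "cap_enter_only" (cap_enter after a redirect,
    no fork/join), or "woven" (the fork / cap_enter / join pattern of the slides)."""
    trace, amb = [], True
    for redir in redirects:
        cur = amb                    # in "woven" mode the child inherits AMB at fork()
        trace.append(("L0", cur))
        if redir:
            trace.append(("L1", cur))
            if mode != "original":
                cur = False          # cap_enter(): this process never has AMB again
        trace.append(("L2", cur))
        if mode == "cap_enter_only":
            amb = cur                # no fork/join, so the loss of AMB persists
    return trace

if __name__ == "__main__":
    for mode, redirects in [("original", [False, True]), ("woven", [False, True, False]),
                            ("cap_enter_only", [True, False])]:
        print(mode, redirects, "->", first_violation(wget_trace(redirects, mode)))
```

The original listing violates the policy as soon as a redirected URL is written with AMB; cap_enter alone satisfies that write but leaves the next iteration's read_http() without AMB, the same trap as in the gzip example; only the fork / cap_enter / join version passes on every constructed run.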
