Slide 1
Declarative, Temporal, and Practical
Programming with Capabilities
William Harris, Somesh Jha, Thomas Reps
Jonathan Anderson, Robert Watson

Slide 2

Paper in One Slide
• Capsicum supports secure programming, but secure programming is still hard
• CapWeave instruments programs to be secure on Capsicum

Slide 3

Talk Outline
1. Why use Capsicum?
2. Why use CapWeave?
3. How does CapWeave work?
4. How well does CapWeave work?

1. Why use Capsicum? (USENIX Security ’10)
A. A Capsicum process can sandbox itself by invoking a few custom system primitives

Slide 4

gzip

  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);
  L1: compress(in, out);
  }

(figure: gzip’s compress(in, out) at L1 shown alongside http://evil.com and /usr/local)

Slide 5

A simple policy for gzip
• When gzip calls open2() at L0, it should be able to open descriptors
• When gzip calls compress() at L1, it should not be able to open descriptors

Slide 6

Capsicum’s AMB
A Capsicum process can open descriptors if and only if it has ambient authority (AMB)

Slide 7

Rules for Capsicum’s AMB
1. When a process is created, it has the AMB value of its parent
2. After a process calls cap_enter(), it never has AMB

Slide 8

A simple policy for gzip using Capsicum’s AMB
• When gzip calls open2() at L0, it should have AMB (be able to open descriptors)
• When gzip calls compress() at L1, it should not have AMB (not be able to open descriptors)

Slide 9

gzip using Capsicum’s AMB

  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);      // L0: AMB
  L1: compress(in, out);         // L1: no AMB
  }

Where should cap_enter() go?

Slide 10

Talk Outline
1. Why use Capsicum? (USENIX Security ’10)
2. Why use CapWeave?
3. How does CapWeave work?
4. How well does CapWeave work?

2. Why use CapWeave?
A. CapWeave bridges Capsicum’s “semantic gap”

Slide 11

Capsicum Programming Challenges
1. Policies aren’t explicit
2. Primitives have subtle temporal effects

Slide 12

Programming Challenges: gzip

  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);      // L0: AMB
      cap_enter();
  L1: compress(in, out);         // L1: no AMB
  }

(figure: the loop’s executions of L0 and L1 annotated with AMB / no AMB when cap_enter() is placed between L0 and L1)

Slide 13

Capsicum Rules for Ambient Authority
1. When a process is created, it has the AMB value of its parent
2. After a process calls cap_enter(), it never has AMB

Slide 14

Instrumenting gzip

  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);      // L0: AMB
      sync_fork();
      cap_enter();
  L1: compress(in, out);         // L1: no AMB
      sync_join();
  }

(figure: with the sync_fork()/sync_join() pair around cap_enter() and L1, every execution of L0 is annotated AMB and every execution of L1 no AMB)

Slide 15

Challenges Not Appearing in this Talk
• Capsicum supports capabilities as descriptors with ~60 rights
• Policies may be truly temporal
• Instrumented program may need to maintain extra state
• Instrumented program may need to deal with injected code

Slide 16

Instrumenting Programs with CapWeave
1. Programmer writes an explicit policy
2. Compiler instruments program to invoke primitives so that it satisfies the policy

Slide 17

gzip with CapWeave

  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);
  L1: compress(in, out);
  }

Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*

Slide 18

Program:
  main() {
    file_nms = parse_cl();
    for (f in file_nms):
  L0: (in, out) = open2(f);
  L1: compress(in, out);
  }

Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*

→ CapWeave →

Instrumented Program:
  void main() {
  L0: open2(...);        // (AMB)
      sync_fork();
      cap_enter();
  L1: compress();        // (no AMB)
      sync_join();
  }

Slide 19

Talk Outline
1. Why use Capsicum? (USENIX Security ’10)
2. Why use CapWeave?
3. How does CapWeave work?
4. How well does CapWeave work?

3. How does CapWeave work?
A. By reducing instrumentation to a game

Slide 20

Two-Player Safety Games
• In an Attacker state, the Attacker chooses the next input
• In a Defender state, the Defender chooses the next input
• Attacker wants to reach an accepting state

Slide 21

(figure: an example game graph with states a, b, c, d and inputs w, x, y, z)

Slide 22

Instrumentation as a Game

Capsicum Instrumentation      Two-player Games
Program instructions          Attacker actions
Capsicum primitives           Defender actions
Policy violations             Attacker wins
Satisfying instrumentation    Winning Defender strategy

Slide 23

gzip Game
(figure: the game graph for gzip; Attacker moves are the program steps parse_cl, L0:open2() and L1:compress(), Defender moves are noop, cap_enter(), sync_fork() and sync_join())
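To make the reduction concrete, here is an added example (not CapWeave’s code, and far simpler than the tool’s game): a Python model of the gzip game above, in which the Attacker plays program steps, the Defender plays Capsicum primitives, and a winning Defender strategy is read off the complement of the Attacker’s attractor set. It assumes the Defender may insert at most two primitives before each program step and that sync_fork() nests only one level deep.

```python
# Added example, not CapWeave's code: the gzip game of slides 20-23 solved by an attractor
# fixpoint. Assumptions: at most BUDGET primitives per program step, a single fork level.
BUDGET = 2
VIOLATION = ("violation", None, None, 0)
# state = (pc, amb, parent, k): pc = next program step, amb = has ambient authority, parent =
# parent's AMB while in a sync_fork child (else None), k = Defender moves left (0: Attacker's turn)
INIT = ("L0", True, None, BUDGET)                       # a fresh gzip process has AMB
STATES = {(pc, a, p, k) for pc in ("L0", "L1") for a in (True, False)
          for p in (None, True, False) for k in range(BUDGET + 1)} | {VIOLATION}
def defender_moves(s):
    """Capsicum's AMB rules (slide 7): cap_enter() drops AMB for good, a child inherits AMB."""
    pc, amb, parent, k = s
    out = {"noop": (pc, amb, parent, 0)}                # pass the turn to the program
    if amb:
        out["cap_enter"] = (pc, False, parent, k - 1)
    if parent is None:
        out["sync_fork"] = (pc, amb, amb, k - 1)         # child starts with the parent's AMB
    else:
        out["sync_join"] = (pc, parent, None, k - 1)     # back in the parent, its AMB restored
    return out
def attacker_moves(s):
    """Program steps: open2() at L0 needs AMB, compress() at L1 must not have it, then loop."""
    pc, amb, parent, _ = s
    if pc == "L0":
        return [VIOLATION] if not amb else [("L1", amb, parent, BUDGET)]
    if pc == "L1":
        return [VIOLATION] if amb else [("L0", amb, parent, BUDGET)]
    return []                                            # VIOLATION is terminal
def attacker_attractor():
    """Least fixpoint of the states from which the Attacker can force a policy violation."""
    attr = {VIOLATION}
    while True:                                          # Attacker needs one bad successor, Defender all
        new = {s for s in STATES - attr
               if (nxt := list(defender_moves(s).values()) if s[3] else attacker_moves(s))
               and (any if s[3] == 0 else all)(t in attr for t in nxt)}
        if not new: return attr
        attr |= new
def defender_strategy():
    """First winning primitive per Defender state; None if no instrumentation satisfies the policy."""
    attr = attacker_attractor()
    if INIT in attr: return None
    return {s: next(p for p, t in defender_moves(s).items() if t not in attr)
            for s in STATES if s[3] > 0 and s not in attr}

def weave(files=2):
    """Play the strategy until `files` inputs are compressed; returns gzip's woven trace."""
    strat, s, trace = defender_strategy(), INIT, []
    while sum(e.startswith("L1") for e in trace) < files:
        if s[3] > 0:                                     # Defender: insert a primitive or pass
            p = strat[s]
            trace, s = trace + [p] * (p != "noop"), defender_moves(s)[p]
        else:                                            # Attacker: run the next program step
            trace.append(f"{s[0]}({'AMB' if s[1] else 'no AMB'})")
            s = attacker_moves(s)[0]
    return trace
```

The strategy it finds is the instrumentation of slide 18: a bare cap_enter() before L1 is a losing move, because the next iteration’s open2() would then run without AMB, so the Defender must sync_fork() first and sync_join() before returning to L0.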

Slides 24–25 repeat the gzip game graph of slide 23.

Slide 26

Talk Outline
1. Why use Capsicum? (USENIX Security ’10)
2. Why use CapWeave?
3. How does CapWeave work?
4. How well does CapWeave work?

4. How well does CapWeave work?

Slide 27

Weaver Performance

Name            Program kLoC   Policy LoC   Weaving Time
bzip2-1.0.6     8              70           4m57s
gzip-1.2.4      9              68           3m26s
php-cgi-5.3.2   852            114          46m36s
tar-1.25        108            49           0m08s
tcpdump-4.1.1   87             52           0m09s
wget-1.12       64             35           0m10s

Slide 28

Performance on Included Tests

Name            Base Time   Hand Overhd   capweave Overhd   Diff. Overhd (%)
bzip2-1.0.6     0.593s      0.909         1.099             20.90
gzip-1.2.4      0.036s      1.111         1.278             15.03
php-cgi-5.3.2   0.289s      1.170         1.938             65.64
tar-1.25        0.156s      13.301        21.917            64.78
tcpdump-4.1.1   1.328s      0.981         1.224             24.77
wget-1.12       4.539s      1.906         1.106             0.91

Slide 29

Performance on Practical Workloads
• Ran woven bzip2, gzip, and wget on 1GB of Capsicum source code
• Overhead for each was ≤ 4% over baseline

Slide 30

Current Limitations
• Optimal placement of primitives
• Diagnosing inconsistent policies

Slide 31

Program:
  void main(...) {
  L0: open2(...);
  L1: compress(...);
  }

Policy: [ L0: AMB ]* ∩ [ L1: no AMB ]*

→ CapWeave →

Instrumented Program:
  void main() {
  L0: open2(...);        // (AMB)
      sync_fork();
      cap_enter();
  L1: compress();        // (no AMB)
      sync_join();
  }

An inconsistent policy: [ L0: AMB ]* ∩ [ L0: no AMB ]*

Slide 32

Talk Outline
1. Why use Capsicum? (USENIX ’10)
2. Why use CapWeave?
3. How does CapWeave work?
4. How well does CapWeave work?

4. How well does CapWeave work?

Slide 33

A big thanks to:
Capsicum-dev: Pawel Jakub Dawidek, Khilan Gudka, Ben Laurie, Peter Neumann
MIT-LL: Jeffrey Seibert, Michael Zhivich
Our shepherd: Niels Provos

Slide 34

Questions?

Program:
  main() {
  L0: open2(...);
  L1: compress(...);
  }

Policy: [ L0: AMB ]* ∩ [ L1: AMB ]*

→ CapWeave →

Instrumented Program:
  void main() {
  L0: open2(...);        // (AMB)
      sync_fork();
      cap_enter();
  L1: compress(...);     // (no AMB)
      sync_join();
  }

Slide 35

Extra Slides

Slide 36

  L0: for (int i = 0; i < num_urls; i++) {
        int svr_sock = open_http(urls[i]);
        char* out_path = urls[i];
        if (must_3xx_redirect(svr_sock)) {
  L1:     out_path = get_outnm(svr_sock);
        }
        read_http(svr_sock);
  L2:   write_data(out_path);
      }

Slide 37

  for (int i = 0; i < num_urls; i++) {
    fork();
    int svr_sock = open_http(urls[i]);
    char* out_path = urls[i];
    bool is_redir = FALSE;
    if (must_3xx_redirect(svr_sock)) {
      is_redir = TRUE;
      out_path = get_outnm(svr_sock);
    }
    read_http(svr_sock);
    if (is_redir) cap_enter();     // only the forked child gives up AMB
    write_data(out_path);
    join();
  }

Slide 38

  L0: for (int i = 0; i < num_urls; i++) {
        fork();
        int svr_sock = open_http(urls[i]);
        char* out_path = urls[i];
        bool is_redir = FALSE;
        if (must_3xx_redirect(svr_sock)) {
          is_redir = TRUE;
  L1:     out_path = get_outnm(svr_sock);
        }
        read_http(svr_sock);
  L2:   write_data(out_path);
        join();
      }

Slide 39

A Capsicum policy for wget
• When wget calls read_http(), it should have AMB
• When wget calls write_data(), it should have AMB iff it never received a redirect request

Slide 40

A Capsicum policy for wget
• When wget calls read_http(), it should have AMB
• When wget calls write_data(), it should have AMB iff it never received a redirect request

  .* [ L0 without AMB ]
| .* [ L1 ] [ not L0 ]* [ L2 with AMB ]
| .* [ L0 ] [ not L1 ] [ L2 without AMB ]

→ CapWeave
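As an added example (not CapWeave’s or wget’s code), the following Python checks the three alternatives above, read as the traces the policy forbids, against traces of the wget loop from slides 36-38, including an instrumentation that calls cap_enter() on a redirect without the fork/join pair. The URLs are constructed, and the third alternative’s [ not L1 ] is read as [ not L1 ]*, in the shape of the second alternative (an assumption).

```python
# Added example, not CapWeave's code: the temporal wget policy of slides 39-40 checked
# against traces of the wget loop of slides 36-38. Trace events are (label, amb) pairs.
# Assumption: the third alternative's [not L1] is read as [not L1]*, like the second's [not L0]*.

def violates(trace):
    """First violating event as (index, reason), or None, for the three alternatives:
       .* [L0 without AMB]
     | .* [L1] [not L0]* [L2 with AMB]
     | .* [L0] [not L1]* [L2 without AMB]"""
    after_redirect = False        # an L1 occurred and no L0 since: alternative 2 is armed
    after_open = False            # an L0 occurred and no L1 since: alternative 3 is armed
    for i, (label, amb) in enumerate(trace):
        if label == "L0":
            if not amb:
                return (i, "L0: open_http/read_http without AMB")
            after_redirect, after_open = False, True
        elif label == "L1":
            after_redirect, after_open = True, False
        elif label == "L2":
            if after_redirect and amb:
                return (i, "L2: write_data with AMB after a redirect")
            if after_open and not amb:
                return (i, "L2: write_data without AMB but no redirect")
    return None

def run_wget(urls, mode):
    """Trace of the wget loop; mode = 'plain' (slide 36), 'cap_enter_only'
    (cap_enter() on a redirect but no fork/join) or 'woven' (slide 38)."""
    amb, trace = True, []
    for _url, redirects in urls:                   # L0: for each URL
        parent_amb = amb                            # fork(): the child inherits the parent's AMB
        trace.append(("L0", amb))                   # open_http(urls[i]); read_http(svr_sock)
        if redirects:
            trace.append(("L1", amb))               # L1: out_path = get_outnm(svr_sock)
            if mode != "plain":
                amb = False                         # cap_enter(): AMB is gone for good
        trace.append(("L2", amb))                   # L2: write_data(out_path)
        if mode == "woven":
            amb = parent_amb                        # join(): the parent never called cap_enter()
    return trace

# Constructed input: three downloads, the second one answered with a 3xx redirect.
URLS = [("http://example.invalid/a", False),
        ("http://example.invalid/b", True),
        ("http://example.invalid/c", False)]

if __name__ == "__main__":
    for mode in ("plain", "cap_enter_only", "woven"):
        print(mode, violates(run_wget(URLS, mode)))
```

The plain loop violates the second alternative on the redirected download, the cap_enter-only variant passes that download but violates the first alternative on the next one because AMB never comes back, and only the fork/join version of slide 38 produces no violation.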