CapWeave Status DARPA On-site Meeting 30 Aug. 2012
[Diagram: CapWeave architecture. Inputs: Program, Policy. Components: Policy Parser, Weaver Generator, Code Generator, with Capsicum as the target OS. Output: Instrumented Program.]
Privilege-Aware OS’s
• OS maintains a privilege for each process
• Process actively manages its privilege by invoking security system calls (primitives)
Example Privilege-Aware OS’s
• Information-flow control: Asbestos [SOSP 2005], HiStar [OSDI 2006], Flume [SOSP 2007]
• Tagged memory: Wedge [NSDI 2008]
• Capabilities: Capsicum [USENIX Sec. 2010]
Running example: gzip

    compr(in, out) {
        body;
    }

    gzip() {
        files = parse_cl;
        for (f in files) {
            (in, out) = open;
            compr(in, out);
        }
    }

[Figure annotation: public_leak.com, marking where data could leak if body were compromised]
An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.
Capsicum: A Privilege-Aware OS
• Two levels of privilege:
  • High Capability (can open files)
  • Low Capability (cannot open files)
• Rules describing privilege:
  • Process initially executes with the capability of its parent
  • Process can invoke the cap_enter system call to take Low Capability
Securing gzip on Capsicum

    compr(in, out) {
        cap_enter();
        body;
    }

    gzip() {
        files = parse_cl;
        for (f in files) {
            (in, out) = open;
            compr(in, out);
        }
    }

[Animation: the frames annotate the privilege at each point. gzip starts with High Cap. and opens its files; compr calls cap_enter, so body runs with Low Cap. But cap_enter is not undone when compr returns, so on the next loop iteration open also runs with Low Cap. and cannot open files. The final frames replace compr(in, out) with fork_compr(in, out): the forked child takes Low Cap. and runs body, while the parent keeps High Cap. for the next open.]
[Diagram: division of labour. The programmer supplies the Program; the policy writer supplies the Policy; the Capsicum developer supplies the Capsicum model; we supply the Weaver Generator, which turns the Capsicum model into a Capsicum Policy Weaver, and that weaver combines Program and Policy into a Capsicum Program. The second frame generalizes this to any privilege-aware OS: an OS developer supplies the OS model, the Weaver Generator produces an OS Policy Weaver, and the output is an OS Program.]
Weaver Generator Features
• Designed an automata-theoretic weaver generator
• Efficient weaving algorithm using a scaffold-based safety-game solver
• Experimentally evaluated: feasible in practice
Programmer’s input. Program: a set of program actions (Prog Acts). For gzip: parse_cl, call compr, open, body, loop, ret compr, exit.
Policy writer’s input. Policy: a language over Prog Acts × Privs, with Privs = {HighCap, LowCap}. The gzip policy is written in terms of the pairs (open, LowCap) and (body, HighCap), the two pairs the informal policy rules out.
OS developer’s input. OS: a transducer from Prog Acts and Prims to Privs, with Prims = {cap_enter, fork, join}.
[Diagram, shown over three frames: states AllowHigh and AllowLow. In AllowHigh, open yields HighCap and the state stays AllowHigh; drop (cap_enter) moves AllowHigh to AllowLow; in AllowLow, open yields LowCap.]
OS Program. Instr: pairs of Prog Acts / Prims. For gzip:
• parse_cl / noop
• open / fork
• call compr / cap_enter
• loop / noop
• body / noop
• ret compr / join
[Diagram, shown over several frames: the game graph built from the program, policy and OS automata (nodes labelled a to f, x, y, z; edges labelled with program actions and primitives such as parse_cl, call compr, ce, open, body, fork, join, noop, ret compr, loop). The final frame shows the strategy found by the weaver as action / primitive pairs: parse_cl / noop, call compr / ce, open / fork, body / noop, ret compr / join, loop / noop.]
The Importance of VPA’s
• Accurately approximate the set of program paths
• Accurately model the relationship between OS primitives and privileges
• Modular strategies for stack-based games
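To make the weaving step concrete, here is an added toy weaver for the gzip example (my own illustration, not CapWeave’s code): the program is the action-labelled control-flow graph from the Program slide, the policy is the two forbidden pairs (open, LowCap) and (body, HighCap), and the OS model treats cap_enter, fork and join as operations on a stack of process privileges, the stack that the VPA-based game tracks. The solver computes the weaver’s winning region as a greatest fixed point and reads off an instrumentation; it assumes a bounded stack (gzip does not recurse), and its primitive preference order makes it fork at call compr rather than at open, which under this model is an equally valid strategy.

```python
from itertools import product

HIGH, LOW = "HighCap", "LowCap"
PROGRAM = {  # gzip control flow as action-labelled edges; the branch at p5 is the program's move
    "p0": [("parse_cl", "p1")], "p1": [("open", "p2")], "p2": [("call compr", "p3")],
    "p3": [("body", "p4")], "p4": [("ret compr", "p5")],
    "p5": [("loop", "p1"), ("exit", "p6")], "p6": []}
FORBIDDEN = {("open", LOW), ("body", HIGH)}  # the slide's policy, as forbidden (action, priv) pairs
PRIMS = ("join", "noop", "cap_enter", "fork")  # weaver's moves, tried in this order (fork last)

def apply_prim(stack, prim):
    """OS model: a primitive's effect on the privilege stack (top = running process), or None."""
    if prim == "cap_enter":                     # running process takes LowCap
        return stack[:-1] + (LOW,)
    if prim == "fork" and len(stack) < 2:       # child starts with parent's privilege (no recursion)
        return stack + (stack[-1],)
    if prim == "join" and len(stack) > 1:       # child finishes, parent resumes
        return stack[:-1]
    return stack if prim == "noop" else None    # noop always applies; the others did not here

def safe_moves(state, winning, forbidden):
    """Primitives after which every program move from `state` obeys the policy and stays winning."""
    point, stack = state
    for prim in PRIMS:
        st = apply_prim(stack, prim)
        if st is not None and all((act, st[-1]) not in forbidden and (nxt, st) in winning
                                  for act, nxt in PROGRAM[point]):
            yield prim, st

def solve(forbidden=FORBIDDEN):
    """Winning region of the safety game: a greatest fixed point over (point, stack) states."""
    winning = {(p, s) for p in PROGRAM for d in (1, 2) for s in product((HIGH, LOW), repeat=d)}
    while True:
        losing = {s for s in winning if next(safe_moves(s, winning, forbidden), None) is None}
        if not losing:
            return winning
        winning -= losing

def weave(forbidden=FORBIDDEN):
    """Instrumentation (action -> primitive) along the states reached under the strategy."""
    winning, plan, seen, todo = solve(forbidden), {}, set(), {("p0", (HIGH,))}
    if not todo <= winning:
        return None                             # no strategy: the policy cannot be enforced
    while todo:
        state = todo.pop()
        seen.add(state)
        prim, st = next(safe_moves(state, winning, forbidden))   # exists: state is winning
        for act, _ in PROGRAM[state[0]]:
            if plan.setdefault(act, prim) != prim:
                raise ValueError(f"strategy for {act!r} depends on the stack")
        todo |= {(nxt, st) for _, nxt in PROGRAM[state[0]]} - seen
    return plan
```

Calling weave() yields the action / primitive table in the style of the OS Program slide; passing an unsatisfiable policy (for example forbidding open at both privileges) returns None, which is the weaver's report that no strategy exists.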
Experiment Highlights
• Instantiated the weaver generator to a policy weaver for Capsicum
• Applied the Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC
• Found strategies in 0:05 to 2:00
Old Status: Policies as VPA’s
• Can’t be minimized in general
• No popular, common notation
• Large alphabets
New Status: Policies as Regex’s
• Loss: expressiveness
• Gains:
  • Support efficient minimization
  • Are well-known
  • Can be extended with “let” bindings to represent large alphabets succinctly
Role of a Code Generator
• The weaver generator outputs a state machine that decides which primitives should be called when
• The program still needs to be rewritten to invoke those primitives as dictated by the strategy

Current Status: Working Backend
• Strategy represented in memory as a multi-dimensional array
• Automatically generated functions marshal program data into RPC-compatible data structures
• Data is transferred between the forked processes over RPC
Integration with libcapsicum
[Diagram, shown over two frames: caller f hands args to marshall_from_f, which packs them into an args iovec; the libcapsicum RPC carries the args iovec to the forked process, where unmarshall_to_g unpacks them and calls g; g’s return value travels back as a ret iovec and is unmarshalled into the ret val that f receives.]