1 / 44

CapWeave Status

CapWeave Status. DARPA On-site Meeting 30 Aug. 2012. Program. Policy. CapWeave. Policy Parser. Weaver Generator. Capsicum. Code Generator. Instrumented Program. Privilege-Aware OS’s. OS maintains a privilege for each process

maille
Download Presentation

CapWeave Status

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CapWeave Status DARPA On-site Meeting 30 Aug. 2012

  2. Program Policy CapWeave Policy Parser Weaver Generator Capsicum Code Generator Instrumented Program

  3. Privilege-Aware OS’s • OS maintains a privilege for each process • Process actively manages its privilege byinvoking security system calls (primitives)

  4. Example Privilege-Aware OS’s • Information-flow control • Asbestos [SOSP 2005] • HiStar [OSDI 2006] • Flume [SOSP 2007] • Tagged memory: Wedge [NSDI 2008] • Capabilities: Capsicum [USENIX Sec. 2010]

  5. Running example: gzip compr(in, out) { body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } public_leak.com

  6. An Informal Policy for gzip When gzip executes body,it should only be able to read from inand write to out.

  7. Capsicum: A Privilege-Aware OS • Two levels of privilege: • High Capability (can open files) • Low Capability (cannot open files) • Rules describing privilege: • Process initially executes withcapability of its parent • Process can invoke the cap_entersystem callto take Low Capability

  8. Securing gzip on Capsicum compr(in, out) { cap_enter(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. public_leak.com High Cap.

  9. Securing gzip on Capsicum compr(in, out) { cap_enter(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. High Cap. High Cap. High Cap. High Cap.

  10. Securing gzip on Capsicum compr(in, out) { cap_enter(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. Low Cap. High Cap.

  11. Securing gzip on Capsicum compr(in, out) { cap_enter(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. High Cap. High Cap. fork_compr(in, out); High Cap.

  12. Securing gzip on Capsicum compr(in, out) { cap_enter(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. High Cap. fork_compr(in, out);

  13. Progrmr. Pol. Wrtr. CapsicumDev. Program Policy Capsicum Capsicum Policy Weaver Weaver Generator Us Capsicum Program

  14. Progrmr. Capscium Dev. Pol. Wrtr. OS Dev. Program Policy OS Capsicum Capsicum Policy Weaver OS Policy Weaver Weaver Generator Us Capsicum Program OS Program

  15. Weaver Generator Features • Designed an automata-theoreticweaver generator • Efficient weaving algorithm using a scaffold-based safety-game solver • Experimentally evaluated: feasible in practice

  16. Progrmr. OS Dev. Pol. Wrtr. Program Policy OS OS Policy Weaver Weaver Generator Weaver Generator Us OS Program

  17. Progrmr. Program: Prog Acts parse_cl Program call compr open body loop ret compr exit

  18. Progrmr. OS Developer Pol. Wrtr. Program Policy OS Weaver Generator Us OS Program

  19. Policy: Prog Acts x Privs Pol. Wrtr. Privs = { High Cap, Low Cap} Policy (open, LowCap) * (body, HighCap)

  20. Progrmr. OS Dev. Pol. Wrtr. Program Policy OS Weaver Generator Us OS Program

  21. OS Dev. OS: Prog ActsPrimsPrivs OS Prims = { cap_enter, fork, join } open / AllowHigh AllowHigh HighCap AllowLow

  22. OS Dev. OS: Prog ActsPrims Privs OS drop AllowHigh AllowLow

  23. OS Dev. OS: Prog Acts Prims Privs OS open / AllowLow AllowLow LowCap

  24. Progrmr. OS Dev. Pol. Wrtr. Program Policy OS Weaver Generator Us OS Program

  25. OS Program parse_cl/ noop Instr: Prog ActsPrims open/ fork call compr/cap_enter loop / noop body / noop ret compr/ join

  26. Progrmr. OS Dev. Pol. Wrtr. Program Policy OS Weaver Generator Us OS Program

  27. a c y x y x d b b d z y e y f

  28. Weaving as a Game

  29. parse_cl a call compr c y noop x y ce noop x ce body d open b b open body d fork z y noop e ret compr join y loop f

  30. parse_cl call compr noop ce noop ce body open open body fork noop ret compr join loop

  31. parse_cl call compr noop ce noop ce body open open body fork noop join ret compr loop

  32. parse_cl call compr parse_cl / call compr / ce noop noop open open / body / body fork noop ret compr / ret compr join loop loop /

  33. The Importance of VPA’s • Accurately approximate the setof program paths • Accurately model relationship betweenOS primitives and privileges • Modular strategies for stack-based games

  34. Experiment Highlights • Instantiated weaver-generator toa policy weaver for Capsicum • Applied Capsicum policy weaver to six UNIXutilities from 8 to 108 kLoC • Found strategies in 0:05 to 2:00

  35. Experiment Data

  36. Policy Program Policy Parser Weaver Generator Capsicum Code Generator Instrumented Program

  37. Old Status: Policies as VPA’s • Can’t be minimized in general • No popular, common notation • Large alphabets

  38. New Status: Policies as Regex’s • Loss: expressiveness • Gains: • Support efficient minimization • Are well-known • Can be extended with “let” bindingsto represent large alphabets succinctly

  39. Policy Program Policy Parser Weaver Generator Capsicum Code Generator Instrumented Program

  40. Role of a Code Generator • Weaver generator outputs a state machinethat decides which primitives should be calledwhen • Still need to rewrite program to invokeprimitives as dictated by the strategy

  41. Current Status: Working Backend • Strategy represented in memory as multi-dimensional array • Automatically generate functions that marshall program data to RPC-compatibledata structures • Transfer data between forked,RPCed processes

  42. Integration with libcapsicum g args ret val f

  43. Integration with libcapsicum g args ret val unmarshall_to_g argsiovec ret iovec libcapsicum RPC argsiovec ret iovec marshall_from_f args ret val f

  44. Policy Program Policy Parser Weaver Generator Capsicum Code Generator Instrumented Program

More Related