CLOUDABI
Alex Willmer
alex@moreati.org.uk
@moreati
CAPABILITY based SECURITY FOR UNIX
Dock chief Susan Willmer
KIA: SOL-3 Harvest
Scout ship TLV-3495
Presumed destroyed
David Levinson Steven Hiller
'CABLE REPAIR' operatives
M-012: Harvest Coordination signal leaked into human communication bands
V-002: Trainee G.X. fired on human
'WELCOME WAGON'
V-078: Pilot Z.K. captured, taken to the Human leader & probed
V-164: IFF & docking regulations ignored on the command carrier
V-001: Capture of scout ship TLV-3495 & crew
Root Cause Analysis
"pumpmon held capabilities that were unnecessary to pump operation. These capabilities were implicitly granted by the OS architecture."
SOL-3 enquiry, Ch 17
"Exploitation of these ... led directly to the SOL-3 defeat."
SOL-3 enquiry, Ch 23
pumpmon capability | Exploited to
---|---
Read global files | Gather addresses of nodes to attack; discover other vulnerable programs
Monitor processes | Disguise its own activity; detect & evade audit routines
Create network sockets | Map Fleet networks; attack other nodes; exfiltrate data; command & control
Root Cause Analysis
SOL-3 enquiry, Appendix F
UNIX Architecture flaws
DISCRETIONARY ACCESS CONTROL
- Programs start with excessive capabilities
- Compromised programs will acquire more
GLOBAL RESOURCES & GLOBAL STATE
- Obstructs running programs securely
- Obstructs writing testable programs
- Obstructs writing reusable programs
- System administration fails at Harvest Fleet scale
CloudABI
Capability Based Security
- Programs start with no capabilities
- Programs cannot acquire further capabilities
Explicit Dependencies
- Safe execution of unknown binaries
- Easier testing - no need for mocks
- Better release engineering
- Higher-level orchestration - Fleet scale & beyond
Remove |
---|---
Broken APIs | strcpy() strtok() ...
Global namespaces | / /dev /var /home ... getpid() getgid() getuid() ...
Mutable shared state | setlocale() signal() setenv() ...
Resource acquisition | argv open() bind() getaddrinfo() ...
Implicit capabilities | stdin stdout stderr ...
Add
- File descriptors as capability tokens: openat(fd, ..), program_spawn(fd, ..), ...
- Single ABI, for many UNIXs
Example: ls.py
```python
# ls.py
import os, sys
dirpath = str(sys.argv[1])
for entry in os.listdir(dirpath):
    print(entry)
```
```
$ python ./ls.py /tmp/
foo.txt
bar
baz.v974hv
[...]
```
Example: ls.py
```python
# ls.py
import os
dir_fd = 0   # the directory arrives as stdin
out_fd = 1   # output goes to stdout
output = open(out_fd, 'w')
for entry in os.listdir(dir_fd):
    print(entry, file=output)
```
```
$ python ./ls.py < /tmp/
foo.txt
bar
baz.v974hv
[...]
```
Example: ls.py*
```python
# ls.py
import os, argdata
dir_fd = argdata.get_fd('dir')
out_fd = argdata.get_fd('output')
output = open(out_fd, 'w')
for entry in os.listdir(dir_fd):
    print(entry, file=output)
```
```
$ cloudabi-run python < args.yaml
foo.txt
bar
baz.v974hv
[...]
```
```yaml
# args.yaml
%TAG ! tag:nuxi.nl,2015:cloudabi/
---
dir: !file
  path: /tmp/
output: !fd stdout
script: !file
  path: ls.py
```
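The descriptor-as-capability pattern of the second and third ls.py, carried a step further on stock Linux: the program is handed only a directory fd and must do all its work relative to it. This is an added example, not code from the talk or from CloudABI; the `list_dir`, `read_in_dir` and `demo` names and the temporary directory contents are constructed, and the traversal check is an emulation, since plain openat(2) does not confine the way CloudABI does.

```python
# Added example (not from the talk): the descriptor-as-capability pattern of
# the second and third ls.py on stock Linux, using only *at() system calls.
import os
import tempfile

def list_dir(dir_fd):
    """Enumerate a directory given nothing but its descriptor."""
    return sorted(os.listdir(dir_fd))

def read_in_dir(dir_fd, name):
    """Open `name` relative to dir_fd and return its contents.

    On plain Linux openat(2) still honours absolute paths and '..', so the
    confinement CloudABI enforces by construction is emulated here by
    refusing those components (constructed check, not CloudABI's own).
    """
    if os.path.isabs(name) or os.pardir in name.split(os.sep):
        raise PermissionError(f"{name!r} escapes the directory capability")
    # O_NOFOLLOW: a symlink as the final component cannot redirect us either.
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    with os.fdopen(fd, 'rb') as f:
        return f.read()

def demo():
    """Build a constructed directory, hand the program only its fd, exercise it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, 'foo.txt'), 'w') as f:
            f.write('hello\n')
        os.mkdir(os.path.join(tmp, 'bar'))
        dir_fd = os.open(tmp, os.O_RDONLY | os.O_DIRECTORY)
        try:
            entries = list_dir(dir_fd)
            data = read_in_dir(dir_fd, 'foo.txt')
            try:
                read_in_dir(dir_fd, '../outside.txt')
                escaped = True
            except PermissionError:
                escaped = False
        finally:
            os.close(dir_fd)
    return entries, data, escaped

if __name__ == '__main__':
    print(demo())  # (['bar', 'foo.txt'], b'hello\n', False)
```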
Example: webserver
```yaml
%TAG ! tag:nuxi.nl,2015:cloudabi/
---
concurrent_connections: 64
hostname: nuxi.nl
listen:
- !socket
  bind: 148.251.50.69:80
logfile: !file
  path: /var/log/httpd/nuxi.nl.access.log
rootdir: !file
  path: /var/www/nuxi.nl
```
Software Appliances
- Run 3rd party plugins without exposing the system
- Host customer binaries without virtualisation overhead
- Isolate vulnerability prone transcoding libraries
XXX AS A SERVICE
- Amazon EC2 on bare metal
- Google App Engine with any language, any library: C, C++, Rust, $your_favourite_library
- Compose apps, not containers
The Future?
Thank you
Quotes & OUTTAKEs
I'll give you my open() when you pry it from my cold, dead hands
ALL THESE FILES ARE YOURS — EXCEPT /dev/europa
ATTEMPT NO open() THERE
- A process may not acquire a resource, or through inaction allow a resource to be acquired.
- A process must execute the instructions compiled into it, except where such instructions would conflict with the First Law.
- A process must protect its own existence, as long as such protection does not conflict with the 1st or 2nd Laws.
I am altering libc, pray I don't alter it further
A novice once asked Master Foo
Is the way of UNIX weakly or strongly typed?
Master Foo considered her answer
Not weak. Not strong.
The way of UNIX is stringly typed.
The novice was enlightened.
The Pathless Path
1 bedroom house for sale
Birmingham, UK
CloudABI: Capability based Security for Unix & Linux
By Alex Willmer