CloudABI: Capability based security on Linux/Unix

CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Alex Willmer - CloudABI: Capability based security on Linux/Unix

Take POSIX, add capability-based security, then remove anything that conflicts. The result is CloudABI, available for BSD, Linux, OSX et al. A CloudABI process is incapable of any action that has a global impact. It can only affect the file descriptors you provide. As a result even unknown binaries can safely be executed - without the need for containers, virtual machines, or other sandboxes. This talk will introduce CloudABI, how to use it with Python, the benefits, and the trade-offs.

-----

[CloudABI] is a new POSIX based computing environment that brings [capability-based security] to BSD, Linux, OSX et al. Unlike traditional Unix, if a CloudABI process goes rogue it cannot execute random binaries, or read arbitrary files. This is achieved by removing `open()` & any other API able to acquire global resources. Instead a CloudABI process must be granted capabilities to specific resources (e.g. directories, files, sockets) in the form of file descriptors. If a process only has a descriptor for `/var/www` then it's incapable of affecting any file or folder outside that directory.

This talk will

- Review the security & reusability problems of Linux & Unix processes
- Introduce capability-based security
- Summarize the design of CloudABI - its benefits & trade-offs
- Demonstrate how to write Python software for CloudABI & run it
- Point out the pitfalls & gotchas to be aware of
- Discuss the current & future status of CloudABI

CloudABI began life on FreeBSD. It also runs on DragonFly BSD, NetBSD, PC-BSD, Arch Linux, Debian, Ubuntu, & OS X. The API & ABI are kernel agnostic - a CloudABI binary can run on any supported kernel. The design is evolved from [Capsicum], a library that allows processes to drop access to undesired syscalls at runtime. CloudABI applies this at build time to make testing & lock-down easier.
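The descriptor-only discipline described above, as an added Python example that is not part of the talk or of the CloudABI project: a stripped-down ls that receives its directory and its output as file descriptors rather than path strings, plus an openat-style helper that can acquire a file only relative to a descriptor it already holds. It runs on ordinary Linux/Unix Python 3, which merely emulates in userland the rule CloudABI's kernel enforces; the directory layout, `CapabilityError`, `list_dir_by_fd`, `open_below` and `demo` are constructed for this example.

```python
"""Capability-style ls: the program never receives a path string for the
directory it lists, only descriptors handed to it by its parent.

Added example (not from the talk or the CloudABI project). Runs on ordinary
Linux/Unix Python 3, which only emulates the rule CloudABI enforces in-kernel:
no open() by path, every acquisition goes through a descriptor already held.
"""
import os
import tempfile


class CapabilityError(PermissionError):
    """A request needs a resource for which we hold no descriptor."""


def list_dir_by_fd(dir_fd, out_fd):
    """Write the entries behind dir_fd to out_fd, one per line.

    Mirrors the stripped-down ls from the talk: the directory and the output
    are both descriptors, so the code has no string it could pass to open().
    """
    names = sorted(os.listdir(dir_fd))  # POSIX Python accepts an fd here
    os.write(out_fd, ("\n".join(names) + "\n").encode())
    return names


def open_below(dir_fd, relpath, flags=os.O_RDONLY):
    """Open relpath with dir_fd as its only root, refusing ways to escape it.

    CloudABI's kernel rejects absolute paths, '..' and symlinks that lead out
    of the directory; plain openat(2) does not, so the checks live here. Each
    component is opened relative to the previous descriptor with O_NOFOLLOW,
    so a symlink anywhere along the path fails with ELOOP.
    """
    if relpath.startswith("/"):
        raise CapabilityError("absolute path needs a root capability: %r" % relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise CapabilityError("path may not climb out of the directory: %r" % relpath)
    cur = dir_fd
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=cur)
            if cur != dir_fd:
                os.close(cur)
            cur = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=cur)
    finally:
        if cur != dir_fd:
            os.close(cur)


def demo():
    """Build a constructed /var/www-like tree and exercise both functions."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        www = os.path.join(root, "var_www")
        os.makedirs(os.path.join(www, "static"))
        with open(os.path.join(www, "index.html"), "wb") as f:
            f.write(b"<h1>hi</h1>")
        with open(os.path.join(www, "static", "app.js"), "wb") as f:
            f.write(b"// js")
        with open(os.path.join(root, "secret.txt"), "wb") as f:
            f.write(b"outside the capability")
        # A symlink inside the directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(www, "leak"))

        # The only capabilities the "process" receives: one directory, one pipe.
        dir_fd = os.open(www, os.O_RDONLY | os.O_DIRECTORY)
        rd, wr = os.pipe()
        try:
            results["listed"] = list_dir_by_fd(dir_fd, wr)
            os.close(wr)
            results["output"] = os.read(rd, 4096).decode()
            fd = open_below(dir_fd, "static/app.js")
            results["app_js"] = os.read(fd, 64)
            os.close(fd)
            for bad in ("/etc/hostname", "../secret.txt",
                        "static/../../secret.txt", "leak"):
                try:
                    os.close(open_below(dir_fd, bad))
                    results[bad] = "opened"
                except OSError:  # CapabilityError, or ELOOP from O_NOFOLLOW
                    results[bad] = "refused"
        finally:
            os.close(dir_fd)
            os.close(rd)
    return results
```

`demo()` returns a dict: the listing and the file read through the directory descriptor succeed, while the absolute path, both `..` paths and the outward symlink are refused.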
So we have Alex Willmer speaking to us about the new security ...

Greetings everyone, thank you for coming to this briefing on the inquiry into the Sol 3 harvest, 20 cycles ago. The contents of this briefing are classified; anybody who does not have a clearance must leave the room now. With the formalities over, we can begin. My name is Alex Willmer. My mother was Susan Willmer; she was chief of docking during the Sol 3 harvest 20 cycles ago. It was her that allowed that fateful ship to dock: the ship Tilbury 395, the one we presume destroyed. This was the ship that was carrying two human cable repair engineers. Those cable repair engineers were carrying the Jolly Roger software that led to the destruction of the entire fleet and the loss of the Sol 3 harvest, along with nearly a billion minds. I have been part of a team for the last 15 cycles investigating the reasons for this defeat. There were many contributing factors.

Our synchronization signal impinged on human communication; that allowed them to detect it and from this calculate the time of harvest. This resulted in their human leaders surviving the initial harvest attack. There were also numerous smaller incidents. We have seen such attempts to communicate before; they have of course never been successful, but in this case critical seconds were lost in confusing the humans, and they were able to escape the initial strike.

Another example I would like to highlight: following the initial counterattack by humans, which was of course futile (their kinetic weapons, their missiles, could not penetrate our energy-based shields), in one case a downed craft did lead to the capture of the pilot. The pilot was taken to the human leadership, where the pilot was tortured and interrogated; mind probes during this time did reveal our negotiating position, our harvest tactics and our general disposition. This resulted in counter-attacks by humans, all of a thermonuclear nature. Of course this was still futile, but these were contributing factors.

Finally there was one more I would like to highlight: the captured craft was not challenged, was not questioned, when it approached our main harvest ships. This allowed it to gain access to the command carrier; this allowed humans to gather intel on our initial invasion plans. All of these pale in significance to the principal reason for the Sol 3 defeat: the captured craft. From this capture the humans learned of our existence; they learned about our biology; they learned about our technology; critically, they learned of our Unix operating system. From this, from our technology, the humans went on to develop various things. Human codewords include Roswell, Area 51, Unix, Bell Labs, AOL. All of these are pale imitations of our consensus net, but they gave humans a critical foothold into our protocols and systems that allowed them to upload the virus to reclamation unit 369282. That reclamation unit then communicated on the consensus net and spread, sending commands fleet-wide, resulting in the disabling of all protection fields. From this the humans were then able to use one of their primitive thermonuclear devices.
So across 15 cycles we have been carrying out investigations. There are numerous lessons that have been learned in procedure and in command decisions; this briefing will concentrate on some of the technological implications. We find in the root cause analysis that the program pump was vulnerable to the human attack. That is how they got their foothold; that is how they were able to instruct our defence fields to switch off. Without that, their attack would have been useless. The problem with pump was not a simple buffer overflow or stack smashing attack; the problem was more architectural. Pump had numerous capabilities that it did not need in order to fulfil its role of monitoring. It could read global files, it could monitor processes, it could create network sockets to other places on the consensus net. All of these were unnecessary, and all of these were exploited by human hacking. The table you see is a quote from the report; please refer to that if you need the full details.

The architectural flaws of Unix all boil down to discretionary access control. That is, access control is not enforced by default; there are things that are open that do not need authenticated access. This means that programs on Unix systems start with excessive capabilities, and once compromised, programs can acquire further capabilities simply by opening them. There are global resources and global state throughout the Unix system. This obstructs running programs securely. It obstructs writing testable programs, because tests have to try and inject these normally global resources inside a restricted test environment. It obstructs writing reusable programs, because these programs assume a full Unix operating system, and it is very difficult to audit them to say what they actually use. System administration just does not work at a scale beyond a million nodes; we just do not know what the systems are doing.

Our team would like to propose a human technology that has actually been adapted from their reverse-engineered version of our Unix. This technology is called CloudABI. It is a relatively recent invention for humans, approximately 2 years old. Under CloudABI, programs start with the ability only to spawn threads and to allocate memory. Unless they are provided with access to external resources, they cannot acquire further access to external resources; they can only use the capabilities provided to them when they started. The implication of this is that it is safe to run an unknown CloudABI binary if it is given no resources: the worst thing that it can do is allocate too much memory and then burn CPU. As a result of this, with explicit capabilities passed into the program at start-up, it is much easier to audit these programs to say what they need; as a consequence it is much easier to test these programs. This leads to better release engineering, and could allow for higher-level orchestration: the ability to migrate processes between hosts, rather than virtual machines or containers. This could lead to more efficient resource use, and certainly to more secure resource use.

To give you a bit of background on this CloudABI technology: it was initially developed by a human called Ed Schouten, who is located on the European continent, initially for the human derivative of Unix called FreeBSD. It is now available for multiple human operating systems, and it is compatible with our consensus net and our original Unix. Some of you may be familiar with the human technology Capsicum; CloudABI is derived from this Capsicum project. In Capsicum a process initially gets access to global resources, and can acquire resources just like any other Unix process, but a Capsicum process can call a function called cap_enter, after which syscalls that allow it to acquire resources are blocked: they return an error, or result in the process being killed. This allows for more secure processes after they have started, after they have left their initial start-up phase. The problem with this Capsicum project is that integrating an external library into a Capsicum process causes runtime errors, strange behaviours, heisenbugs, because a library buried deep in the call stack might try to open a file, might try to initialize a pseudorandom number generator from a device and then fall back to a less secure method such as the time of day.

The innovation CloudABI takes is to make Capsicum the default. It is always on: CloudABI processes cannot call open(); they cannot see global resources such as process tables, file systems or user databases unless explicitly given access. To give you an idea of what we removed, all these APIs are unavailable to a CloudABI process. The first category is simple common sense: these are APIs that were not greatly designed in the first place, or that tend to result in buffer overflow bugs. There are safe alternatives already available with both Unix and CloudABI. The second category is basically the Unix file system: on a Unix operating system a process can open, or attempt to open, any file by its path. This is impossible in CloudABI. There is no open function, there is no stat function, there is no chdir, there is no getcwd. Next we move on to the mutable state functions: these are the ones that tend to have an effect process-wide, regardless of whether the process is multithreaded. These are removed because they make programs harder to reason about; removing them simplifies the API, and there are safer alternatives. Standard in, standard out and standard error are also removed, simply because they are a global resource that should be explicitly declared. argv is also removed: the method of passing arguments to a CloudABI process is incompatible with argv, which relies on acquiring resources based on string values. After removing these things we had one simple concept:
Unix file descriptors become capability tokens. These are the only tokens by which a CloudABI process acquires resources; all APIs in CloudABI that allow acquisition of new resources require an existing file descriptor to be passed in. A file descriptor might describe a directory, a file, a socket or even the handle to control a sub-process. The second thing we have is a single application binary interface. This means that a CloudABI process, once compiled on any Unix system native for humans, will run on any other Unix system without recompilation. The ABI is available for the following human systems: FreeBSD, Arch Linux, Debian, Ubuntu; it is even available for Mac OS. Support is in progress in the Linux kernel, but with the next release of the humans' FreeBSD it will be a native feature.

It is best at this point to illustrate with an example. We will be taking a very simple case, a Unix utility, ls. This takes the name or the path of a directory and prints out the names of the files and folders inside. This is a very simple example, stripped down to illustrate the differences. You will note that the process is taking in a string, assigning it to a variable, and then passing this string down to the operating system, and the operating system is acquiring resources on behalf of the process. If we did not see the source code of this process we would not know what it would be capable of. It might list the directory; it might list the directory and send those results back to humans for further analysis; it might read the contents of the directory; it might delete them. It could do any number of things; we don't know without fully auditing the source code.

Using some features of Unix we can come closer to a CloudABI design. In this one the ls program does not take any string input; it receives only file descriptors. File descriptor 0 is the directory that we are trying to show the contents of; descriptor 1 happens to be standard out. Given this model, if the program was unable to pass strings to the call to open and the call to list, we could say that this process was not able to do anything other than act on the resources it was provided, namely read-only access to a single directory and everything below it, and write-only access to a single file descriptor, namely standard out. The problem with this model is that it becomes very inflexible to pass in file descriptors in the exact sequence they will be used by the program. So the CloudABI system relies on a new mechanism called argdata. In argdata there is a set of APIs that gather file descriptors according to a tree structure; programs can acquire these as lists, as file descriptors or as maps. In the example you see the help of a program called cloudabi-run to match a YAML file, containing a description of the input to the program, to the file descriptors that the program will receive. In this example the Python executable is not a Unix executable; it is a CloudABI executable. Therefore, during the build of this Python executable, any reference to standard in, standard out, standard error, the C-level function open or the C-level function stat would have resulted in a compile-time error. As a result we can safely say that this execution of this Python script cannot do anything except read the contents of a single directory and write the output to a single file descriptor. This makes this process safe to execute without trusting its source; we need only know that we have exposed the inputs we provide to that program. The inputs are explicit, not implicit.

A further example. It should be mentioned at this point that this example is at the moment hypothetical: the Python port to CloudABI is in progress; it cannot currently do this. Other programs written in C have been ported, and there is a cloudabi-ports set of packages available. To view a further example illustrating what might be possible, we show here an example configuration for a web server. The server binary itself would not have its own configuration file; it could not read one if provided, and that file contains strings referring to paths which the web server would not be able to open. So in this example we combine arguments and configuration into a single file, and this file is provided to the cloudabi-run helper in order to acquire resources on behalf of the web server. With this, if the web server were compromised, it could not start listening on new ports; it could not open a network connection to send the contents of any acquired data out to the world. All it could do is serve network traffic on the socket that we have provided.

So at this moment we ask: what can we do in the future with this CloudABI system? We might imagine a future where software appliances can safely run customer-provided programs or third-party plug-ins without exposing the internals of the system or the entire operating system. These programs would be provided with a limited set of file descriptors and would therefore be constrained in what they can do to affect the outside world. We might use this device to isolate vulnerable systems, such as pump or transcoding libraries for security cameras, from fleet-wide security systems. By this means we could avoid problems in error-prone libraries such as the human library ImageMagick or the various video encoding libraries that have extremely complex input requirements and, as a result, tend to have many vulnerabilities. We might imagine the ability to use CloudABI in order to implement the human system Amazon EC2 without the overhead of virtual machines or containers. Similarly we might imagine the human system Google App Engine with the ability to submit programs written in any language: C, C++, Rust, assembly language. In theory these would be safe languages to implement programs in, and allow them to be uploaded to third-party cloud services without virtualization. This would allow us to compose applications, not containers.

I should now show you a brief demo of what has been achieved with the human language Python and the CloudABI system.
In order to run a CloudABI program on this system we can use the cloudabi-run helper. Python here is the binary that has been compiled against the CloudABI system headers and the CloudABI version of the C library. The binary itself cannot accept standard input or write to standard output, so the file that we are providing is going to the cloudabi-run program, which is a Unix program. It is opening resources on behalf of the Python binary; the Python binary is then receiving file descriptors. The contents of that YAML file look like this. At the moment the binary is a work in progress; this is the first thing about working with it. We have transliterated the native Unix Python arguments into YAML, and the command is given at the base. We are also able to execute a system call. In this case the Python script runs a bit of CPU and then prints the result to standard error. As a result of CloudABI, this is the worst this process can do. It has done no damage to the system as a whole, because it did not have access in order to do that damage. If we have a look at the contents of the YAML we see that all it had access to was read-only access in order to import the standard library, write-only access to standard error, and the ability to execute a simple syscall.

Work will continue on the path to port Python to the CloudABI system; there will be a sprint running at the human event EuroPython on Sunday. If you would like more information please visit these addresses on the human network. Our usual network taps on the networks are enforced ...
Question: I'm wondering, in the community there are a lot of tools aimed at the same problem, things like AppArmor ... Is this yet another such system?

Answer: The problem that we have found in our experience with AppArmor and such systems is that the incentives tend to be wrong. It is not the creator of a piece of software that configures the system; it is typically the distributors and system administrators. So as a result the configuration of the protection system, such as AppArmor or SELinux, tends not to be in sync with the requirements of the programs that are running. So all too often an administrator, in the midst of battle, will typically just turn them off. This is more so with inexperienced administrators, but even seasoned veterans of multiple campaigns have been known to switch the systems off when there is incoming fire.

Question: Is this in existing production use, always on? Are you currently running with this system?

Answer: The system is still in its early stages. It was conceived approximately 2 orbits ago, around 2 and a half cycles, but the creator has been working on it a while, and is an experienced developer as humans go. The Python part of this is most certainly not production-ready. Unfortunately the human responsible for its development ... some inconsiderate human gave him a job, so there was not time to complete it before this briefing.

Question: I have wanted to use some of these binary libraries like BusyBox; are there plans for CloudABI support? And we have seen the patterns of command followed by humans: they tend to use Linux a lot, and we are also seeing a proliferation of a tool called Docker, taking a different approach to security. Does that threaten the future of CloudABI? Why invest time in CloudABI when we all want to face different problems in the next harvest?

Answer: So I am pleased to report that the next harvest fleet is on its way to us, and they will pay for that. Docker, the human technology, does provide similar benefits to CloudABI; it has slightly higher overhead and is restricted only to the Linux operating system. The CloudABI Linux support is 90 per cent complete; it lacks the integration with their distributions at the moment, and we are working to improve this. What was the other part of your question? ... So there is a repository available of all the human-derived software that has been ported; there are over 100 packages in this. I do not believe BusyBox is one of them. The CloudABI model is better suited to long-running daemon processes than to interactive use. It can be quite cumbersome to provide all the file descriptors to CloudABI binaries in interactive shell use, so that is possibly a development to come. But if you wish to see if the package has been ported, I recommend visiting the cloudabi-ports link that was included in your notes. Any other questions?