capweave status

1

CapWeave Status

DARPA On-site Meeting30 Aug. 2012

2

Program Policy

CapWeave

Instrumented Program

Policy Parser

Weaver Generator

Code Generator

Capsicum

3

Privilege-Aware OS’s

• OS maintains a privilege for each process

• Process actively manages its privilege byinvoking security system calls (primitives)

4

Example Privilege-Aware OS’s

• Information-flow control– Asbestos [SOSP 2005]– HiStar [OSDI 2006]– Flume [SOSP 2007]

• Tagged memory: Wedge [NSDI 2008]• Capabilities: Capsicum [USENIX Sec. 2010]

5

Running example: gzip

gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

compr(in, out) { body;}

public_leak.com

6

An Informal Policy for gzip

When gzip executes body,it should only be able to read from inand write to out.

7

Capsicum: A Privilege-Aware OS

• Two levels of privilege:– High Capability (can open files)– Low Capability (cannot open files)

• Rules describing privilege:1. Process initially executes with

capability of its parent2. Process can invoke the cap_enter system call

to take Low Capability

8

Securing gzip on Capsicum


compr(in, out) { cap_enter(); body;}

High Cap.

Low Cap.

public_leak.com

9



High Cap.

High Cap.High Cap.

High Cap.

Low Cap.gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

10



Low Cap.Low Cap.


High Cap.

11



High Cap.


fork_compr(in, out);

Low Cap.

High Cap.High Cap.

12



High Cap.

Low Cap.gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

fork_compr(in, out);

Capsicum

13

Program Policy

CapsicumPolicy Weaver

Capsicum Program

Progrmr.

Weaver Generator

Capsicum Dev.

Us

Pol. Wrtr.

OSPolicy Weaver

Capscium Dev.

CapsicumOS

Capsicum Program

CapsicumPolicy Weaver

14

Program Policy

OS Program

Progrmr.

Weaver Generator

OS Dev.

Us

Pol. Wrtr.

15

Weaver Generator Features

1. Designed an automata-theoreticweaver generator

2. Efficient weaving algorithm using a scaffold-based safety-game solver

3. Experimentally evaluated: feasible in practice

Weaver Generator

16

Program Policy

OSPolicy Weaver

OS Program

Progrmr.

Weaver Generator

OS

OS Dev.

Us

Pol. Wrtr.

17

open

Program: Prog Acts

parse_cl

call compr

ret comprexit

Program

Progrmr.

loop

body

18

Program Policy

OS Program

Progrmr.

OS

OS Developer

Us

Pol. Wrtr.

Weaver Generator

19

Policy: Prog Acts x Privs

*

(open, LowCap)

(body, HighCap)

Policy

Pol. Wrtr.

Privs = { High Cap, Low Cap}

20

Program Policy

OS Program

Progrmr.

OS

OS Dev.

Us

Pol. Wrtr.

Weaver Generator

21

OS

OS Dev.

AllowHighopen /

HighCap

Prims = { cap_enter, fork, join }

OS: Prog Acts Prims Privs

AllowHigh

AllowLow

22

OS

OS Dev.

drop


AllowHigh AllowLow

23

OS

OS Dev.

open /

LowCap


AllowLow AllowLow

24

Program Policy

OS Program

Progrmr.

OS

OS Dev.

Us

Pol. Wrtr.

Weaver Generator

25

open /fork

parse_cl /noop

loop /noop body / noop

ret compr / join

OS Program

Instr: Prog Acts Prims

call compr / cap_enter

26

Program Policy

OS Program

Progrmr.

OS

OS Dev.

Us

Pol. Wrtr.

Weaver Generator

27

z

a yx

dd

e

b b

yx

f

c

y

y

28

Policy Weaving Safety GameProgram actions Attacker actions

OS primitives Defender actions

Policy Weaving Safety GameProgram actions Attacker actions

OS primitives Defender actionsCorrect

instrumentationWinning

Defender strategy

Policy Weaving Safety GameProgram actions Attacker actionsPolicy Weaving Safety Game

Weaving as a Game

29

fork

parse_cl noopce

bodybody

ret compr

open open

noopce

loop

call compr

noop

join

a

dd

e

b b

f

c

z

yxy

x

y

y

30

fork

parse_cl noopce

bodybody

ret compr

open open

noopce

loop

call compr

noop

join

31

fork

parse_cl noopce

bodybody

ret compr

open open

noopce

loop

call compr

noop

join

32

ret compr /

fork

parse_clparse_cl /ce

body

ret compr

open

noop

loop

call compr

noop

join

body /

loop /

call compr /

open /

noop

33

The Importance of VPA’s

• Accurately approximate the setof program paths

• Accurately model relationship betweenOS primitives and privileges

• Modular strategies for stack-based games

34

Experiment Highlights

• Instantiated weaver-generator toa policy weaver for Capsicum

• Applied Capsicum policy weaver to six UNIXutilities from 8 to 108 kLoC

• Found strategies in 0:05 to 2:00

35

Experiment Data

Program LoC Pol. States Timebzip2-1.0.6 8,399 12 0:04fetchmail-6.3.19 43,370 12 1:13gzip-1.2.4 9,076 9 1:47tar-1.25 108,723 12 1:20tcpdump-4.1.1 87,593 12 0:30wget-1.12 64,443 21 0:25

36

Program Policy


Policy Parser

Weaver Generator

Code Generator

Capsicum

37

Old Status: Policies as VPA’s

• Can’t be minimized in general• No popular, common notation• Large alphabets

38

New Status: Policies as Regex’s

• Loss: expressiveness• Gains:– Support efficient minimization– Are well-known– Can be extended with “let” bindings

to represent large alphabets succinctly

39

Program Policy


Policy Parser

Weaver Generator

Code Generator

Capsicum

40

Role of a Code Generator

• Weaver generator outputs a state machinethat decides which primitives should be calledwhen

• Still need to rewrite program to invokeprimitives as dictated by the strategy

41

Current Status: Working Backend

• Strategy represented in memory as multi-dimensional array

• Automatically generate functions that marshall program data to RPC-compatibledata structures

• Transfer data between forked,RPCed processes

42

Integration with libcapsicum

f

args ret val

g

43

Integration with libcapsicum

fargs

ret valg

marshall_from_f

unmarshall_to_g

libcapsicum RPCargs iovec

args iovec

args

ret val

ret iovec

ret iovec

44

Program Policy


Policy Parser

Weaver Generator

Code Generator

Capsicum

capweave status

Documents

open comprin

capsicumhigh cap

outlow cap

capsicumlow cap

securing gzip

high capability

gzipwhen gzip

low capability7