CapWeave Status
DARPA On-site Meeting, 30 Aug. 2012
[Diagram: CapWeave architecture. Inputs: Program and Policy. Pipeline: Policy Parser, Weaver Generator, Code Generator. Target OS: Capsicum. Output: Instrumented Program.]
Privilege-Aware OSes
• OS maintains a privilege for each process
• Process actively manages its privilege by invoking security system calls (primitives)
Example Privilege-Aware OSes
• Information-flow control
  – Asbestos [SOSP 2005]
  – HiStar [OSDI 2006]
  – Flume [SOSP 2007]
• Tagged memory: Wedge [NSDI 2008]
• Capabilities: Capsicum [USENIX Sec. 2010]
Running example: gzip

    gzip() {
      files = parse_cl;
      for (f in files) {
        (in, out) = open(f);
        compr(in, out);
      }
    }

    compr(in, out) {
      body;
    }

[Diagram: an arrow from body to public_leak.com, showing that nothing stops an unconstrained body from writing somewhere other than out.]
An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.
Capsicum: A Privilege-Aware OS
• Two levels of privilege:
  – High Capability (can open files)
  – Low Capability (cannot open files)
• Rules describing privilege:
  1. A process initially executes with the capability of its parent
  2. A process can invoke the cap_enter system call to take Low Capability
Securing gzip on Capsicum

    gzip() {
      files = parse_cl;
      for (f in files) {
        (in, out) = open(f);
        compr(in, out);
      }
    }

    compr(in, out) {
      cap_enter();
      body;
    }

[Diagram: gzip runs with High Cap.; after cap_enter, body runs with Low Cap. and can no longer reach public_leak.com.]
Securing gzip on Capsicum (continued)

[Animation, four slides: stepping through the instrumented gzip. The first iteration runs open with High Cap. and, after cap_enter inside compr, body with Low Cap. None of the primitives regains High Cap., so on the next loop iteration gzip itself is still at Low Cap. and the second open is shown under Low Cap. The last two slides replace the call compr(in, out) with fork_compr(in, out): the forked child calls cap_enter and runs body at Low Cap., while the parent gzip keeps High Cap. for the next open.]

    gzip() {
      files = parse_cl;
      for (f in files) {
        (in, out) = open(f);
        fork_compr(in, out);
      }
    }

    compr(in, out) {
      cap_enter();
      body;
    }
[Diagram: who provides what. The Programmer writes the Program and the Policy Writer writes the Policy; both feed the Capsicum Policy Weaver, which produces a Capsicum Program. The Capsicum Developer describes the Capsicum OS; we build the Weaver Generator, which turns that OS description into the Capsicum Policy Weaver.]
[Diagram: the same picture for an arbitrary privilege-aware OS. The Programmer's Program and the Policy Writer's Policy go into an OS Policy Weaver, which our Weaver Generator produces from the OS Developer's description of the OS; the output is an OS Program.]
Weaver Generator Features
1. Designed an automata-theoretic weaver generator
2. Efficient weaving algorithm using a scaffold-based safety-game solver
3. Experimentally evaluated: feasible in practice
Program: Prog Acts
[Diagram, from the Programmer: the program as an automaton over program actions (Prog Acts), arranged as in the gzip sketch: parse_cl, then a loop of open, call compr, body and ret compr, and finally exit.]
Policy: Prog Acts × Privs
[Diagram, from the Policy Writer: Privs = {High Cap, Low Cap}. The policy automaton has a `*` self-loop that allows every other (action, privilege) pair; the two pairs it rules out are (open, LowCap) and (body, HighCap).]
OS: Prog Acts × Prims × Privs
[Diagram, from the OS Developer, built up over three slides: Prims = {cap_enter, fork, join}. The OS is an automaton with states AllowHigh and AllowLow. In AllowHigh a program action such as open executes with HighCap (edge open / HighCap); a drop (cap_enter) moves the OS to AllowLow, where the same action executes with LowCap (edge open / LowCap).]
Instr: Prog Acts → Prims
[Diagram: the instrumentation the weaver produces for gzip, written as program action / primitive to run before it: parse_cl / noop, open / fork, call compr / cap_enter, body / noop, ret compr / join, loop / noop.]
[Diagram: an abstract automaton with states a, b, c, d, e, f and edge labels x, y, z, introducing the game on the next slide.]
Weaving as a Game
Policy Weaving Safety Game
• Program actions: Attacker actions
• OS primitives: Defender actions
• Correct instrumentation: Winning Defender strategy
[Animation, four slides: the safety game for gzip drawn as a graph. Attacker edges carry the program actions parse_cl, open, call compr, body, ret compr and loop; defender edges carry the primitives noop, ce (cap_enter), fork and join. The last frame labels each program action with the primitive the winning strategy runs before it, which is read off as an instrumentation of the form shown on the Instr slide.]
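To make the game concrete, here is an added toy model, written for this page and not part of CapWeave or its paper. It encodes the four ingredients from the slides: the gzip control-flow automaton as the attacker, the two disallowed pairs as the policy, a privilege stack as the OS state (so fork and join can be modelled), and a fixpoint safety-game solver that returns a winning defender strategy. The strategy it finds forks before call compr rather than before open, which is a different but equally winning instrumentation; check_instrumentation verifies the Instr slide's own fork / cap_enter / join mapping and shows that cap_enter alone lets the second open run at LowCap, the failure the gzip animation illustrates. The bound MAX_DEPTH on nested forks and the preference order PRIM_ORDER are assumptions of this model; the real weaver solves a visibly pushdown game instead of bounding the stack.

```python
"""Policy weaving as a safety game: constructed toy model, not CapWeave code."""
from itertools import product

PRIVS = ("HighCap", "LowCap")

# Program (Programmer): automaton over Prog Acts, mirroring the gzip sketch.
PROGRAM = {
    "s0": [("parse_cl", "s1")],
    "s1": [("open", "s2")],
    "s2": [("call compr", "s3")],
    "s3": [("body", "s4")],
    "s4": [("ret compr", "s5")],
    "s5": [("loop", "s1"), ("exit", "s6")],
    "s6": [],
}
INITIAL = ("s0", ("HighCap",))

# Policy (Policy Writer): all (act, priv) pairs allowed except these two.
FORBIDDEN = {("open", "LowCap"), ("body", "HighCap")}

# OS (OS Developer): Prims = {cap_enter, fork, join} plus noop. The privilege
# state is a stack: running process on top, its parent below.
MAX_DEPTH = 2  # assumption: bound on nested forks so the game stays finite
PRIM_ORDER = ("join", "noop", "cap_enter", "fork")  # assumption: tie-break order

def apply_prim(stack, prim):
    """Privilege stack after `prim`, or None if the primitive is not applicable."""
    if prim == "noop":
        return stack
    if prim == "cap_enter":                 # running process drops to LowCap
        return stack[:-1] + ("LowCap",)
    if prim == "fork" and len(stack) < MAX_DEPTH:
        return stack + (stack[-1],)         # child starts with its parent's privilege
    if prim == "join" and len(stack) > 1:
        return stack[:-1]                   # child done; parent's privilege is current again
    return None

def positions():
    stacks = [s for d in range(1, MAX_DEPTH + 1) for s in product(PRIVS, repeat=d)]
    return [(q, s) for q in PROGRAM for s in stacks]

def safe_prims(stack, act, q2, losing):
    """Primitives that keep `act` allowed and lead outside the losing set."""
    out = []
    for prim in PRIM_ORDER:
        nxt = apply_prim(stack, prim)
        if nxt is not None and (act, nxt[-1]) not in FORBIDDEN and (q2, nxt) not in losing:
            out.append(prim)
    return out

def solve_game():
    """Attacker's winning region as a least fixpoint: a position is losing for the
    defender if some program action has no safe primitive to run before it."""
    losing, changed = set(), True
    while changed:
        changed = False
        for q, stack in positions():
            if (q, stack) not in losing and any(
                    not safe_prims(stack, act, q2, losing) for act, q2 in PROGRAM[q]):
                losing.add((q, stack))
                changed = True
    return losing

def synthesize():
    """Winning strategy (state, stack, action) -> primitive over the positions the
    defender actually reaches; empty if the initial position is losing."""
    losing = solve_game()
    strategy, todo, seen = {}, [INITIAL] if INITIAL not in losing else [], set()
    while todo:
        q, stack = todo.pop()
        if (q, stack) in seen:
            continue
        seen.add((q, stack))
        for act, q2 in PROGRAM[q]:
            prim = safe_prims(stack, act, q2, losing)[0]   # non-empty: position is winning
            strategy[(q, stack, act)] = prim
            todo.append((q2, apply_prim(stack, prim)))
    return strategy

def check_instrumentation(instr):
    """Simulate a fixed Prog Acts -> Prims map (the Instr slide's shape) over every
    path; None if the policy always holds, else the first (action, detail)."""
    todo, seen = [INITIAL], set()
    while todo:
        q, stack = todo.pop()
        if (q, stack) in seen:
            continue
        seen.add((q, stack))
        for act, q2 in PROGRAM[q]:
            prim = instr.get(act, "noop")
            nxt = apply_prim(stack, prim)
            if nxt is None:
                return (act, f"{prim} not applicable with stack {stack}")
            if (act, nxt[-1]) in FORBIDDEN:
                return (act, nxt[-1])
            todo.append((q2, nxt))
    return None

NAIVE_INSTR = {"call compr": "cap_enter"}                                      # cap_enter only
SLIDE_INSTR = {"open": "fork", "call compr": "cap_enter", "ret compr": "join"}  # Instr slide
```

check_instrumentation(NAIVE_INSTR) returns ("open", "LowCap"): once cap_enter has run, no primitive brings the process back to HighCap, so the second file's open is executed at LowCap. check_instrumentation(SLIDE_INSTR) returns None, and synthesize() yields fork before call compr, cap_enter before body and join before ret compr, with noop everywhere else. The solver is deliberately the simplest thing that works (enumerate positions, iterate to a fixpoint); the slides' scaffold-based solver and VPA representation exist precisely because this enumeration does not scale to real programs.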
The Importance of VPAs
• Accurately approximate the set of program paths
• Accurately model the relationship between OS primitives and privileges
• Modular strategies for stack-based games
Experiment Highlights
• Instantiated the weaver generator to a policy weaver for Capsicum
• Applied the Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC
• Found strategies in 0:05 to 2:00
Experiment Data

    Program           LoC      Pol. States  Time
    bzip2-1.0.6       8,399    12           0:04
    fetchmail-6.3.19  43,370   12           1:13
    gzip-1.2.4        9,076    9            1:47
    tar-1.25          108,723  12           1:20
    tcpdump-4.1.1     87,593   12           0:30
    wget-1.12         64,443   21           0:25
Old Status: Policies as VPAs
• Can’t be minimized in general
• No popular, common notation
• Large alphabets
New Status: Policies as Regexes
• Loss: expressiveness
• Gains:
  – Support efficient minimization
  – Are well known
  – Can be extended with “let” bindings to represent large alphabets succinctly
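As an added example of the let-binding idea (the deck does not show CapWeave's actual policy syntax, so the syntax below is an assumption made for this page): a tiny policy language in which let lines build sub-alphabets of Prog Acts × Privs with product (x), union (|) and difference (-), and the final line is a regular expression of permitted traces over those names. The gzip policy names all 14 symbols of the product alphabet in two lines instead of listing them, and the whole thing compiles to an ordinary regex, so off-the-shelf regex tooling applies.

```python
"""Regex policies with `let` bindings: constructed example, not CapWeave syntax."""
import re

# Constructed policy text for the gzip example. Symbols are act@priv; the last
# line is the regex of permitted traces (Prog Acts x Privs, minus the two
# disallowed pairs, repeated any number of times).
POLICY_SRC = """
let Acts  = {parse_cl,open,call_compr,body,ret_compr,loop,exit}
let Privs = {HighCap,LowCap}
let Any   = Acts x Privs
let Bad   = {open} x {LowCap} | {body} x {HighCap}
let Good  = Any - Bad
Good*
"""

def eval_set(expr, env):
    """Evaluate a sub-alphabet expression. Product (x) binds tighter than | and -,
    which are applied left to right; names refer to earlier let bindings."""
    def atom(tok):
        tok = tok.strip()
        if tok.startswith("{"):
            return {s.strip() for s in tok[1:-1].split(",") if s.strip()}
        return env[tok]
    def term(text):
        factors = [atom(f) for f in re.split(r"\s+x\s+", text.strip())]
        acc = factors[0]
        for f in factors[1:]:
            acc = {a + "@" + b for a in acc for b in f}   # cartesian product
        return acc
    parts = re.split(r"\s*([|-])\s*", expr.strip())
    result = term(parts[0])
    for op, text in zip(parts[1::2], parts[2::2]):
        result = result | term(text) if op == "|" else result - term(text)
    return result

def compile_policy(src):
    """Return (compiled regex over encoded traces, binding environment)."""
    env, regex = {}, ""
    for line in src.strip().splitlines():
        line = line.strip()
        if line.startswith("let "):
            name, expr = line[4:].split("=", 1)
            env[name.strip()] = eval_set(expr, env)
        elif line:
            regex = line
    def translate(tok):
        if tok in ("(", ")", "*", "|"):
            return tok
        # each named sub-alphabet becomes an alternation of its symbols
        alts = "|".join(re.escape(sym) + " " for sym in sorted(env[tok]))
        return "(?:" + alts + ")"
    pattern = "".join(translate(t) for t in re.findall(r"\w+|[()*|]", regex))
    return re.compile(pattern), env

def encode(trace):
    """Encode a trace of (act, priv) pairs as space-terminated act@priv symbols."""
    return "".join(f"{act}@{priv} " for act, priv in trace)

def complies(policy, trace):
    return policy.fullmatch(encode(trace)) is not None

POLICY, BINDINGS = compile_policy(POLICY_SRC)

# Constructed traces: with cap_enter alone the second open runs at LowCap;
# the fork-based instrumentation keeps gzip at HighCap for it.
NAIVE_TRACE = [("parse_cl", "HighCap"), ("open", "HighCap"), ("call_compr", "HighCap"),
               ("body", "LowCap"), ("ret_compr", "LowCap"), ("loop", "LowCap"),
               ("open", "LowCap")]
FORKED_TRACE = [("parse_cl", "HighCap"), ("open", "HighCap"), ("call_compr", "HighCap"),
                ("body", "LowCap"), ("ret_compr", "HighCap"), ("loop", "HighCap"),
                ("open", "HighCap"), ("exit", "HighCap")]

if __name__ == "__main__":
    print(len(BINDINGS["Any"]), "symbols in Any,", len(BINDINGS["Good"]), "in Good")
    print("naive trace complies:", complies(POLICY, NAIVE_TRACE))
    print("forked trace complies:", complies(POLICY, FORKED_TRACE))
```

Only the let lines need the product operator; the regex line itself is written over the bound names, which is what keeps it readable when the alphabet is the product of a program's actions and an OS's privileges. Minimization is not shown here: Python's re does not minimize, so a weaver would hand the expanded pattern to a DFA library for that.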
Role of a Code Generator
• The weaver generator outputs a state machine that decides which primitives should be called, and when
• We still need to rewrite the program to invoke primitives as dictated by the strategy
Current Status: Working Backend
• Strategy represented in memory as a multi-dimensional array
• Automatically generate functions that marshall program data to RPC-compatible data structures
• Transfer data between forked, RPCed processes
Integration with libcapsicum
[Diagram: before integration, f calls g directly, passing args and receiving the ret val.]
Integration with libcapsicum
[Diagram: after integration, f's args go through marshall_from_f into an args iovec, cross the libcapsicum RPC boundary, and are turned back into args by unmarshall_to_g before g runs; g's ret val travels back the same way as a ret iovec.]
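An added demo of the marshalling shape on the two slides above and of the "transfer data between forked, RPCed processes" item on the backend slide; it is constructed for this page and is neither the CapWeave backend nor libcapsicum. marshall_from_f packs g's arguments into one length-prefixed buffer (standing in for the args iovec), a forked child unmarshalls it, runs g, and returns its result the same way as the ret iovec. The child's cap_enter() call is left out so the demo runs on any POSIX system, and zlib.compress stands in for gzip's compression body.

```python
"""Marshalling across a forked RPC boundary: constructed demo, not libcapsicum."""
import os
import struct
import zlib

def marshall(fields):
    """Length-prefix each bytes field into one contiguous buffer (the iovec stand-in)."""
    return b"".join(struct.pack("<I", len(f)) + f for f in fields)

def unmarshall(buf):
    """Inverse of marshall; rejects truncated buffers instead of reading past them."""
    fields, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        if pos + n > len(buf):
            raise ValueError("field runs past end of buffer")
        fields.append(buf[pos:pos + n])
        pos += n
    return fields

def compr(data, level):
    """Stand-in for gzip's compression body (constructed)."""
    return zlib.compress(data, level)

def marshall_from_f(data, level):
    """Caller side: turn g's arguments into the args buffer."""
    return marshall([data, struct.pack("<i", level)])

def unmarshall_to_g(buf):
    """Callee side: rebuild g's arguments from the args buffer."""
    data, level = unmarshall(buf)
    return data, struct.unpack("<i", level)[0]

def _read_all(fd):
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:                       # EOF: writer closed its end
            return b"".join(chunks)
        chunks.append(chunk)

def _write_all(fd, buf):
    view = memoryview(buf)
    while view:
        view = view[os.write(fd, view):]

def rpc_compr(data, level):
    """Run compr in a forked child; only the two buffers cross the boundary.
    A libcapsicum child would call cap_enter() before touching the args."""
    args_r, args_w = os.pipe()
    ret_r, ret_w = os.pipe()
    pid = os.fork()
    if pid == 0:                            # child: plays the sandboxed g
        try:
            os.close(args_w)
            os.close(ret_r)
            result = compr(*unmarshall_to_g(_read_all(args_r)))
            _write_all(ret_w, marshall([result]))
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(args_r)                        # parent: plays f
    os.close(ret_w)
    _write_all(args_w, marshall_from_f(data, level))
    os.close(args_w)                        # EOF tells the child the args are complete
    ret_buf = _read_all(ret_r)
    os.close(ret_r)
    _, status = os.waitpid(pid, 0)
    if status != 0:
        raise RuntimeError(f"child exited with status {status}")
    return unmarshall(ret_buf)[0]

if __name__ == "__main__":
    sample = b"constructed sample input " * 200
    out = rpc_compr(sample, 6)
    print(len(sample), "->", len(out), "bytes; matches direct call:", out == compr(sample, 6))
```

The length prefixes are what make the boundary safe to cross: the receiving side checks every field against the buffer it actually got, so a short or corrupted buffer raises ValueError instead of being read past its end, and nothing but bytes ever leaves the sandboxed side.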