% capsicum

# sandboxing

- this week:
  - today: OS-level (capsicum)
  - Wednesday: language-level (SFI)

# the confused deputy

- `/sysx/fort`: a compiler given the "home files license": able to write to `/sysx/*`
- good: `/sysx/fort /home/xi/foo.f -dump /sysx/stat`
- "bad": `/sysx/fort /home/xi/foo.f -dump /sysx/bill`
  - users cannot directly write to `/sysx/bill`, but can trick the compiler into doing so
- how about setuid programs in general?

# what's the root cause

- `/sysx/fort` is running on behalf of two principals
  - user principal: open `foo.f`
  - compiler principal: home files license
- other examples: web server, cross-site request forgery

# how to fix this

- compiler switches UIDs
- more checking: for every filename from the user, check if the user can access it (watch for TOCTTOU)
- pass a capability (e.g., an fd) instead of filenames: `/sysx/fort` couldn't overwrite the bill file if the user has no access to it

# threat model

- what's the problem capsicum tries to solve?
- applications have bugs: assume compromise after some point
  - esp. the network-facing parts: browsers, servers, ...
  - (unless you go prove them bug-free)
- _not_ arbitrary/malicious applications

# sandboxing

- high-level idea: break up into smaller compartments
- secure each (or the most vulnerable) compartment
- confine damage to one compartment (ideally w/ least privilege)
- real-world examples?

# sandboxing plans

- virtual machine: good isolation; hard to share; perf
- discretionary access control (DAC)
- mandatory access control (MAC)
- capability
  - _not_ Linux capabilities CAP_* (partition root)

# DAC

- discretionary: users can call `chmod` (e.g., unix)
- objects: ACLs (unix file permissions)
- processes: privileges (uid)
- check a process's privilege when it accesses an object
- sandbox: create separate principals (Android: each app in its own uid)
  - root required for: creating new principals, chroot
  - processes: the confused deputy

# MAC

- centrally controlled security policies
- Linux: SELinux, seccomp-bpf (_not_ the seccomp in the paper)
- Mac OS X: Seatbelt, from TrustedBSD MAC
- Windows: Mandatory Integrity Control (track integrity levels)

# capsicum

- capability: combine object & privilege
- pragmatic, unix-y: compared to pure capability-based OSes
- fd is a capability for a file
  - what else can be represented?
  - cannot make up fds: why?
  - can access the file as long as you have the fd
  - can pass fds to other processes
- enabled by default since FreeBSD 10 (casper: FreeBSD 11)
- Linux port (not upstreamed), capweave (Oakland '13)

# demo: have you tried capsicum?

- no access to the global namespace: why?
- disallow "..": why?
- do unix permissions still apply?
- casper: reverse DNS lookups, random number generation, ...

# q

- what does capsicum guarantee (for developers, not for users)?
- how to attack capsicum-based applications?
- is capsicum easy to use / how much to rewrite?
- what applications are (not) suitable?