Capsicum
Transformation of code to use Capsicum
- Robert had a student, Gabriela Sklenarova, who has worked on automatic transformation of code to use Capsicum sandboxes
  - Based on the SOAAP work by Khilan Gudka
  - Code is annotated with a compartmentalization hypothesis to discover problems
  - Gabriela leveraged this work to automate the capsizing of the software
  - Uses a simplified programming model
- Brian Kidney is looking to extend this research
- Right now very much at the research stage
SOAAP
- Extension to LLVM that allows you to annotate programs with sandbox properties
- Does static analysis to tell you of problems with the suggested sandboxing
  - Relies on the annotations
  - Has to be aware of the sandboxing semantics
- SOAAP has a dependency on the version of LLVM
- TODO: Track down the current state of SOAAP
  - Determine the amount of work to make it a port
Static Analysis
- Developing a new tool to investigate control-flow (and soon data-flow) graphs
[py-cdg](https://github.com/musec/py-cdg)
- Uses opt pass that emits callgraph output
- Identify cases in libc that access global namespaces e.g. syslog
- Example: assume you have full bitcode for application + libraries (libc), identify all syscalls not permitted in capability mode, identify high-centrality nodes leading to unpermitted syscalls
- TODO: Look at OpenSSL problem with the use of hardware crypto (/dev/crypto) and Capsicum
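An added example (not code from py-cdg or the summit) of the analysis sketched above: over a constructed call graph in which `sys:*` leaf nodes stand for system calls, it enumerates every path from `main` to a syscall the (constructed) policy does not permit in capability mode and ranks the interior nodes by how many of those paths cross them, preferring the node closest to the syscall, which is the cheapest place to interpose a Casper-style service.

```python
"""Rank call-graph nodes that lead to syscalls not permitted in capability mode."""
from collections import defaultdict

# Constructed call graph (function -> callees); "sys:*" nodes stand for system calls.
# Sample data only, not the output of py-cdg or of any real bitcode.
CALL_GRAPH = {
    "main": ["parse_args", "serve"],
    "parse_args": ["load_config"],
    "load_config": ["sys:open"],
    "serve": ["accept_loop", "log_msg"],
    "accept_loop": ["sys:accept", "handle"],
    "handle": ["sys:read", "sys:write", "log_msg"],
    "log_msg": ["syslog"],
    "syslog": ["sys:socket", "sys:connect"],  # /var/run/log lives in a global namespace
}
# Constructed policy: syscalls that take a path or address from a global namespace.
NOT_PERMITTED = {"sys:open", "sys:connect"}


def offending_paths(graph, root, forbidden):
    """Return every simple path from root to a forbidden syscall node."""
    found = []

    def walk(node, path):
        if node in forbidden:
            found.append(path)
            return
        for callee in graph.get(node, []):
            if callee not in path:  # skip cycles (recursion in the program)
                walk(callee, path + [callee])

    walk(root, [root])
    return found


def rank_interposition_points(paths):
    """Order interior nodes by number of offending paths crossing them; on ties
    prefer the node nearest the syscall, then the name (deterministic output)."""
    count = defaultdict(int)
    nearest = {}
    for path in paths:
        for depth, node in enumerate(path[1:-1], start=1):
            count[node] += 1
            dist = len(path) - 1 - depth  # hops from this node to the syscall
            nearest[node] = min(dist, nearest.get(node, dist))
    return sorted(count, key=lambda n: (-count[n], nearest[n], n))


if __name__ == "__main__":
    hits = offending_paths(CALL_GRAPH, "main", NOT_PERMITTED)
    for p in hits:
        print(" -> ".join(p))
    print("interpose at:", rank_interposition_points(hits))
```

On this input `syslog` ranks first: both `sys:connect` paths pass through it and it sits one hop from the syscall, which matches the observation that logging via libc reaches a global namespace and is a candidate for a Casper service.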
Casper Update and Future Work
- Currently all services in Casper wrap libc functions
- Additional functions could limit them further
- Documentation is lacking for Casper at the moment
- Casper services are not themselves sandboxed
  - TODO: Investigate sandboxing of Casper services
Current Casper Services
- DNS
  - libc DNS functions
- grp
  - Look up uid/gid
- random
  - Return a buffer of random data
- pwd
  - Password db operations
- sysctl
  - Perform sysctls not allowed directly
Namespace Management
- connect
- subsetting
  - based on naming
- create (not currently available)
  - Right now services cannot be added dynamically
  - Only access to current services
  - Need to link to the service library
  - TODO: Investigate the ability to create services on the fly
- libcaspermock
  - A library to hide the ifdefs used to create Capsicum/non-Capsicum versions of a program
  - Instead, call this library, which uses either the Casper version or the original version depending on whether sandboxing is enabled
Future Service Suggestions
- DNS Socket
  - Open a socket connected to a name
  - e.g. "Open me a socket connected to www.foo.com on port 80"
- Configuration Service
  - Service to provide a program with its configuration
  - Service to go to UCL to parse a config and return a structured configuration via nv_list
  - There are questions whether UCL is sufficiently mature to handle all the important configuration structures that exist
  - Event notification will also need to be investigated to ensure configurations can be properly updated
- D-Bus
- Logging
- filesystem
- TLS
- Peer Discovery / Cluster Discovery
Making Capsicum Default
- Should we get rid of OPTIONS_CAPSICUM?
- Robert Watson would like to investigate the performance hit and keeping the option is needed for that
- Would prefer to delay in the removal, but is fundamentally for the change
capsh
- A shell to execute non-modified binaries in a Capsicum sandbox for inception
- The FreeBSD runtime linker has been made executable to enable this.
- Flow
  - Open FD to runtime linker
  - Open FD to exe
  - Runtime linker is run using fexecve, handing in the FD to the binary
  - Library directories are preopened and accessed via openat
  - libc calls are intercepted to use the preopened library directories
- Currently runs echo and is close to being able to run cat
- Work being done to extend the functionality, including handing in a handle to Casper in the future
- Presented at BSDCan 2017
[Oblivious sandboxing](https://www.bsdcan.org/2017/schedule/events/838.en.html)
- TODO: Ensure the no-exec flag is honoured when launching applications in this manner
pdfork, pdwait4, truss, and weak FD
- Could add a flag to make it visible to waitfor/waitpid
- There are problems using truss on applications using pdfork
- A new PR will be created to investigate ideas around pdfork and wait visibility
- There is still some interest in weak FDs that allow access to process information as long as the process still exists
  - Not blocking any current development
  - There are questions about implementation and the performance hit if it requires another level of indirection
  - Back burner for now until needed
Maintenance
- As new system calls are added we don't specifically consider Capsicum
- We fail safely
- There is a wiki page that specifies what you need to do when you add a system call, but it is not always followed
- It could help to identify problems if we could run SOAAP automatically in Jenkins nightly
Brainstorm discussion ideas
- GCap
- Eliminate non-determinism in Capsicum
- Disable precise timers using Capsicum
- Port patching and integration