Privilege Separation and Pledge
Theo de Raadt, OpenBSD
[Title figure: Main maid, DNS maid, NTP protocol maid]
Application software (ports) (educating upstream about better practices)
Own Applications: design & architecture (Privilege Separation, Privilege Drop, auditing, ...)
Address Space and other resources (ASLR, W^X, cookies, ...)
Libraries (especially libc) (strlcpy, arc4random, strict malloc, auditing, ...)
System call interface (pledge)
Kernel (some ASLR, W^X, ...)
Hardware and BIOS (cry into our beer...)
Many small changes to improve security
Focus on the interaction between two of these layers: privilege separation in our own applications, and pledge at the system call interface
Privilege Separation
A design pattern — splits a program into processes performing different sub-functions
Each process is designed to operate in a separate security domain
Processes cooperate over pipes using some protocol
Subset of “sandboxing” concept
Separated at birth
Master process
Runs as root, only does settimeofday()
DNS Servicer
Does DNS lookups
Internet Speaker
Speaks NTP to Internet
(Our own ntpd as an example)
Privilege Separation examples
The original 3:
Qmail
Postfix
OpenSSH
And… Chrome
Defence in Depth
We designed & modified many more programs to use this design pattern
Experience gained with 60 more programs!!!
Routing daemons, Mail daemons, dhcp tools, tcpdump…
Let’s build a mechanism which enforces security domains!
Major ones…
bgpd, dhclient, dhcpd, dvmrpd, eigrpd, file, httpd, iked, ldapd, ldpd, mountd, npppd, ntpd, ospfd, ospf6d, pflogd, radiusd, relayd, ripd, script, smtpd, syslogd, tcpdump, tmux, xconsole, xdm, X server, ypldap, pkg_add
Pledges are POSIX subsets
Pledge syscall requests that only (a carefully selected) subset of POSIX functionality be permitted
Subsets such as: stdio rpath wpath cpath fattr inet dns getpw proc exec sendfd recvfd …
Deep functional support in the kernel — more sophisticated than "seccomp"
Privsep – enforce with Pledge
Master process
Pledge "settime"
DNS Servicer
Pledge "dns"
Internet Speaker
Pledge "inet"
(Our own ntpd as an example)
Processes select own pledge – inline
"I pledge this is the only subset of POSIX I will use"
Make the promise in the code when ready.
Cannot undo the promise…
```c
imsg_init(ibuf_dns, pipe_ntp[1]);
if (pledge("stdio dns", NULL) == -1)
	err(1, "pledge");
while (quit_dns == 0) {
	/* ... DNS servicer loop, not shown on the slide ... */
}
```
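The pattern of the last few slides, as an added example that is not code from the talk or from OpenBSD's ntpd: a master process keeps the one privileged action, a worker can only ask for it over a pipe using a fixed message format, and each process makes its own pledge() promise once its setup is done. The names `privsep_pledge`, `run_privsep`, `privsep_applied_total`, the `struct msg` wire format and the `MAX_OFFSET_US` policy limit are this example's own assumptions, as is the no-op fallback on hosts without pledge(2); on OpenBSD the macro calls the real pledge(2).

```c
/* Added example in the style of the talk (not from the slides or ntpd).
 * Assumption: on non-OpenBSD hosts pledge() is a labelled no-op so the
 * program still builds and runs; on OpenBSD the real pledge(2) is used. */
#ifndef __OpenBSD__
#define _DEFAULT_SOURCE         /* glibc: expose POSIX declarations under -std=c99 */
#endif
#include <err.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define privsep_pledge(promises) pledge((promises), NULL)
#else
/* Assumption: no pledge(2) here; keep the call sites, enforce nothing. */
static int privsep_pledge(const char *promises) { (void)promises; return 0; }
#endif

/* Pipe protocol: one request type and one argument; nothing else is parsed. */
enum { MSG_SET_OFFSET = 1 };        /* "move the clock by arg microseconds" */
struct msg { uint32_t type; int64_t arg; };

#define MAX_OFFSET_US 1000000LL     /* constructed policy limit for the example */
static int64_t applied_offset_us;   /* stands in for the settimeofday() effect */

int64_t privsep_applied_total(void) { return applied_offset_us; }

/* The only privileged operation, plus the design rule the master enforces:
 * known message type and an argument within range. 0 = done, -1 = refused. */
static int master_apply(const struct msg *m)
{
    if (m->type != MSG_SET_OFFSET)
        return -1;
    if (m->arg > MAX_OFFSET_US || m->arg < -MAX_OFFSET_US)
        return -1;
    applied_offset_us += m->arg;    /* a real daemon would call settimeofday() */
    return 0;
}

static int write_full(int fd, const void *buf, size_t n)
{
    const unsigned char *p = buf;
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -1;      /* worker went away mid-message */
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Worker (unprivileged side): once set up it promises "stdio", which still
 * covers read/write on the inherited pipe, then sends exactly one request. */
static void worker(int fd, uint32_t type, int64_t arg)
{
    struct msg m = { .type = type, .arg = arg };
    if (privsep_pledge("stdio") == -1)
        err(1, "pledge");
    _exit(write_full(fd, &m, sizeof m) == 0 ? 0 : 1);
}

/* Master: fork the worker, then only read one request and apply the policy.
 * Returns 0 (accepted), -1 (refused), -2 (setup failure), -3 (worker killed
 * by a signal, which is how a pledge violation in the worker shows up here). */
int run_privsep(uint32_t type, int64_t arg)
{
    int fds[2], status, rc = -1;
    struct msg m;
    pid_t pid;

    if (pipe(fds) == -1)
        return -2;
    if ((pid = fork()) == -1) {
        close(fds[0]); close(fds[1]);
        return -2;
    }
    if (pid == 0) {
        close(fds[0]);
        worker(fds[1], type, arg);  /* never returns */
    }
    close(fds[1]);
    /* "proc" is kept only because this demo forks a fresh worker per call;
     * a daemon that forks once at startup narrows further (a clock master
     * on OpenBSD would use "stdio settime"). */
    if (privsep_pledge("stdio proc") == -1)
        return -2;
    if (read_full(fds[0], &m, sizeof m) == 0)
        rc = master_apply(&m);
    close(fds[0]);
    if (waitpid(pid, &status, 0) == pid && WIFSIGNALED(status))
        rc = -3;
    return rc;
}

int main(void)
{
    printf("in-range request: %d\n", run_privsep(MSG_SET_OFFSET, 500));
    printf("too-large request: %d\n", run_privsep(MSG_SET_OFFSET, 5000000));
    printf("unknown message:  %d\n", run_privsep(99, 1));
    printf("applied total: %lld us\n", (long long)privsep_applied_total());
    return 0;
}
```

The point of the split is that a compromised worker gains nothing it could not already ask for: the master parses a fixed-size message, checks the type and range, and performs only that one action. The worker's pledge of "stdio" means that if it ever tries something outside its design rule (a socket(), an open()), the kernel kills it and the master sees a signalled child rather than a silently widened privilege.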
Good debugging experience
Most violations result in process being killed
core is dumped — go ahead, use gdb
```
234 prog CALL  socket(AF_LOCAL,0x1<SOCK_STREAM>,0)
234 prog PLDG  socket, "inet", errno 1 Operation not permitted
234 prog PSIG  SIGABRT SIG_DFL
234 prog NAMI  "prog.core"
```
Privsep mistakes identified
Implementation errors found in 10% of privsep programs
Sub-processes did actions beyond design rule! tsk tsk.
ntpd, bgpd, tcpdump, …
Validate program operation matches design rule
Future work
OpenSSH privilege separation is dated, and could be improved...
Continue refining semantics
Cooperate if another OS wants pledge
Observe impact on upstream software, and assist
General Observation
Perfection is impossible to achieve unless an enforcement mechanism keeps us honest