Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
T
S
@pati_gallardo
Linux Security
and the Chromium Sandbox
Patricia Aas, T S
NDC TechTown 2018
@pati_gallardo
T
S
Patricia Aas - Consultant
C++ Programmer, Application Security
Currently : T S
Previously : Vivaldi, Cisco Systems, Knowit...
Remote Code Execution is what
browsers do.
Sandboxing
- System External Threat :
Protect the system from the
vulnerabilities in the browser
- System Internal Threat ...
- Process Architecture
- Linux Security APIs
- The Initial Sandbox
- Shrinking the Sandbox
@pati_gallardo
Process
Architecture
@pati_gallardo
The Executable Files
- vivaldi : The bash script wrapper,
launches vivaldi-bin. Sets up
environment.
- vivaldi-bin : The b...
1. Browser :
vivaldi-bin
2. Zygote (Parent) :
vivaldi-bin --type=zygote
3. Zygote (Child) :
vivaldi-bin --type=zygote
4. R...
Process Architecture
Browser
Gpu BrokerZygote
Renderer
GpuZygote Init
Renderer
Renderer
Process
Relationships
Tabs
- Process Architecture
- Linux Security APIs
- The Initial Sandbox
- Shrinking the Sandbox
@pati_gallardo
Linux Security
APIs
@pati_gallardo
@pati_gallardo
chrome://sandbox
NS(User)
NS(Pid)NS(Net)Web
Network
Filesystem System Calls
chroot
seccomp, capset
Resources
setrlimit
- Process Architecture
- Linux Security APIs
- The Initial Sandbox
- Shrinking the Sandbox
@pati_gallardo
The
Initial
Sandbox
@pati_gallardo
One Binary
Browser
Gpu BrokerZygote
Renderer
GpuZygote Init
Clone/Exec *
User/Pid/Net
Fork/Exec *
* NO_NEW_PRIVS
ForkFork
...
Initial Sandbox
Browser
Gpu BrokerZygote
Renderer
GpuZygote Init
Clone/Exec *
User/Pid/Net
Fork/Exec *
* NO_NEW_PRIVS
Fork...
Fork / Exec
- A typical start of a new process
on Linux is a “fork/exec”
- “Forking” is creating a new
process
- “Clone” i...
Windows of Opportunity : fork
1. Before Fork
2. After Fork
Windows of Opportunity: “Fork”/exec
1. Before clone/fork
2. At clone
3. Before Exec
4. At startup (input : argv, env)
Namespaces
@pati_gallardo
Namespaces
(Zygotes/Renderers)
Limits what a process can see
Api : clone/unshare @pati_gallardo
Namespaces in use
CLONE_NEWUSER
On some distributions a USER NS can be create
by an unprivileged user, and in one we can
c...
At Clone : Create NAmespaces
Clone flags define the process* created
and will create namespaces (NS) for it
1. Test which ...
int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET;
jmp_buf env;
if (setjmp(env) == 0) {
return CloneAndLongjmpInChil...
pid_t CloneAndLongjmpInChild(unsigned long flags,
pid_t* ptid,
pid_t* ctid,
jmp_buf* env) {
char stack_buf[PTHREAD_STACK_M...
int CloneHelper(void* arg) {
jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
longjmp(*env_ptr, 1);
// Should not be re...
Unshare- User Namespace
unshare(CLONE_NEWUSER)
Alternative to clone(CLONE_NEWUSER), will
not create new process, but move ...
Windows of Opportunity: “Fork”/exec
1. Before clone/fork
2. At clone
3. Before Exec
4. At startup (input : argv, env)
Before Exec : Launch Options
The process is prepared for the
upcoming exec (possibilities) :
1. Fix the environment
2. Fix...
- Process Architecture
- Linux Security APIs
- The Initial Sandbox
- Shrinking the Sandbox
@pati_gallardo
Shrinking
the Sandbox
@pati_gallardo
Shrinking the Sandbox
Browser
Gpu Broker
Seccomp
Zygote
SYS_ADMIN
Renderer
Pid capset rlimit
Gpu
Seccomp
Zygote Init
User ...
PR_SET_NO_NEW_PRIVS
prctl(PR_SET_NO_NEW_PRIVS)
Preserved across fork, clone and execve
“If no_new_privs is set, then opera...
Seccomp
@pati_gallardo
Seccomp
(Renderers/GPU/Broker)
Limits which syscalls a process
can call and how these calls are
handled
Api : seccomp @pat...
Seccomp BPF Program
Program written in an assembly-like
language to filter system-calls.
Runs in a simple VM in kernel spa...
Seccomp : BPF Policies
BPF Program defined in a Policy
Fundamentally a whitelist, allows a set of
syscalls and has custom ...
void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy)
{
SandboxBPF sandbox(policy);
assert(sandbox.StartSandbox())...
void SandboxBPF::InstallFilter() {
CodeGen::Program program = AssembleFilter();
struct sock_filter bpf[program.size()];
co...
Chroot
@pati_gallardo
Chroot
(Zygotes/Renderers)
Limits what a process can see of
the filesystem
Api : chroot @pati_gallardo
Chroot : Drop Access to FS
- clone(CLONE_FS) a child process
- Child chroot(”/proc/self/fdinfo/”)
- Child immediately does...
bool ChrootToSafeEmptyDir() {
pid_t pid = -1;
char stack_buf[PTHREAD_STACK_MIN];
void* stack = stack_buf + sizeof(stack_bu...
int ChrootToSelfFdinfo(void*) {
assert(chroot("/proc/self/fdinfo/") == 0);
assert(chdir("/") == 0);
_exit(kExitSuccess);
}...
Capabilities
@pati_gallardo
Capabilities
(Zygote/Renderers)
Limits what a process is
privileged enough to do
Api : capset @pati_gallardo
Drop Capabilities
Uses capset() to drop all or some
capabilities
“Linux divides the privileges traditionally
associated wi...
Resource Limits
@pati_gallardo
Resource Limits
(Renderers)
Limits the access this process
has to platform resources
Api : setrlimit @pati_gallardo
Resource Limits : setrlimit
Limits using setrlimit:
1. RLIMIT_AS : Maximum size of the
process’ virtual memory (address
sp...
Trust is Relative
Browser
Gpu Broker
Seccomp
Zygote
SYS_ADMIN
Renderer
Pid capset rlimit
Gpu
Seccomp
Zygote Init
User caps...
@pati_gallardo
chrome://sandbox
Sources
Chromium/Kernel source + Linux Man Pages + lwn.net
Michael Kerrisk
Book: The Linux Programming Interface
Course: L...
Patricia Aas, Consultant
T S
C++ and Application Security
T
S
@pati_gallardo
T
SD P
@pati_gallardo
T
S
Appendix / Some Notes
@pati_gallardo
Other APIs
in use
@pati_gallardo
Not Used Much in Chromium, but...
YAMA LSM
Limits the access that other
process have to this process -
especially ptracing
Status is checked by reading :
/p...
Setuid/setgid
(Legacy)
Increases what a process is
privileged enough to do, by
using the privilege of the
executables owne...
CGroups
(ChromeOS)
Limits the resources available to
a process. Used in ChromeOS -
not covered here.
/proc/<PID>/cgroup
/p...
Process Groups
(Chromedriver)
Can be used to treat a group of
processes as one.
Used with the ‘detach’ property
of Chromed...
Challenges
@pati_gallardo
Debugging
@pati_gallardo
Crash Reporting @pati_gallardo
P f .
Patricia Aas, T S
@pati_gallardo
T
S
T
S
@pati_gallardo
Prochain SlideShare
Chargement dans…5
×

Linux Security APIs and the Chromium Sandbox

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.

The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.

  • Soyez le premier à commenter

Linux Security APIs and the Chromium Sandbox

  1. 1. T S @pati_gallardo
  2. 2. Linux Security and the Chromium Sandbox Patricia Aas, T S NDC TechTown 2018 @pati_gallardo T S
  3. 3. Patricia Aas - Consultant C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her T S @pati_gallardo
  4. 4. Remote Code Execution is what browsers do.
  5. 5. Sandboxing - System External Threat : Protect the system from the vulnerabilities in the browser - System Internal Threat : Protect the browser from malware on the system @pati_gallardo @pati_gallardo
  6. 6. - Process Architecture - Linux Security APIs - The Initial Sandbox - Shrinking the Sandbox @pati_gallardo
  7. 7. Process Architecture @pati_gallardo
  8. 8. The Executable Files - vivaldi : The bash script wrapper, launches vivaldi-bin. Sets up environment. - vivaldi-bin : The browser binary - vivaldi-sandbox : A setuid binary, not in much use today @pati_gallardo
  9. 9. 1. Browser : vivaldi-bin 2. Zygote (Parent) : vivaldi-bin --type=zygote 3. Zygote (Child) : vivaldi-bin --type=zygote 4. Renderer (MANY) : vivaldi-bin --type=renderer 5. GPU (Parent) : vivaldi-bin --type=gpu-process 6. GPU Broker (Child) : vivaldi-bin --type=gpu-broker @pati_gallardo The Running Processes
  10. 10. Process Architecture Browser Gpu BrokerZygote Renderer GpuZygote Init Renderer Renderer Process Relationships Tabs
  11. 11. - Process Architecture - Linux Security APIs - The Initial Sandbox - Shrinking the Sandbox @pati_gallardo
  12. 12. Linux Security APIs @pati_gallardo
  13. 13. @pati_gallardo chrome://sandbox
  14. 14. NS(User) NS(Pid)NS(Net)Web Network Filesystem System Calls chroot seccomp, capset Resources setrlimit
  15. 15. - Process Architecture - Linux Security APIs - The Initial Sandbox - Shrinking the Sandbox @pati_gallardo
  16. 16. The Initial Sandbox @pati_gallardo
  17. 17. One Binary Browser Gpu BrokerZygote Renderer GpuZygote Init Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS ForkFork Clone
  18. 18. Initial Sandbox Browser Gpu BrokerZygote Renderer GpuZygote Init Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS ForkFork Clone
  19. 19. Fork / Exec - A typical start of a new process on Linux is a “fork/exec” - “Forking” is creating a new process - “Clone” is a type of fork which can restrict a process at creation - “Exec” is executing a binary in a process@pati_gallardo
  20. 20. Windows of Opportunity : fork 1. Before Fork 2. After Fork
  21. 21. Windows of Opportunity: “Fork”/exec 1. Before clone/fork 2. At clone 3. Before Exec 4. At startup (input : argv, env)
  22. 22. Namespaces @pati_gallardo
  23. 23. Namespaces (Zygotes/Renderers) Limits what a process can see Api : clone/unshare @pati_gallardo
  24. 24. Namespaces in use CLONE_NEWUSER On some distributions a USER NS can be create by an unprivileged user, and in one we can create a PID NS. CLONE_NEWPID Same PID number can represent different processes in different PID namespaces. One init (PID 1) process per PID NS CLONE_NEWNET Isolate a process from network @pati_gallardo Zygote + Renderer
  25. 25. At Clone : Create NAmespaces Clone flags define the process* created and will create namespaces (NS) for it 1. Test which NS are available 2. Fail if not sufficient 3. Construct the biggest supported and applicable set Emulates fork with longjmp * Also used to create threads @pati_gallardo Zygote + Renderer
  26. 26. int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET; jmp_buf env; if (setjmp(env) == 0) { return CloneAndLongjmpInChild(flags, ptid, ctid, &env); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  27. 27. pid_t CloneAndLongjmpInChild(unsigned long flags, pid_t* ptid, pid_t* ctid, jmp_buf* env) { char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  28. 28. int CloneHelper(void* arg) { jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg); longjmp(*env_ptr, 1); // Should not be reached assert(false); return 1; } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  29. 29. Unshare- User Namespace unshare(CLONE_NEWUSER) Alternative to clone(CLONE_NEWUSER), will not create new process, but move caller. Credentials::CanCreateProcessInNewUserNS @pati_gallardo Zygote Parent
  30. 30. Windows of Opportunity: “Fork”/exec 1. Before clone/fork 2. At clone 3. Before Exec 4. At startup (input : argv, env)
  31. 31. Before Exec : Launch Options The process is prepared for the upcoming exec (possibilities) : 1. Fix the environment 2. Fix file descriptors 3. Fix signal handling 4. Set up process group 5. Maximize resource limits 6. Set PR_SET_NO_NEW_PRIVS 7. Change current dir 8. Select executable path 9. Setup command-line@pati_gallardo GPU + Zygote
  32. 32. - Process Architecture - Linux Security APIs - The Initial Sandbox - Shrinking the Sandbox @pati_gallardo
  33. 33. Shrinking the Sandbox @pati_gallardo
  34. 34. Shrinking the Sandbox Browser Gpu Broker Seccomp Zygote SYS_ADMIN Renderer Pid capset rlimit Gpu Seccomp Zygote Init User capset chroot Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS Done post fork ForkFork Clone
  35. 35. PR_SET_NO_NEW_PRIVS prctl(PR_SET_NO_NEW_PRIVS) Preserved across fork, clone and execve “If no_new_privs is set, then operations that grant new privileges (i.e. execve) will either fail or not grant them. This affects suid/sgid, file capabilities, and LSMs.” /usr/include/linux/prctl.h @pati_gallardo All except Browser
  36. 36. Seccomp @pati_gallardo
  37. 37. Seccomp (Renderers/GPU/Broker) Limits which syscalls a process can call and how these calls are handled Api : seccomp @pati_gallardo
  38. 38. Seccomp BPF Program Program written in an assembly-like language to filter system-calls. Runs in a simple VM in kernel space. All syscalls will be filtered by this program TSYNC : Once a Seccomp Program is installed it applies to all threads in a process@pati_gallardo Renderer + Gpu + Broker
  39. 39. Seccomp : BPF Policies BPF Program defined in a Policy Fundamentally a whitelist, allows a set of syscalls and has custom handling of others. An extended Policy is generally more permissive 1. BaselinePolicy 1.1 GpuProcessPolicy 1.1.1 GpuBrokerProcessPolicy 1.2 RendererProcessPolicy @pati_gallardo Renderer + Gpu + Broker
  40. 40. void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy) { SandboxBPF sandbox(policy); assert(sandbox.StartSandbox()); } bool SandboxBPF::StartSandbox() { InstallFilter(); return true; } @pati_gallardo chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  41. 41. void SandboxBPF::InstallFilter() { CodeGen::Program program = AssembleFilter(); struct sock_filter bpf[program.size()]; const struct sock_fprog prog = { static_cast<unsigned short>(program.size()), bpf }; memcpy(bpf, &program[0], sizeof(bpf)); assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0); assert(seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0); } @pati_gallardo chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  42. 42. Chroot @pati_gallardo
  43. 43. Chroot (Zygotes/Renderers) Limits what a process can see of the filesystem Api : chroot @pati_gallardo
  44. 44. Chroot : Drop Access to FS - clone(CLONE_FS) a child process - Child chroot(”/proc/self/fdinfo/”) - Child immediately does a chdir(“/”) - Child does _exit(kExitSuccess) You can see this by looking at ls -l /proc/<pid>/root Of the Zygote or any ancestor Credentials::DropFileSystemAccess@pati_gallardo Zygotes + Renderer
  45. 45. bool ChrootToSafeEmptyDir() { pid_t pid = -1; char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); int clone_flags = CLONE_FS | LINUX_SIGCHLD; pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr); int status = -1; assert(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  46. 46. int ChrootToSelfFdinfo(void*) { assert(chroot("/proc/self/fdinfo/") == 0); assert(chdir("/") == 0); _exit(kExitSuccess); } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  47. 47. Capabilities @pati_gallardo
  48. 48. Capabilities (Zygote/Renderers) Limits what a process is privileged enough to do Api : capset @pati_gallardo
  49. 49. Drop Capabilities Uses capset() to drop all or some capabilities “Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.” Man page for capabilities Credentials::DropAllCapabilities@pati_gallardo Zygotes + Renderers
  50. 50. Resource Limits @pati_gallardo
  51. 51. Resource Limits (Renderers) Limits the access this process has to platform resources Api : setrlimit @pati_gallardo
  52. 52. Resource Limits : setrlimit Limits using setrlimit: 1. RLIMIT_AS : Maximum size of the process’ virtual memory (address space) in bytes 2. RLIMIT_DATA : Maximum size of the process's data segment LinuxSandbox::LimitAddressSpace @pati_gallardo Renderer
  53. 53. Trust is Relative Browser Gpu Broker Seccomp Zygote SYS_ADMIN Renderer Pid capset rlimit Gpu Seccomp Zygote Init User capset chroot Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS Done post fork ForkFork Clone No access to filesystem
  54. 54. @pati_gallardo chrome://sandbox
  55. 55. Sources Chromium/Kernel source + Linux Man Pages + lwn.net Michael Kerrisk Book: The Linux Programming Interface Course: Linux Security and Isolation APIs All Errors Are My Own
  56. 56. Patricia Aas, Consultant T S C++ and Application Security T S @pati_gallardo
  57. 57. T SD P
  58. 58. @pati_gallardo T S
  59. 59. Appendix / Some Notes @pati_gallardo
  60. 60. Other APIs in use @pati_gallardo
  61. 61. Not Used Much in Chromium, but...
  62. 62. YAMA LSM Limits the access that other process have to this process - especially ptracing Status is checked by reading : /proc/sys/kernel/yama/ptrace_scope @pati_gallardo
  63. 63. Setuid/setgid (Legacy) Increases what a process is privileged enough to do, by using the privilege of the executables owner Api : set*uid / set*gid @pati_gallardo
  64. 64. CGroups (ChromeOS) Limits the resources available to a process. Used in ChromeOS - not covered here. /proc/<PID>/cgroup /proc/cgroups @pati_gallardo
  65. 65. Process Groups (Chromedriver) Can be used to treat a group of processes as one. Used with the ‘detach’ property of Chromedriver Api : setpgid @pati_gallardo
  66. 66. Challenges @pati_gallardo
  67. 67. Debugging @pati_gallardo
  68. 68. Crash Reporting @pati_gallardo
  69. 69. P f . Patricia Aas, T S @pati_gallardo T S
  70. 70. T S @pati_gallardo

×