• SummerOfCode2018Projects
• ObliviousSandboxingwithCapsicum

Oblivious Sandboxing with Capsicum

• Student: ShubhGupta (shubh.gupta2104@gmail.com)

• Mentor: Joanthan Anderson (jonathan@)

Project description

Capsicum is a sandboxing framework for principled, coherent compartmentalisation of FreeBSD applications.However, a notable shortcoming of Capsicum today is that it only works when applications voluntarily give up the right to perform certain actions. It works with applications that understand Capsicum and that have been modified to be able to take its advantage. Up to now, no mechanisms have been provided for sandboxing the applications without their assistance i.e no mechanism has been developed to sandbox an application obliviously.

Approach to solving the problem

Currently only simple applications can run in the oblivious sandbox provided by capsh. This project will aim upon improving the wrapper system(libpreopen, capsh etc) and make applications work in an oblivious sandbox wherein applications will work in the sandbox without being modified or being known of, but this project will specifically focus on file(1) and Clang.

We aim on writing a core library which can do the "Run the application in a sandbox" work and making capsh a proof-of-concept wrapper around that.

The existing libpreopen and capsh code will provide a basis for understanding and improving the wrapper system based on the applications i.e file(1) and Clang chosen to sandbox obliviously.

Deliverables

The deliverables i aim to develop will be:

• Try to explore, what more wrappers libpreopen can support i.e what more native commonly used system calls can be wrapped so that applications can work without any modification.
• Improve capsh to leverage all the resources provided by libpreopen i.e pre-open the resources required by the application which can take a form:
  • Command line interface arguments
  • package policies that specify what resources a binary requires to be pre-opened, e.g., /usr/include and /usr/local/llvm60/lib/clang
• Make capsh understand the whole structure it is supposed to follow as mentioned above and work towards making it an interactive shell.
• Obliviously sandbox file(1) , by working out on a policy based on what part of the global namespace will the utility need before entering the capability mode i.e complete denial of the global namespace.
• Target on making Clang work in the oblivious sandbox by figuring out the policy, which includes figuring out what parts of the global namespace will it need before entering the capability mode and what cap_rights are to be mapped against them.
• If deliverables are matched before the allocated time, can work on some other complex application and test our sandbox to improve its functionality.
• If time persists, then working towards LLVM based transformation of libraries to libraries and applications that embed LLVM bitcode, allowing a transparent re-writing of function calls to capability-mode-friendly API’s without needing to LD_PRELOAD for interposition

Milestones

• May 14th: Start of coding
  • Work on improving libpreopen further by adding more filesystem call wrappers and making it functional to be able to preopen all filesystem related resources.
• May 21st - June 11th:

  • Safely run cat in the oblivious sandbox, by writing the command capsh cat <filename> with just the minimal set of resources it needs, which ensures to increase capsh's functionality from commands like echo wherein it wasn't providing access to the global namespace at all in the capability mode, to a command like cat where just the file which is to be opened, is opened and has read-only access

• Stretch goal before First evaluation

  • Run telnet in the capsh, which ensure preopening of a socket just like we did for a file.

• June 11th - June 15th: Mid-term Evaluations #1
• June 15th - June 30th:
  • Use the already written capsh code wherein it is able to open(2) the linker, library descriptors and make it understand the policy for sandboxing file(1)
• June 30th - July 9th:
  • Use various tests based on ktrace(1), procstat(1) and time tests to check the functioning of the sandbox.Begin to identify and improve the correct policy for sandboxing Clang
• July 9th - July 13th: Mid-term Evaluations #1
• July 13th - August 6th:
  • Extend the capsh functionalities to make it understand the policy required for sandboxing Clang which is a complex application while testing capsh on other elementary applications and identifying the correct functionality of the sandbox based on the tests performed with ktrace, procstat and time based testing
• August 6th: End of coding (soft)
  • Finishing up the work including the constantly maintained blog based on the progress made. If time persists, will work towards LLVM based transformation of libraries. Will continue contributing and working with the Capsicum team, provided the massive learning it holds and my interest in the particular project.
• August 14th: End of coding (hard)

Test Plan

ktrace

• The ktrace utility enables kernel trace logging for the specified processes. Kernel trace data is logged to a file ktrace.out. The kernel operations that are traced include system calls, namei translations, signal processing, and I/O.
• The log information can help in identifying the functionality of the program, and to look if it is just able to function as required. This will help in looking which particular parts of the process were denied access and why were they denied access, if this denial disturbs the functioning of the application. Hence, it becomes an involuntarily required tool for testing the code.

procstat

• The procstat utility displays detailed information about the processes identified by the pid arguments, or if the -a flag is used, all processes. It can also display information extracted from a process core file, if the core file is specified as the argument.
• Hence, we can know what capabilities are held by the process, and hence can include it in our test plan to check if the correct capabilities are held by the processes as desired.

The Code

https://github.com/ShubhGupta2125/capsh

https://github.com/ShubhGupta2125/libpreopen

Notes

Useful links

http://www.engr.mun.ca/~anderson/publications/2017/towards-oblivious-sandboxing.pdf

http://www.engr.mun.ca/~anderson/publications/2017/sandbox-comparison.pdf