CapExec: Towards Transparently-Sandboxed Services (Extended Version)
Mahya Soleimani Jadidi∗, Mariusz Zaborski†, Brian Kidney∗, Jonathan Anderson∗
∗ Department of Electrical and Computer Engineering Memorial University of Newfoundland {msoleimanija,brian.kidney,jonathan.anderson}@mun.ca
† Research and Development Fudo Security Inc. {[email protected]}
Abstract—Network services are among the riskiest programs some of which require a great deal of security expertise to executed by production systems. Such services execute large apply correctly. Incorrectly applied mechanisms may lead to a quantities of complex code and process data from arbitrary false sense of security without additional effectual protection. — and untrusted — network sources, often with high levels of system privilege. It is desirable to confine system services to a What is needed, in addition to the development of effective least-privileged environment so that the potential damage from sandboxing techniques, is the development of tools to apply a malicious attacker can be limited, but existing mechanisms those techniques. for sandboxing services require invasive and system-specific code Sandboxing is applicable through different techniques at changes and are insufficient to confine broad classes of network various levels within operating systems such as system call services. Rather than sandboxing one service at a time, we propose chroot(2) [1], sandboxing features in service managers such that the best place to add sandboxing to network services is in as systemd [2], or application containers such as jail(8) [3] the service manager that starts those services. As a first step or docker [4]. We believe that a great deal of benefit can towards this vision, we propose CapExec, a process supervisor be derived from the application of sandboxing at the level that can execute a single service within a sandbox based on a of system services without requiring invasive modifications to service declaration file in which, required resources whose limited access to are supported by Caper services, are specified. Using the the application code of every network service. Hence, we see Capsicum compartmentalization framework and its Casper ser- service managers as the key to securing systems with network- vice framework, CapExec provides robust application sandboxing facing services. Securing systems at this level, eliminates the without requiring any modifications to the application itself. We need for securing every service separately. believe that this is a first step towards ubiquitous sandboxing of network services without the costs of virtualization. In this paper, we have combined process supervision and Index Terms—application security, sandboxing, service man- FreeBSD’s capability-oriented compartmentalization frame- ager, Capsicum, compartmentalization work [5], Capsicum [6], to introduce CapExec as a sandboxing process supervisor (section II), which runs applications in a I.INTRODUCTION restricted capability mode. Capsicum provides a fine-grained sandboxing mechanism, Network services and applications have always been attrac- giving developers a significant degree of control within an tive targets for remote attackers. Network services typically application. However, some developers still avoid the use of arXiv:1909.12282v1 [cs.CR] 26 Sep 2019 incorporate complex protocol parsing code, often written in this technique, or even other sandboxing approaches, for the low-level languages, that is exposed to arbitrary content from following reasons: the network. Since these services commonly execute with system privilege, they are at high risk for remote exploitation • Difficulties of preserving the functionality of the program as a gateway to other system resources. Because of the risk while enhancing its security and the consequence of potential compromises, there is a need • Requirement for source code modifications and the addi- to confine network applications and limit the damage that can tional associated testing be inflicted by a successful attack. • Verifying the correctness and compatibility between lim- its defined in the sandbox One broad class of techniques that seem applicable to the problem of securing network services is sandboxing: These issues motivated us to facilitate the use of Capsicum restricting software’s access to system resources such that the by employing the same ideas in our supervisor program. application has the least privilege required to fulfill its func- CapExec uses Capsicum to restrict the privileges of services, tion. However, applying such limitations is challenging. Many limiting access to resources from compromised applications; it sandboxing frameworks require invasive code modifications, uses the Capsicum-based Casper service framework [7], [8] to provide access to required resources through capability chan- operations:"OPEN", nels defined by Casper. To use CapExec, services’ required flags:"RDONLY", run-time resources should be described in service declaration cap_rights:"READ", cap_rights:"FCNTL", files, as an initial step to unify security and functionality cap_rights:"FSTAT", descriptions. When a service’s run-time requirements can be filename:"/etc/protocols", described in terms of Casper services, CapExec provides filename:"/dev/null" sandboxing without any modifications to source code. The } mechanism and its various evaluation results are described "system.dns":{ family: AF_INET in section II and section IV respectively. This project is } a significant advance beyond the current state of the art "system.net":{ (section V). host:"example.com", family: AF_INET II.CAPEXEC:ASANDBOXING SERVICE SUPERVISOR } We have designed and developed CapExec to be a security- "system.sysctl":{ "vm.overcommit":{ focused service supervisor that executes a service in a sandbox type:"mib", transparently, which means no modification to the service’s flag:"CAP_SYSCTL_READ" source code is required. } CapExec creates sandboxes relying on Capsicum [6] and } Casper services. Capsicum is a sandboxing framework devel- } oped for FreeBSD. The fundamental idea for the framework comes from the concept of capabilities in capability-based Writing service declarations requires knowledge of system systems [9]. Capabilities are unforgeable tokens of author- calls used within the applications code. The problem is compli- ity carried by processes to authorize access to the systems cated by system calls used indirectly by libraries. Recognizing resources. Using Capsicums API, once a process enters to this issue, we developed CapCheck, a tool for highlighting the capability mode, all system calls trying to access global library calls that use system calls not allowed in a Capsicum namespaces, such as the root filesystem or the PID1 names- sandbox. As can be seen in figure 1, even a call to fgets(1) pace, will fail. Capsicums sandboxing has changed the regular can result in unexpected system calls that are disallowed in flow of the system call mechanism in FreeBSD. In addition Capsicum sandboxes. to Capsicums general API, Casper has extended Capsicums CapCheck uses readelf and ldd to determine the calls made features by defining capability channels to allow access to to external libraries and the libraries that provide them. It some riskier but widely-used services [7]. then builds a full call graph for the application and searches Using Capsicum and Casper, CapExec creates and loads it to find paths that result in disallowed system calls. This required Casper services to provide access to white-listed run- information is provided to the end user to develop service time resources. These services and their limits are specified in declaration files. the application’s declaration files as the service configuration.
CapExec executes one application at the time in a sandbox … made with required Casper’s capability channels. Hence, lim- {__sys_fstat} {fgets} {__srefill} {__smakebuf} {_fstat} ited accesses to the subsetted namespaces are proxied for the {syscall} application, but any unprivileged behaviour or requests beyond … defined limits will fail due to capabilities violations.
A. Service Declaration: Unifying Application Functionality Fig. 1. Reduced call graph from traceroute(8) showing how a call to with Security Requirements fgets(3) can result in system calls disallowed in Capsicum. CapExec employes libucl [10] to parse the service declara- tion file conforming to JSON format [11]. The file should de- B. Sandboxed Execution scribes the service’s binary and its requirements. Requirements As the first step, CapExec parses declaration files and cre- are those system resources that are disallowed in capability ates the corresponding Casper services. In addition to support- mode, but their alternative restricted services are supported by ing all Casper services, CapExec needed a capability channel Casper daemon or libcasper API [8]. An example configura- for simple network communications. Therefore, we developed tion for the traceroute utility is given in Listing 1. an experimental networking Casper service, system.net, sup- porting bind(2) and connect(2). After parsing service declara- Listing 1. An example of the content of traceroute declaration file tion files, CapExec forks and executes the binary sandboxed in { binary:"/usr/sbin/traceroute" a child process, creating a new environment or context for the "system.fileargs":{ process, including arguments, libraries, environment variables, the new runtime linker, shared memory mappings and required 1Process ID libraries to make the process sandboxed. CapExec replaces disallowed libc system calls with other functions that redirect Listing 2. Software that depends on functionality disallowed by Capsicum requests to the existing Casper services. As a result, the source void test_gethostbyname() { code remains unmodified. Figure 2 shows this mechanism. const char *ipstr ="127.0.0.1"; struct in_addr ip; struct hostent *hp; if(!inet_aton(ipstr, &ip))
svc_config.json fprintf(stdout,"Unable to parseIP address%s.", ipstr);
hp = gethostbyaddr((const void*)&ip, sizeof(ip), AF_INET); env new_rtld libs CPPUNIT_ASSERT(hp != NULL); Parse }
Define grp_service_ dns_service_ preload sysctl_service_ preload preload In the absence of CapExec, the process calls gethostbyaddr(3)
Service Manager Attach libraries to be preloaded function and the corresponding libc function will be called as Daemon shown in figure 3. fork
system.dns system.grp system.sysctl
Process fexecve Casper Services: Limited defined access gethostbyaddr(3) Groups DNS Database Password Sandbox C Standard Library Database (libc)
User Level System Global Namespaces Original Application Kernel System Calls API
Kernel Level
Fig. 2. CapExec’s approach to run a service in a sandbox Fig. 3. The original procedure of calling unsafe functions and accessing to the system global namespaces
III.CAPEXECINPRACTICE When a process enters the capability mode, all system A useful approach to achieve compartmentalization in large calls which try to access the global namespaces will fail. So networks is to employ communication and access policies on the corresponding system functionality will not be met. The subnets. There are always applications such as firewalls and Casper daemons help solve this problem by creating restricted similar tools to enforce policies in a coarse-grained form of capability channels to access system resources with limited actions being held on the edge of the system. CapExec is a privileges. To use Casper services in CapExec, the service solution to have finer-grained enforced policies on services configuration file should contain the following content for our rather than users behaviors. If administrators can define de- example: tailed policies for important system services, then we will have network services that might be compromised, but they will not Listing 3. An example of a service declaration for system.dns cause information leakages over the network, privilege escala- { "system.dns":{ tion on servers or other consequence server failures. CapExec’s type: ADDR, dependency on configuration files causes administrators to be family: AF_INET able to run sandboxed network services using simple network } management tools such as running startup or shut down scripts } on specific domains. Limits can be applied to the network more manageable, centralized, and more verifiable. When CapExec parses the file, it defines a capability channel CapExec turns application sandboxing from a complicated for system.dns service with specified limits and sets required and time-consuming procedure into one that is simpler and libraries to be preloaded later. Preloaded libraries and their faster to implement. To examine this set of tools we sandbox functions retrieve capability channels that are open in the two of well-known existing utilities, cat(1) and traceroute(8), parent process, which is the main thread of CapExec. In on FreeBSD 12.0. In this section, we describe CapExec’s our example, a capability channel will be established for internal mechanism. the service system.dns. Then calling gethostbyaddr(3) will be redirected to the channel with Casper’s equivalent function What happens to the process? cap_gethostbyaddr(3). The procedure is shown in figure 4. Using CapExec, the administrator or developer of the system As it is mentioned before, to test our application function- can describe required resources in terms of Casper’s services ality on elementary utilities, we tried to sandbox cat(1) and similar to the example that has been shown in the listing 1. traceroute(8). cat(1) is a very small utility which needs only Suppose that listing 2 is a piece of code for our process. one Casper service, system.fileargs, to open files specified Process 100
gethostbyaddr(3)
CapExec: cap_gethostbyaddr(3) preloaded_dns_lib −1 Groups 10 Password DNS Database Database Casper Daemon Services Time (s)
Limited access with −2 confined results System Global Namespaces 10
C Standard Library (libc) User Level cat cat with CapExec
Kernel System Calls API 1 10 100 500 1000 Kernel Level Size in MBs
Fig. 4. The procedure of process execution with CapExec. The process Fig. 5. Time to open single file with original cat(1) in comparison with cat disallowed invocations are redirected to predefined capability channel in the running in CapExec’s sandbox corresponding Casper service. Numbers are showing the order of steps.
101 as command line arguments. Listing 4 shows cat’s service 0 declaration file that we used to make it sandboxed. 10
Listing 4. An example of a service declaration to sandbox cat(1) 10−1 { binary:"/bin/cat" Time (s) −2 "system.fileargs":{ 10 operations:"OPEN", cat flags:"O_RDONLY", 10−3 CapExec cap_rights:"READ", filename:"test.txt" 10 100 1000 10000 } Number of files } Fig. 6. Time to open multiple files with cat(1)
IV. EVALUATION AND COMPARISONS This includes the reading of configuration files, the creating 1) Runtime Performance: In this section, we describe of Casper services and fork(2) calls to load and open them. evaluation results and our observations about runtime per- Here is how we explain various points affected execution formances, memory usage, correctness, and comparison of time with the observed latency. CapExec parses a service running existing applications, cat(1) and traceroute(8), in declaration file and then defines essential Casper services CapExec’s sandbox and other sandboxing technologies. We with their specified limits. Opening Casper services is always have chosen these two utilities as they are both simple small associated with calling fork(2) for each service. After all utilities sandboxed before using Capsicum. Examining these service definitions, CapExec forks and executes the binary, application allows us to have a direct comparison to traditional in the child process, in capability mode. Hence, the cost applications of Capsicum requiring source code modification. of establishing a sandbox environment and Casper channels To investigate running cat(1) with CapExec, which only always exist, but just once during runtime, which is negligible needs one Casper service (system.fileargs), we examined for large inputs, in terms of size. It shows 1% on average in our cat(1) and its sandboxed version with two test scenarios. In cases for huge files, and 1% to 2% for small cases. However, the first scenario, we examined invocations of cat with files this step costs more for a large number of files with equal of various sizes from 1 MB to 1 GB, shown in figure 5. Since sizes in our second test scenario. In worst cases of those tests, a large portion of CapExec overhead is spent pre-opening it takes over twice of the time. We can explain this issue with and holding handles to file descriptors, in the second test this fact that there is a linear relationship between the number scenario, we ran our tests with a varied number of empty files of mentioned services and their features in service declaration as the input set, from 10 to 10000, shown in figure 6. All file and the time required for configuration. measurements were performed ten times per test case. There are additional reasons for the delays seen in our As can be seen in figure 6, executing cat in our sandbox outputs. The presence of preloaded libraries redirected system adds overhead to the execution time. We find this delay more calls and the communication between the sandboxed process tolerable as the number of inputs grows. The majority of the and Casper daemon, all affect process runtime. The increasing cost of using CapExec is spent in setting up the sandbox. number of Casper services opened by the supervisor program causes more latency during runtime. CapExec delegates tasks to Casper services for disallowed Although we believe these delays are acceptable to achieve replaced system calls. Requests are sent to Casper services secure services, there are various places in CapExec which through a capability channel which passes commands through can be optimized. For example, with better sets of service UNIX domain sockets to Casper services. We can see this declaration options, such as Casper fileargs arguments, we procedure in the ktrace(8) output shown in the listing 7. The could speed the first phase of sandbox creation. CapExec has system call sendto(2), instead of the forbidden system call, is been developed with the most straightforward possible design invoked. We can see that the final open(1) system call was as a proof of concept but additional optimization on the current executed by a different process. Since in our examined appli- system is one of our current focuses. cations, no system call failed and no related capability error was observed and they worked normally, we can infer that the 15 corresponding configuration file sufficed for the applications. cat CapExec Listing 7. The trace of the syscall for cat(1) under the CapExec. cat CALL sendto(0x4,0x80163b0a0,0x4e,0,0,0) 10 cat GIO fd 4 wrote 78 bytes 0x0000 6c00 0200 0000 0000 0000 003b 0000 0000 0000 0004 0400 0500 |l...... ;...... | 0x0018 0000 0000 0000 0000 0000 0000 0000 636d 6400 Memory (Mb) 5 6f70 656e 0004 |...... cmd.open..| 0x0030 0500 0700 0000 0000 0000 0000 0000 0000 0000 6e61 6d65 0074 |...... name.t| 0x0048 6573 742f 3000 0 10 100 1000 10000 |est/0.| Number of files cat RET sendto 78/0x4e Fig. 7. Memory utilization for various number of files opened by cat(1) [...] capexec CALL openat(AT_FDCWD,0x800283078,0
VII.CONCLUSION In this paper, we introduced CapExec, a prototype sandbox- ing supervisor that facilitates service sandboxing both on local and network services. Using Capsicum and Casper, along with a simple configuration file, we transparently provide this isola- tion at run time without any modification on the application’s source code. The system requires to be configured based on essential Casper services, which is challenging for the user, but to facilitate this procedure, we provide CapCheck, a tool to discover system calls that require wrapping. This demonstrates that sandboxing itself can be a service, a key foundation for building security-aware service managers in the future.
REFERENCES [1] (Retrieved at: June 6, 2019) Freebsd manual pages: chroot(8). [Online]. Available: ”https://www.freebsd.org/cgi/man.cgi?chroot(8)” [2] (Last edited: May 23, 2019) systemd system and service manager. [On- line]. Available: ”https://www.freedesktop.org/wiki/Software/systemd/” [3] (2018) Freebsd’s mannual page: jail(8). [Online]. Avail- able: ”https://www.freebsd.org/cgi/man.cgi?query=jail&sektion\=8& apropos=0&manpath=FreeBSD+12.0-RELEASE+and+Ports” [4] (Retrieved at: June 14, 2019) Docker security. [Online]. Available: https://docs.docker.aom/engine/security/security/ [5] M. K. McKusick, G. V. Neville-Neil, and R. N. Watson, The design and implementation of the FreeBSD operating system. Pearson Education, 2014. [6] R. N. M. Watson, J. Anderson, B. Laurie, and K. Kennaway, “Capsicum: Practical capabilities for unix,” in Proceedings of the 19th USENIX Conference on Security, ser. USENIX Security’10. Berkeley, CA, USA: USENIX Association, 2010, pp. 3–3. [Online]. Available: http://dl.acm.org/citation.cfm?id=1929820.1929824 [7] P. J. Dawidek and M. Zaborski, “Sandboxing with capsicum,” ; login:: the magazine of USENIX & SAGE, vol. 39, no. 6, pp. 12–17, 2014. [8] Z. Dawidek, Pawel Jakub. (2016, 2) Freebsd manual pages: libcasper’. [Online]. Available: ”https://www.freebsd.org/cgi/man.cgi?query=libcaspe\r&sektion= 3&apropos=0&manpath=FreeBSD+11.0-RELEASE+and+Ports” [9] R. S. Fabry, “Capability-based addressing,” Commun. ACM, vol. 17, no. 7, pp. 403–412, Jul. 1974. [Online]. Available: http://doi.acm.org/ 10.1145/361011.361070 [10] (Retrieved at: June 14, 2019) Libucl. [Online]. Available: http: //rodrigo.ebrmx.com/github /vstakhov/libucl [11] D. Crockford. (2000) Json’s website. [Online]. Available: ”https: //json.org” [12] (Last update: June 2019) Gentoo linux’s article: s6. [Online]. Available: ”https://wiki.gentoo.org/wiki/S6” [13] (Retrieved at: June 6, 2019) Official introduction page: Launchd. [Online]. Available: ”https://www.launchd.info” [14] (Retreived at: June 6, 2019) inetd daemon. [Online]. Avail- able: ”https://www.ibm.com/support/\knowledgecenter/en/ssw aix 72/ com.ibm.aix.cmds3/inetd.htm” [15] (Retrieved at: June 6, 2019) Seccomp bpf (secure computing with filters). [Online]. Available: ”https://www.kernel.org/doc/html/v4.16/ userspace-api/seccomp filter.html” [16] M. Heily. (Retrieved at: June 6, 2019) relaunchd. [Online]. Available: ”https://github.com/csjayp/relaunchd” [17] (Retrieved at: June 6, 2019) The nosh package. [Online]. Available: ”https://jdebp.eu/Softwares/nosh/” [18] (Last update: 2019) Gentoo linux’s article: daemontools. [Online]. Available: ”https://wiki.gentoo.org/wiki/Daemontools” [19] (Last update: June 2019) Gentoo linux’s article: runit. [Online]. Available: ”https://wiki.gentoo.org/wiki/Runit” [20] (Retrieved at: June 6, 2019) An overview of s6. [Online]. Available: ”https://skarnet.org/software/s6/overview.html” [21] (Retrieved at: June 14, 2019) Introducing cloudabi. [Online]. Available: https://cloudabi.org