<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://homeostasis.scs.carleton.ca/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Dominique</id>
	<title>Soma-notes - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://homeostasis.scs.carleton.ca/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Dominique"/>
	<link rel="alternate" type="text/html" href="https://homeostasis.scs.carleton.ca/wiki/index.php/Special:Contributions/Dominique"/>
	<updated>2026-06-02T21:06:26Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.42.1</generator>
	<entry>
		<id>https://homeostasis.scs.carleton.ca/wiki/index.php?title=SystemsSec_2018W_Lecture_21&amp;diff=21625</id>
		<title>SystemsSec 2018W Lecture 21</title>
		<link rel="alternate" type="text/html" href="https://homeostasis.scs.carleton.ca/wiki/index.php?title=SystemsSec_2018W_Lecture_21&amp;diff=21625"/>
		<updated>2018-04-08T21:05:32Z</updated>

		<summary type="html">&lt;p&gt;Dominique: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Audio==&lt;br /&gt;
&lt;br /&gt;
[https://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec21-28Mar2018.m4a Lecture 21 Audio]&lt;br /&gt;
&lt;br /&gt;
==Notes==&lt;br /&gt;
&lt;br /&gt;
Last class we talked about virtualization and what security it gives you. In user mode and supervisor mode we have different privileges and the CPU is helping you, but what about when you don’t have the hardware to help you? How do you implement privileges inside a process? In a browser, for example, code in a page shouldn’t have access to everything the browser can do. Modern browsers use the OS multiprocess model for protection: separate tabs run in separate processes. Inside a process we want to limit the resources, and we do this by using an abstraction: the language runtime.&lt;br /&gt;
&lt;br /&gt;
In classic compiled languages we have an input source -&amp;gt; preprocessor -&amp;gt; compiler -&amp;gt; linker -&amp;gt; output binary. A linker just takes code and sticks it together; it resolves the symbolic references into actual addresses. The compiler takes the language and converts it into code that the processor executes. By processor we’re not talking about hardware; the processors actually have their own small compilers that translate into another, lower-level language. But the idea is that you can walk through from your code to the assembly and map the instructions together. &lt;br /&gt;
&lt;br /&gt;
What is a language runtime and how do we implement it? The language runtime is the code that provides the environment for your code. For example, we expect command line arguments to be passed to main; something has to do that. So any language higher than assembly has some sort of language runtime. &lt;br /&gt;
&lt;br /&gt;
In most languages, apart from C, we don’t have direct access to resources. There is a language runtime in C, but it’s very lightweight and mostly runs before main is called. In C, execution doesn’t start at the beginning of main; a whole bunch of system calls are done automatically before main runs. Once you’re actually running C code, you’re basically running directly on the hardware, so there isn’t an abstraction, but most other languages aren’t like that.&lt;br /&gt;
&lt;br /&gt;
Most other languages, classically, used an interpreter. An interpreter is similar to a shell prompt: it takes instructions line by line, interprets each one, and then runs it. This is advantageous because it’s not very complex, just a big set of case statements. It allows fine-grained control, like array bounds checking, but we lose efficiency because it’s going line by line. &lt;br /&gt;
&lt;br /&gt;
Can we get safety and efficiency? Just-in-time (JIT) compilation does the compilation in chunks as you go. But compiling is slow, so we get around this by having multiple compilers. Compilation is not optimization, but we can do optimizations, especially for loops. By using JIT, modern languages can get close to C’s speed. &lt;br /&gt;
&lt;br /&gt;
Checking code at runtime isn’t efficient, but the JIT compilers can guarantee some things so we don’t need to check them. But there can be bugs here, and getting around them gives an attacker C-like power. So how do we handle this? Instead of a compiler producing a binary, it produces byte code, which is then run through a JIT to be translated into machine code. You can annotate your byte code with restrictions and context, and the JIT will enforce safety using this information and do optimization. &lt;br /&gt;
&lt;br /&gt;
This can be even faster than a regular runtime, but in practice Java runs slower than JavaScript. Why? Code complexity and language complexity: when the language is complicated, the interpreter has to be more complicated. Also, for its permission model Java implements a full access control system, basically like a full OS does, except instead of processes it has objects. What happens when a privileged object calls a less privileged object? It’s complicated. We have a language runtime, so we have a point of control, but how do we know who’s allowed to do what, since it’s dynamic? It’s based on who called you: the call stack. Part of the complexity of the JVM is stack introspection to figure out permissions. This was used a lot by signed (free access) vs. unsigned (sandboxed) Java applets. But then the Java runtime has to check the signatures. So you can end up with bugs at all levels; complexity is the enemy of security. &lt;br /&gt;
&lt;br /&gt;
Talking about privileges at the process level, what about browsers? Think browser extensions. Extensions were originally just code loaded into the browser that could change how the browser worked. Nowadays, starting with Chrome, extensions are given permissions. Modern browsers have to run JavaScript at different privilege levels, which brings complexity and bugs, a lot of which are found in extensions.  &lt;br /&gt;
&lt;br /&gt;
In this context, what is sandboxing? Isolating code and limiting its access, kind of like a process. How do we implement this? Sandboxing is a goal; there are no implementation-specific details associated with it. NaCl (Native Client) runs x86 machine code in the browser but sandboxes it. You have something that makes sure the code is safe, removing instructions that violate the rules, before running it. But they needed it to be more portable, so they made PNaCl, which runs byte code. This was standardized into WebAssembly. Lesson: sandboxing is not a technology; it’s a goal of limiting access, usually by filtering, maybe with CPU help, etc. &lt;br /&gt;
&lt;br /&gt;
What do we mean when we say that OSs sandbox apps? OS virtualization is at the heart of apps on mobile devices and containers on servers. In the system model, it’s like putting a box around a process (or processes). Disadvantage: kernels weren’t designed to do resource isolation, so resource sharing is complicated.&lt;/div&gt;</summary>
		<author><name>Dominique</name></author>
	</entry>
	<entry>
		<id>https://homeostasis.scs.carleton.ca/wiki/index.php?title=SystemsSec_2018W_Lecture_6&amp;diff=21488</id>
		<title>SystemsSec 2018W Lecture 6</title>
		<link rel="alternate" type="text/html" href="https://homeostasis.scs.carleton.ca/wiki/index.php?title=SystemsSec_2018W_Lecture_6&amp;diff=21488"/>
		<updated>2018-02-01T17:29:45Z</updated>

		<summary type="html">&lt;p&gt;Dominique: /* Notes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Audio==&lt;br /&gt;
&lt;br /&gt;
[http://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec06-24Jan2018.m4a Lecture 6 Audio]&lt;br /&gt;
&lt;br /&gt;
==Notes==&lt;br /&gt;
Note on the experiences: Everyone gets one re-grade. You can resubmit on the same topic or choose a new one.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Ubuntu 17.10 is the standard the Professor is using. Login name: “student”, password: “tneduts!”&lt;br /&gt;
&lt;br /&gt;
How can you SSH into the VM?&lt;br /&gt;
In the VM settings, go to Network, then Adapters. Under adapters there are “attached to” options. &lt;br /&gt;
&lt;br /&gt;
There’s an implicit firewall with a NAT (network address translation) system. It protects from random incoming packets by dropping them, but it does not protect from attacks piggybacking on other traffic, like the JavaScript that runs when you visit a webpage. &lt;br /&gt;
&lt;br /&gt;
Your VM is NATted to the outside world; it shares your host box’s IP address.&lt;br /&gt;
&lt;br /&gt;
More “attached to” options that control the sharing of IP addresses and access to the outside world:&lt;br /&gt;
&lt;br /&gt;
  - NAT network: The VM can talk to the outside world but not to the host box&lt;br /&gt;
&lt;br /&gt;
  - Host only adapter: The VM can only talk to the host&lt;br /&gt;
&lt;br /&gt;
  - Internal network: VMs can talk together but not to the outside world&lt;br /&gt;
&lt;br /&gt;
  - Bridged adapter: The VM pretends it has an ethernet connection, so the VM has its own IP address&lt;br /&gt;
&lt;br /&gt;
The way the Professor set up SSH into the VM: have multiple adapters, one set to NAT and one set to host-only. This isn’t trivial; imagine configuring network topologies for the cloud. You need a lot of knowledge to do even simple things. &lt;br /&gt;
&lt;br /&gt;
=On the experiences=&lt;br /&gt;
&lt;br /&gt;
Why shouldn’t you make scripts setuid root? You would be giving a non-privileged program setuid privileges. How are you going to drop the privileges? &lt;br /&gt;
&lt;br /&gt;
C is problematic, but everything is written for C, so it has to be used. &lt;br /&gt;
Anti-viruses have a lot of privileged access to your system, which creates its own risk, so they’re not worth it.&lt;br /&gt;
&lt;br /&gt;
What damage could those exercises do to the system? Corrupt the password file, lock yourself out of sudo, lose root.&lt;br /&gt;
Making a copy of sudo using “cp” doesn’t make a working copy; use “cp -a” instead. &lt;br /&gt;
&lt;br /&gt;
The shadow file has the password hashes because the passwd file is readable by everyone. You can turn shadow off, which will put the passwords back into the passwd file.&lt;br /&gt;
&lt;br /&gt;
For the experience on restricting network access, how do you know it works? The Professor recommended not using the VM for this experience.&lt;/div&gt;</summary>
		<author><name>Dominique</name></author>
	</entry>
</feed>