SlideShare a Scribd company logo

Linux seccomp(2) vs OpenBSD pledge(2)

Giovanni Bechis
Giovanni Bechis

seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.

Software
1 of 32
Download to read offline
Linux seccomp(2) vs OpenBSD pledge(2) Giovanni Bechis <giovanni@openbsd.org> Open Source Summit Europe 2017, Prague
About Me sys admin and developer @SNB OpenBSD hacker for ∼ 10 years random patches in random open source software (amavisd-new, courier-imap, cyrus-sasl, memcached, ...)
Mitigations stack protector stack buffer underrun detection ASLR (Address space layout randomization) prevents exploitation of memory corruption vulnerabilities WˆX priv-sep and priv-drop
dangerous system calls Disable system calls a process should not call SE Linux systrace Capsicum seccomp(2) pledge(2)
Linux seccomp(2) first version in Linux 2.6.12 (2005) filters enabled via /proc/$PID/seccomp in Linux 3.5 (2012) ”filter” mode has been added (”seccomp2”) can control which syscall are permitted via a BPF ”program” some programs are using seccomp(2) (Chrome, OpenSSH, vsftpd, systemd, Firefox, Docker, LXC, ...) in Linux 3.8 (2013) via /proc/$PID/status we can obtain the seccomp(2) status (if, for example, seccomp(2) is disabled) in Linux 3.17 (2014) seccomp(2) system call has been added as a superset of prctl(2)
OpenBSD pledge(2) introduced in OpenBSD 5.8 (2015) as tame(2), than renamed to pledge(2) still under development, some new features are coming in OpenBSD pledge(2) cannot be disabled around 500 programs with pledge(2) support in base around 50 ports patched to have pledge(2) support (unzip, mutt, memcached, chromium, ...)
seccomp(2) vs pledge(2) approaching the ”syscalls” problem study the program figure out all syscalls the program needs ”promise” only the operations that are really needed strace(1) or ktrace(1) and gdb(1) if something goes wrong
seccomp(2) vs pledge(2) program is annotated with pledge(2)/seccomp(2) calls/promises kernel enforces annotations and kills/reports the program that does not respect promises
seccomp(2) vs pledge(2) #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <linux/signal.h> #include <sys/ptrace.h> int seccomp(unsigned int operation, unsigned int flags, void *args); #include <unistd.h> int pledge(const char *promises, const char *paths[]);
seccomp(2) vs pledge(2) $ wc -l seccomp/hello-seccomp.c seccomp/seccomp-bpf.h 58 seccomp/hello-seccomp.c 34 seccomp/seccomp-bpf.h 92 total $ wc -l pledge/hello-pledge.c 17 pledge/hello-pledge.c
seccomp(2) vs pledge(2) #define _GNU_SOURCE 1 #include <stdio.h> #include <stddef.h> #include <stdlib.h> #include <unistd.h> [...] static int install_syscall_filter(void) { struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL, [...] KILL_PROCESS, }; struct sock_fprog prog = { .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), .filter = filter, }; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl(NO_NEW_PRIVS)"); goto failed; } if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { perror("prctl(SECCOMP)"); goto failed; } return 0; } int main(int argc, char **argv) { FILE *fd; if((install_syscall_filter()) == 0) { printf("Hello !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); } fclose(fd); return 0; } else { return 1; }
seccomp(2) vs pledge(2) #include <stdio.h> #include <unistd.h> int main(int argc, char **argv) { FILE *fd; if(pledge("stdio", NULL) != -1) { printf("Hello !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); } fclose(fd); return 0; } else { return 1; } }
seccomp(2) permitted syscalls #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <linux/signal.h> #include <sys/ptrace.h> int seccomp(unsigned int operation, unsigned int flags, void *args); every single syscall available could be allowed
pledge(2) promises #include <unistd.h> int pledge(const char *promises, const char *paths[]); ””: exit(2) stdio: malloc + rw stdio rpath, wpath, cpath, tmppath: open files fattr: explicit changes to ”fd” (chmod & friends) unix, inet: open sockets dns: dns requests route: routing operations sendfd: sends file descriptors via sendmsg(2) recvfd: receive file descriptors via recvmsg(2) getpw: passwd/group file access ioctl: small subset of ioctls is permitted tty: subset of ioctl for tty operations proc: fork(2), vfork(2), kill(2) and other processes related operations exec: execve(2) is allowed to create another process which will be unpledged settime: allows to set the system time pf: allows a subset of ioctl(2) operations on pf(4) device
seccomp(2) reporting if you create a ”int install syscall reporter(void);” function the kernel will report which syscalls you need. kernel4.4$ ./hello-report Hello ! Looks like you also need syscall: open(2)
seccomp(2) reporting #include "syscall-reporter.h" #include "syscall-names.h" const char * const msg_needed = "Looks like you also need syscall: "; int install_syscall_reporter(void) { struct sigaction act; sigset_t mask; memset(&act, 0, sizeof(act)); sigemptyset(&mask); sigaddset(&mask, SIGSYS); act.sa_sigaction = &reporter; act.sa_flags = SA_SIGINFO; if (sigaction(SIGSYS, &act, NULL) < 0) { perror("sigaction"); return -1; } if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) { perror("sigprocmask"); return -1; } return 0; }
seccomp(2) reporting kernel2.6.32$ ./hello prctl(NO_NEW_PRIVS): Invalid argument SECCOMP_FILTER is not available. :( kernel3.10$ ./hello Bad system call kernel3.10$ ./hello-report Looks like you also need syscall: mmap(9) kernel4.4$ ./hello Hello ! Bad system call kernel4.4$ ./hello-report Hello ! Looks like you also need syscall: open(2)
pledge(2) reporting openbsd6.2$ ./hello Hello ! Abort trap (core dumped)
seccomp(2) logging dmesg(1) and rsyslogd(8) Oct 12 16:02:56 ubuntu kernel: auditd: type:1326 audit(1507816976.188:30): auid=1000 uid=1000 gid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 pid=1227 comm="hello" exe="/home/test/src/hello" sig=31 arch=c000003e syscall=2 compat=0 ip=0x7fbb3ab75010 code=0x0 Oct 12 16:02:56 ubuntu audit[1227]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 pid=1227 comm="hello" exe="/home/test/src/hello" sig=31 arch=c000003e syscall=2 compat=0 ip=0x7fbb3ab75010 code=0x0
pledge(2) logging dmesg(8) and syslogd(8) Oct 12 16:17:30 laptop /bsd: hello(31340): syscall 5 "rpath" $ grep -A1 "^5 STD" /usr/src/sys/kern/syscalls.master 5 STD { int sys_open(const char *path, int flags, ... mode_t mode); } lastcomm(1) and daily(8) on OpenBSD ≥ 6.2 (with accounting enabled)
pledge(2) logging rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) ls - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16) cc - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.64)
pledge(2) logging From root@bigio.paclan.it Sat Jun 17 16:08:46 2017 Delivered-To: root@bigio.paclan.it From: Charlie Root <root@bigio.paclan.it> To: root@bigio.paclan.it Subject: bigio.paclan.it daily output OpenBSD 6.1-current (GENERIC) #1: Fri Jun 16 22:37:23 CEST 2017 giovanni@bigio.paclan.it:/usr/src/sys/arch/amd64/compile/GENERIC 4:08PM up 35 mins, 3 users, load averages: 0.26, 0.13, 0.10 Purging accounting records: hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16)
adding pledge(1) support to ∼ 500 programs Index: worms.c =================================================================== RCS file: /var/cvs/src/games/worms/worms.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -p -r1.22 -r1.23 --- worms.c 18 Feb 2015 23:16:08 -0000 1.22 +++ worms.c 21 Nov 2015 05:29:42 -0000 1.23 @@ -1,4 +1,4 @@ -/* $OpenBSD: worms.c,v 1.22 2015/02/18 23:16:08 tedu Exp $ */ +/* $OpenBSD: worms.c,v 1.23 2015/11/21 05:29:42 deraadt Exp $ */ /* * Copyright (c) 1980, 1993 @@ -182,6 +182,9 @@ main(int argc, char *argv[]) struct termios term; speed_t speed; time_t delay = 0; + + if (pledge("stdio rpath tty", NULL) == -1) + err(1, "pledge"); /* set default delay based on terminal baud rate */ if (tcgetattr(STDOUT_FILENO, &term) == 0 &&
[memcached] adding seccomp support #include "config.h" #include <seccomp.h> #include <errno.h> #include <stdlib.h> #include "memcached.h" // In the future when the system is more tested this could be switched // to SCMP_ACT_KILL instead. #define DENY_ACTION SCMP_ACT_ERRNO(EACCES) void drop_privileges(void) { scmp_filter_ctx ctx = seccomp_init(DENY_ACTION); if (ctx == NULL) { return; } int rc = 0; rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); #ifdef MEMCACHED_DEBUG rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); #endif if (rc != 0) { goto fail; } rc = seccomp_load(ctx); if (rc < 0) { goto fail; } [...] }
[memcached] adding pledge support #include <errno.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include "memcached.h" /* * this section of code will drop all (OpenBSD) privileges including * those normally granted to all userland process (basic privileges). The * effect of this is that after running this code, the process will not able * to fork(), exec(), etc. See pledge(2) for more information. */ void drop_privileges() { extern char *__progname; if (settings.socketpath != NULL) { if (pledge("stdio unix", NULL) == -1) { fprintf(stderr, "%s: pledge: %sn", __progname, strerror(errno)); exit(EXIT_FAILURE); } } else { if (pledge("stdio inet", NULL) == -1) { fprintf(stderr, "%s: pledge: %sn", __progname, strerror(errno)); exit(EXIT_FAILURE); } } }
what to do if something goes wrong ? prctl(PR_SET_NO_PRIVS,1, 0, 0, 0) = 0 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len = 19, filter = 0x7fffc3349260}) = 0 fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0 ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0 brk(NULL) brk(0xd83000) write(1, "Hello !n", 8Hello ! ) = 8 +++ Killed by SYGSYS +++ Bad system call (core dumped)
what to do if something goes wrong ? 94140 hello CALL write(1,0xb56246ae000,0x8) 94140 hello GIO fd 1 wrote 8 bytes "Hello ! " 94140 hello RET write 8 94140 hello CALL kbind(0x7f7ffffcbee8,24,0x73b422cd44dee9e4) 94140 hello RET kbind 0 94140 hello CALL open(0xb53f8a00b20,0<O_RDONLY>) 94140 hello NAMI "/etc/passwd" 94140 hello PLDG open, "rpath", errno 1 Operation not permitted 94140 hello PSIG SIGABRT SIG_DFL 94140 hello NAMI "hello.core"
what to do if something goes wrong ? $ gdb hello hello.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.1"... Core was generated by ‘hello’. Program terminated with signal 6, Aborted. Loaded symbols for /home/data/ossummit_2017/src/hello Reading symbols from /usr/lib/libc.so.89.5...done. Loaded symbols for /usr/lib/libc.so.89.5 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 5 {standard input}: No such file or directory. in {standard input} (gdb) bt #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 #1 0x000009f584a3f559 in *_libc_open_cancel (path=Variable "path" is not available. ) at /usr/src/lib/libc/sys/w_open.c:36 #2 0x000009f584aaab82 in *_libc_fopen (file=0x9f2b8b00b20 "/etc/passwd", mode=Variable "mode" is not available. ) at /usr/src/lib/libc/stdio/fopen.c:54 #3 0x000009f2b8a005dc in main (argc=1, argv=0x7f7ffffc3c58) at hello.c:8 Current language: auto; currently asm (gdb)
don’t you speak ”C” ? import sys, os from seccomp import * f = SyscallFilter(defaction=KILL) f.add_rule(ALLOW, "exit_group") f.add_rule(ALLOW, "rt_sigaction") f.add_rule(ALLOW, "brk") f.add_rule(ALLOW, "open") f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.load() tmp_fd = os.open(’/tmp/test.txt’, os.O_WRONLY) os.write(tmp_fd, ’Hello, worldn’)
don’t you speak ”C” ? use OpenBSD::Pledge; my $file = "/usr/share/dict/words"; pledge(qw( rpath )) || die "Unable to pledge: $!"; open my $fh, ’<’, $file or die "Unable to open $file: $!n"; while ( readline($fh) ) { print if /pledge/i; } close $fh; system("ls");
The future ?
seccomp(2) vs pledge(2) - Bibliography http://man7.org/linux/man-pages/man2/seccomp.2.html https://man.openbsd.org/pledge.2 https://wiki.mozilla.org/Security/Sandbox/Seccomp https://github.com/aggsol/linux-pledge https://github.com/seccomp/libseccomp https://github.com/afresh1/OpenBSD-Pledge

Recommended

BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Linux packet-forwarding
Linux packet-forwardingLinux packet-forwarding
Linux packet-forwardingMasakazu Asama
 
Linux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersLinux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersBrendan Gregg
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 

Recommended

BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Linux packet-forwarding
Linux packet-forwardingLinux packet-forwarding
Linux packet-forwardingMasakazu Asama
 
Linux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersLinux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersBrendan Gregg
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話ichirin2501
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 
Block I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktraceBlock I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktraceBabak Farrokhi
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance AnalysisBrendan Gregg
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Brendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hwvideos
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel sidellj098
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSDGiovanni Bechis
 

More Related Content

What's hot

The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話ichirin2501
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 
Block I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktraceBlock I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktraceBabak Farrokhi
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance AnalysisBrendan Gregg
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Brendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hwvideos
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel sidellj098
 

What's hot (20)

The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話外部キー制約に伴うロックの小話
外部キー制約に伴うロックの小話
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android Emulator
 
Block I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktraceBlock I/O Layer Tracing: blktrace
Block I/O Layer Tracing: blktrace
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance Analysis
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolve
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel side
 

Similar to Linux seccomp(2) vs OpenBSD pledge(2)

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?Docker, Inc.
 
Alexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersAlexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersDevDay Dresden
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Docker Container: isolation and security
Docker Container: isolation and securityDocker Container: isolation and security
Docker Container: isolation and security宇 傅
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
CUDA Deep Dive
CUDA Deep DiveCUDA Deep Dive
CUDA Deep Divekrasul
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovPivorak MeetUp
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisAnne Nicolas
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonoveurobsdcon
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaFerdinand Jamitzky
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
httplinux.die.netman3execfork() creates a new process by.docx
httplinux.die.netman3execfork() creates a new process by.docxhttplinux.die.netman3execfork() creates a new process by.docx
httplinux.die.netman3execfork() creates a new process by.docxadampcarr67227
 
망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15종인 전
 
start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()Kiwamu Okabe
 

Similar to Linux seccomp(2) vs OpenBSD pledge(2) (20)

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?
 
Alexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersAlexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for Developers
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Npc14
Npc14Npc14
Npc14
 
Docker Container: isolation and security
Docker Container: isolation and securityDocker Container: isolation and security
Docker Container: isolation and security
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
 
CUDA Deep Dive
CUDA Deep DiveCUDA Deep Dive
CUDA Deep Dive
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysis
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
httplinux.die.netman3execfork() creates a new process by.docx
httplinux.die.netman3execfork() creates a new process by.docxhttplinux.die.netman3execfork() creates a new process by.docx
httplinux.die.netman3execfork() creates a new process by.docx
 
망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15
 
start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()
 

More from Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
Pf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourcePf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourceGiovanni Bechis
 

More from Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Pf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourcePf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open source
 

Recently uploaded

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...masabamasaba
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationShrmpro
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 

Recently uploaded (20)

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 

Linux seccomp(2) vs OpenBSD pledge(2)

  • 1. Linux seccomp(2) vs OpenBSD pledge(2) Giovanni Bechis <giovanni@openbsd.org> Open Source Summit Europe 2017, Prague
  • 2. About Me sys admin and developer @SNB OpenBSD hacker for ∼ 10 years random patches in random open source software (amavisd-new, courier-imap, cyrus-sasl, memcached, ...)
  • 3. Mitigations stack protector stack buffer underrun detection ASLR (Address space layout randomization) prevents exploitation of memory corruption vulnerabilities WˆX priv-sep and priv-drop
  • 4. dangerous system calls Disable system calls a process should not call SE Linux systrace Capsicum seccomp(2) pledge(2)
  • 5. Linux seccomp(2) first version in Linux 2.6.12 (2005) filters enabled via /proc/$PID/seccomp in Linux 3.5 (2012) ”filter” mode has been added (”seccomp2”) can control which syscall are permitted via a BPF ”program” some programs are using seccomp(2) (Chrome, OpenSSH, vsftpd, systemd, Firefox, Docker, LXC, ...) in Linux 3.8 (2013) via /proc/$PID/status we can obtain the seccomp(2) status (if, for example, seccomp(2) is disabled) in Linux 3.17 (2014) seccomp(2) system call has been added as a superset of prctl(2)
  • 6. OpenBSD pledge(2) introduced in OpenBSD 5.8 (2015) as tame(2), than renamed to pledge(2) still under development, some new features are coming in OpenBSD pledge(2) cannot be disabled around 500 programs with pledge(2) support in base around 50 ports patched to have pledge(2) support (unzip, mutt, memcached, chromium, ...)
  • 7. seccomp(2) vs pledge(2) approaching the ”syscalls” problem study the program figure out all syscalls the program needs ”promise” only the operations that are really needed strace(1) or ktrace(1) and gdb(1) if something goes wrong
  • 8. seccomp(2) vs pledge(2) program is annotated with pledge(2)/seccomp(2) calls/promises kernel enforces annotations and kills/reports the program that does not respect promises
  • 9. seccomp(2) vs pledge(2) #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <linux/signal.h> #include <sys/ptrace.h> int seccomp(unsigned int operation, unsigned int flags, void *args); #include <unistd.h> int pledge(const char *promises, const char *paths[]);
  • 10. seccomp(2) vs pledge(2) $ wc -l seccomp/hello-seccomp.c seccomp/seccomp-bpf.h 58 seccomp/hello-seccomp.c 34 seccomp/seccomp-bpf.h 92 total $ wc -l pledge/hello-pledge.c 17 pledge/hello-pledge.c
  • 11. seccomp(2) vs pledge(2) #define _GNU_SOURCE 1 #include <stdio.h> #include <stddef.h> #include <stdlib.h> #include <unistd.h> [...] static int install_syscall_filter(void) { struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL, [...] KILL_PROCESS, }; struct sock_fprog prog = { .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), .filter = filter, }; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl(NO_NEW_PRIVS)"); goto failed; } if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { perror("prctl(SECCOMP)"); goto failed; } return 0; } int main(int argc, char **argv) { FILE *fd; if((install_syscall_filter()) == 0) { printf("Hello !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); } fclose(fd); return 0; } else { return 1; }
  • 12. seccomp(2) vs pledge(2) #include <stdio.h> #include <unistd.h> int main(int argc, char **argv) { FILE *fd; if(pledge("stdio", NULL) != -1) { printf("Hello !n"); if((fd = fopen("/etc/passwd", "r"))) { printf("Passwd file openedn"); } fclose(fd); return 0; } else { return 1; } }
  • 13. seccomp(2) permitted syscalls #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <linux/signal.h> #include <sys/ptrace.h> int seccomp(unsigned int operation, unsigned int flags, void *args); every single syscall available could be allowed
  • 14. pledge(2) promises #include <unistd.h> int pledge(const char *promises, const char *paths[]); ””: exit(2) stdio: malloc + rw stdio rpath, wpath, cpath, tmppath: open files fattr: explicit changes to ”fd” (chmod & friends) unix, inet: open sockets dns: dns requests route: routing operations sendfd: sends file descriptors via sendmsg(2) recvfd: receive file descriptors via recvmsg(2) getpw: passwd/group file access ioctl: small subset of ioctls is permitted tty: subset of ioctl for tty operations proc: fork(2), vfork(2), kill(2) and other processes related operations exec: execve(2) is allowed to create another process which will be unpledged settime: allows to set the system time pf: allows a subset of ioctl(2) operations on pf(4) device
  • 15. seccomp(2) reporting if you create a ”int install syscall reporter(void);” function the kernel will report which syscalls you need. kernel4.4$ ./hello-report Hello ! Looks like you also need syscall: open(2)
  • 16. seccomp(2) reporting #include "syscall-reporter.h" #include "syscall-names.h" const char * const msg_needed = "Looks like you also need syscall: "; int install_syscall_reporter(void) { struct sigaction act; sigset_t mask; memset(&act, 0, sizeof(act)); sigemptyset(&mask); sigaddset(&mask, SIGSYS); act.sa_sigaction = &reporter; act.sa_flags = SA_SIGINFO; if (sigaction(SIGSYS, &act, NULL) < 0) { perror("sigaction"); return -1; } if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) { perror("sigprocmask"); return -1; } return 0; }
  • 17. seccomp(2) reporting kernel2.6.32$ ./hello prctl(NO_NEW_PRIVS): Invalid argument SECCOMP_FILTER is not available. :( kernel3.10$ ./hello Bad system call kernel3.10$ ./hello-report Looks like you also need syscall: mmap(9) kernel4.4$ ./hello Hello ! Bad system call kernel4.4$ ./hello-report Hello ! Looks like you also need syscall: open(2)
  • 18. pledge(2) reporting openbsd6.2$ ./hello Hello ! Abort trap (core dumped)
  • 19. seccomp(2) logging dmesg(1) and rsyslogd(8) Oct 12 16:02:56 ubuntu kernel: auditd: type:1326 audit(1507816976.188:30): auid=1000 uid=1000 gid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 pid=1227 comm="hello" exe="/home/test/src/hello" sig=31 arch=c000003e syscall=2 compat=0 ip=0x7fbb3ab75010 code=0x0 Oct 12 16:02:56 ubuntu audit[1227]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 pid=1227 comm="hello" exe="/home/test/src/hello" sig=31 arch=c000003e syscall=2 compat=0 ip=0x7fbb3ab75010 code=0x0
  • 20. pledge(2) logging dmesg(8) and syslogd(8) Oct 12 16:17:30 laptop /bsd: hello(31340): syscall 5 "rpath" $ grep -A1 "^5 STD" /usr/src/sys/kern/syscalls.master 5 STD { int sys_open(const char *path, int flags, ... mode_t mode); } lastcomm(1) and daily(8) on OpenBSD ≥ 6.2 (with accounting enabled)
  • 21. pledge(2) logging rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) ls - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) rm - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.00) hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16) cc - giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.64)
  • 22. pledge(2) logging From root@bigio.paclan.it Sat Jun 17 16:08:46 2017 Delivered-To: root@bigio.paclan.it From: Charlie Root <root@bigio.paclan.it> To: root@bigio.paclan.it Subject: bigio.paclan.it daily output OpenBSD 6.1-current (GENERIC) #1: Fri Jun 16 22:37:23 CEST 2017 giovanni@bigio.paclan.it:/usr/src/sys/arch/amd64/compile/GENERIC 4:08PM up 35 mins, 3 users, load averages: 0.26, 0.13, 0.10 Purging accounting records: hello -DXP giovanni ttyp1 0.00 secs Sat Jun 17 15:56 (0:00:00.16)
  • 23. adding pledge(1) support to ∼ 500 programs Index: worms.c =================================================================== RCS file: /var/cvs/src/games/worms/worms.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -p -r1.22 -r1.23 --- worms.c 18 Feb 2015 23:16:08 -0000 1.22 +++ worms.c 21 Nov 2015 05:29:42 -0000 1.23 @@ -1,4 +1,4 @@ -/* $OpenBSD: worms.c,v 1.22 2015/02/18 23:16:08 tedu Exp $ */ +/* $OpenBSD: worms.c,v 1.23 2015/11/21 05:29:42 deraadt Exp $ */ /* * Copyright (c) 1980, 1993 @@ -182,6 +182,9 @@ main(int argc, char *argv[]) struct termios term; speed_t speed; time_t delay = 0; + + if (pledge("stdio rpath tty", NULL) == -1) + err(1, "pledge"); /* set default delay based on terminal baud rate */ if (tcgetattr(STDOUT_FILENO, &term) == 0 &&
  • 24. [memcached] adding seccomp support #include "config.h" #include <seccomp.h> #include <errno.h> #include <stdlib.h> #include "memcached.h" // In the future when the system is more tested this could be switched // to SCMP_ACT_KILL instead. #define DENY_ACTION SCMP_ACT_ERRNO(EACCES) void drop_privileges(void) { scmp_filter_ctx ctx = seccomp_init(DENY_ACTION); if (ctx == NULL) { return; } int rc = 0; rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); #ifdef MEMCACHED_DEBUG rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); #endif if (rc != 0) { goto fail; } rc = seccomp_load(ctx); if (rc < 0) { goto fail; } [...] }
  • 25. [memcached] adding pledge support #include <errno.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include "memcached.h" /* * this section of code will drop all (OpenBSD) privileges including * those normally granted to all userland process (basic privileges). The * effect of this is that after running this code, the process will not able * to fork(), exec(), etc. See pledge(2) for more information. */ void drop_privileges() { extern char *__progname; if (settings.socketpath != NULL) { if (pledge("stdio unix", NULL) == -1) { fprintf(stderr, "%s: pledge: %sn", __progname, strerror(errno)); exit(EXIT_FAILURE); } } else { if (pledge("stdio inet", NULL) == -1) { fprintf(stderr, "%s: pledge: %sn", __progname, strerror(errno)); exit(EXIT_FAILURE); } } }
  • 26. what to do if something goes wrong ? prctl(PR_SET_NO_PRIVS,1, 0, 0, 0) = 0 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len = 19, filter = 0x7fffc3349260}) = 0 fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0 ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0 brk(NULL) brk(0xd83000) write(1, "Hello !n", 8Hello ! ) = 8 +++ Killed by SYGSYS +++ Bad system call (core dumped)
  • 27. what to do if something goes wrong ? 94140 hello CALL write(1,0xb56246ae000,0x8) 94140 hello GIO fd 1 wrote 8 bytes "Hello ! " 94140 hello RET write 8 94140 hello CALL kbind(0x7f7ffffcbee8,24,0x73b422cd44dee9e4) 94140 hello RET kbind 0 94140 hello CALL open(0xb53f8a00b20,0<O_RDONLY>) 94140 hello NAMI "/etc/passwd" 94140 hello PLDG open, "rpath", errno 1 Operation not permitted 94140 hello PSIG SIGABRT SIG_DFL 94140 hello NAMI "hello.core"
  • 28. what to do if something goes wrong ? $ gdb hello hello.core GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-unknown-openbsd6.1"... Core was generated by ‘hello’. Program terminated with signal 6, Aborted. Loaded symbols for /home/data/ossummit_2017/src/hello Reading symbols from /usr/lib/libc.so.89.5...done. Loaded symbols for /usr/lib/libc.so.89.5 Reading symbols from /usr/libexec/ld.so...done. Loaded symbols for /usr/libexec/ld.so #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 5 {standard input}: No such file or directory. in {standard input} (gdb) bt #0 0x000009f584a507aa in _thread_sys_open () at {standard input}:5 #1 0x000009f584a3f559 in *_libc_open_cancel (path=Variable "path" is not available. ) at /usr/src/lib/libc/sys/w_open.c:36 #2 0x000009f584aaab82 in *_libc_fopen (file=0x9f2b8b00b20 "/etc/passwd", mode=Variable "mode" is not available. ) at /usr/src/lib/libc/stdio/fopen.c:54 #3 0x000009f2b8a005dc in main (argc=1, argv=0x7f7ffffc3c58) at hello.c:8 Current language: auto; currently asm (gdb)
  • 29. don’t you speak ”C” ? import sys, os from seccomp import * f = SyscallFilter(defaction=KILL) f.add_rule(ALLOW, "exit_group") f.add_rule(ALLOW, "rt_sigaction") f.add_rule(ALLOW, "brk") f.add_rule(ALLOW, "open") f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.load() tmp_fd = os.open(’/tmp/test.txt’, os.O_WRONLY) os.write(tmp_fd, ’Hello, worldn’)
  • 30. don’t you speak ”C” ? use OpenBSD::Pledge; my $file = "/usr/share/dict/words"; pledge(qw( rpath )) || die "Unable to pledge: $!"; open my $fh, ’<’, $file or die "Unable to open $file: $!n"; while ( readline($fh) ) { print if /pledge/i; } close $fh; system("ls");
  • 32. seccomp(2) vs pledge(2) - Bibliography http://man7.org/linux/man-pages/man2/seccomp.2.html https://man.openbsd.org/pledge.2 https://wiki.mozilla.org/Security/Sandbox/Seccomp https://github.com/aggsol/linux-pledge https://github.com/seccomp/libseccomp https://github.com/afresh1/OpenBSD-Pledge