Presentation on theme: "The Plan 9 Security Architecture"— Presentation transcript:
1The Plan 9 Security Architecture Russ Cox, MIT LCSjoint work withEric Grosse, Rob Pike,Dave Presotto, Sean QuinlanBell Labs, Lucent Technologies
2What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
3What is a security architecture? An interface for applications toauthenticate users and servicesestablish secure channelsA mechanism to manage authentication secrets (keys)Lots of code to implement cryptographic protocols and functionsOS protection: user ids, access permissions, etc.
4Goals Clarity Ease of use Decoupling of security from application code if a user doesn’t understand key management and how the system works, there’s not much security.Ease of useif security is hard to use, it won’t get used.Decoupling of security from application codesecurity code is hard to get right.fix problems without touching applications.
5Systems approach Security involves technology: protocols, math, etc. not the focus today.assume all this as fundamentalsFocus on how to deploy within OS contextmust be integrated into environment (not ssh)users will “work around” hard-to-use security
6What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
7Plan 9 Research OS developed at Bell Labs Easy for us to work on: development since late 1980sbase for other research since 1995Easy for us to work on:we wrote and control all the sourcesimple design makes everything easier
8Plan 9 principles Every resource has a file-like name One protocol, 9P, used by kernel to access remote or user-level resourcesEach process has its own private, malleable name space
9All resources are files Examples/dev/time current time/net/ether0 ethernet device/net/tcp TCP network connections/env/path environment variable $path/dev/draw graphics device/mnt/wsys window system control filesInterfaces are usually textual
10One file protocol, 9P get handle for file system root Simple, small protocol13 message typeseasy to write new servers, filtersattachget handle for file system rootwalkdescend the hierarchystatwstatopenreadwriteclunkthrow away a handle
11Name space Resources gathered in hierarchical name space Shared by all members of process grouprfork(RFNAMEG) starts new process groupChanging the name space:mount(int fd, char *mtpt, int flags, char *name);bind(char *dir, char *mtpt, int flags);Shell level% dial tcp!emelie!9fs /srv/emelie% mount /srv/emelie /n/emelie% bind /386/bin /bin% bind –a $home/386/bin /bin
12Example: rio, the window system Starts with kernel devices/dev/mouse, /dev/draw, /dev/screen, /dev/consProvides same interface to each clientworks because of per-process name spaces/dev/mouse always means “my mouse”Client looks identical to servercan run clients without window systemcan run rio inside itself (debugging, remote desktop)
13Overall security model User logs in to terminalTypes password, stored locally, used to authenticate remote servicesAuth server holds secret information encryptedAuth protocols use auth server to authenticate both sides of connection.Auth protocol is part of 9P attach messageOccasionally, one user must authenticate for another user: the speaks for relationExample: cpu command causes CPU server to connect to file server on behalf of the remote user
14Host owner Local machine resources owned by the host owner normal user accountno a priori special privilegeson terminals, the user who booted the terminalon CPU servers, a pseudo-userAnalogous to root but much weakeronly controls local resourceshas no special powers outside its machinecannot read everyone’s files, etc.
15What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
16File permissions All resources are files Familiar model for access control: file permissionsalrwxrwxrwx, a is append-only, l is exclusive usepermissions enforced by servers, not kernelsystem logs are a-rw-rw-rw-no syslog daemon: programs write directly to logmail spools are alrw--w--w-to deliver mail, just open mailbox and write a message
17SandboxingSince all resources are in name space, if we control name space we control resources untrusted user can seeSandbox: construct a name space with only those resources the user should be able to accessTurn off the ability to make new network connectionsunmount("/net")Turn off ability to add new local resourcesrfork(RFNOMNT)Start user process
18Advantages (so far)System architecture provides a focus for design of securityUniform way to provide access to resources leads to uniform way to control access.File permissionsName space manipulationSandboxing is easy and intuitively secureNo superuser
19What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
20Problems (about to be fixed) One security domaincan’t be rsc in one place and rcox in anothercan’t have different passwordsAuth protocol hard-wired into 9Pfixing an auth bug would require redefining 9PAuth code in all servers, clients, kernelsfixing an auth bug would require extensive code changesNeedham-Schroeder-like shared key authenticationpasswords, DES keys too short: vulnerable to eavesdropper dictionary attack
21What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
22Redesign around an agent – factotum From the Oxford English Dictionary:a. In L. phrases: Dominus factotum, used for ‘one who controls everything’, a ruler with uncontrolled power; Johannes factotum, a Jack of all trades, a would-be universal genius. Also fig.b. One who meddles with everything, a busybodyc. In mod. sense: A man of all-work; also, a servant who has the entire management of his master’s affairs.
23Factotum interface This is Plan 9, so factotum is a file server % cd /mnt/factotum% ls –l-lrw … gre gre 0 Apr 17 13:47 confirm--rw-r--r-- … gre gre 0 Apr 17 13:47 ctl-lr … gre gre 0 Apr 17 13:47 log-lrw … gre gre 0 Apr 17 13:47 needkey--r--r--r-- … gre gre 0 Apr 17 13:47 proto--rw-rw-rw- … gre gre 0 Apr 17 13:47 rpc%
24Factotum overview Factotum Secstore Kernel holds keys uses keys to execute authentication protocolshost owner’s factotum moderates identity changes on that machineuser can run his own factotum; programs use whatever is at /mnt/factotumSecstoreprovides a safe for holding keysconsulted by factotum to retrieve keysKernelallows host owner’s factotum to issue identity change capabilities
25Example boot sequence Kernel starts, user logs in user[none]: greUser has account on local secstore server, so fetch factotum keys from secstoresecstore password: *********STA PIN+SecurID: *********Factotum uses keys to authenticate to other services (mail, file servers, VNC) during login
26Keys A key is a list of attribute=value pairs: proto=p9sk1 dom=cs.xyz.com user=gre!password=xyzzy confirm=yesproto=apop server=comcast.netuser=gre12345 !password=booThe ‘!’ prefix means “secret; don’t show this in key list”Attributes are known either byfactotum itself – proto, confirm, ownerthe protocols – password, user, server, domthe user – anything else
27Factotum and keysKeys are added to factotum by writing them to the ctl file.% cd /mnt/factotum% cat >ctlkey dom=bell-labs.com proto=p9sk1 user=gre!password=’don’’t tell’key proto=apop server=x.y.com user=gre!password=’secret mail’^D% cat ctlkey dom=bell-labs.com proto=p9sk1 user=gre !password?key proto=apop server=x.y.com user=gre !password?%
28Key patterns Key patterns are attribute=value pairs. The key must be a superset of the pattern% cat ctlkey dom=bell-labs.com proto=p9sk1 user=gre !password?key proto=apop server=x.y.com user=gre !password?% echo ’delkey proto=apop’ >ctl%
29Secstore Secure, encrypted file store for small, precious files a safe to hold keysPAK protocol provides password-based accesshash password to yield auth keyactively attacking PAK is equivalent to computational Diffie-HellmanFile encryption/decryption performed by clienthash password another way to yield crypt keyif server is compromised, attacker must break individual files
30Secstore and factotumFactotum fetches file named factotum from secstore at boot timeassumed to hold initial set of keysuser[none]: gresecstore password: *****can reload the secstore file into factotum at any timesecstore –G factotum >/mnt/factotum/ctlcan edit the key file (fetch to ramfs, edit, put back)User must remember only one passwordcan be fairly high entropystored keys can be arbitrarily high entropy
31Factotum interface for programs Authproxy executes RPCs over /mnt/factotum/rpc to proxy a conversation between factotum and a file descriptor.Attr *a;AuthGetkey *getkey;a = authproxy(fd, getkey, “proto=p9any role=client”);Last argument is a key pattern, as a printf-style string:a = authproxy(fd, getkey, “proto=p9any role=client server=%s”, machine);Attr holds attr=value results of authenticationuser name and domain at other endnonce keys for the conversationpossibly a capability to change user id
32Identity changes via capabilities User id changes are managed by capabilitiesstringallows a process running as oldname to become newnamesingle useHost owner’s factotum issues capabilities by writing their SHA1 checksums to /dev/caphashecho | sha1sum >/dev/caphashFactotum hands capability to another process, which then writes it to /dev/capuseecho >/dev/capuse/dev/caphash is removed after the host owner’s factotum startsother host owner processes can’t use it.
33Unprivileged, safe servers Servers run as none, the opposite of a superusercan’t debug any processesexplicitly excluded from some file systems (e.g., dump)(like everyone else,) requires a capability in order to become another userBugs in server are less criticalon Unix, servers run as root: breaking a server gives you full accesson Plan 9, servers run as none: breaking a server gives you hardly any access
34New 9P Need to decouple 9P from authentication protocol Plan 9 is all about making everything look like filesso make 9P authentication look like reading and writing a fileauth open an auth fileread, write to execute protocolattach no auth info but afid instead… continue as before
35Authentication in the new 9P First connect to the file server:fd = dial(“tcp!emelie!9fs”);Next use a system call to emit a message to create (and open) a one-time authentication file:afd = fauth(fd, “service”);Then run the authentiation protocol over it:a = authproxy(afd, nil, “proto=…”);Finally use afd in mount callmount(fd, afd, “/n/emelie”, MREPL, “service”);
36What is a security architecture? OutlineWhat is a security architecture?What is Plan 9?What did Plan 9 do right?What did Plan 9 do wrong?How did we fix it?Conclusion
37FutureConnect factotum to web browser for access to web-hosted servicesPort factotum to Unix and WindowsThe cron problemGet rid of speaks for: it makes cpu server host owner too special
38Summary A file-oriented approach to security A secure place to keep your keysA trusted agent to handle themA clean way to separate security code from kernels, applications, etc.Advantages:easy to understand the modeleasy to useeasy to change keys, protocols, implementationsMore secure and easier to use.
39Links Plan 9 paper Security paper Plan 9 distribution Email Security paperPlan 9 distribution