Analyzing Capsicum for Usability and Performance Ben Farley.

Presentation transcript:

Analyzing Capsicum for Usability and Performance Ben Farley

Motivation
- Security is important
- Rise in large-scale cyber attacks (e.g. Stuxnet)
- Software is written by programmers
  - Security is only as good as they can make it
- Software is big
  - Programs get very hard to analyze and understand as they get bigger

The Problem
- Security is difficult!
- Ideal: simple-to-use security
  - Intuitive, makes sense to developers
  - Doesn't hurt functionality of programs
  - Provides security without too much extra complexity
- Even more ideal: simple-to-migrate?

Outline
- Evaluation Criteria
- Capsicum
- Performance
- Usability
- Limitations
- Conclusion

Evaluation Criteria
- Performance
- Programmer usability
- (Also important: is it secure?)
- Example: server hosting files

Capsicum
- Provides new security primitives for UNIX
- Capability
  - Unforgeable token of authority
  - Replaces file descriptors when accessing resources
  - Holding a capability is sufficient to allow access to a resource
- Capability mode
  - Limits access to the global namespace
  - Can only use what you already had
- Library that provides more complicated functionality

Performance
- Is it fast (or is it not slow)?
- Principle: reasonable to take a minor performance hit for improved security
- More complicated calls = more overhead
  - How much more?
  - When and where?

Performance (chart: time taken per system call, in microseconds)

Performance (chart: time taken, in microseconds)

Performance
- Certain calls have significant overhead
- Certain calls have none
- Real application?

Usability
- Server example
- Security policy: clients can only access their own files on the file system
- Server thread accepts requests, spawns workers as it receives them
  - Better: thread pool?
- Limited interaction between worker and server
- Most communication is between client and worker
  - Via sockets (capabilities)
- Workers untrusted

Usability (two sequence diagrams between Server, Worker and Client)
- Normal server and worker: Request, Spawn worker, Do work, Done
- Capsicum server and worker: Request, Spawn worker, Get capabilities, Start sandbox, Do work, Done
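The Capsicum server/worker flow from the slides above (open the client's file, spawn the worker, give it a capability, start the sandbox, do the work), as an added example that is not part of the talk. It assumes FreeBSD's Capsicum API (cap_rights_limit, cap_enter, ECAPMODE); those calls are compiled only on FreeBSD, so on other hosts the worker runs without the sandbox and only the fork-and-read path is exercised. The function names, the CAP_READ-only policy and the temp file are constructed for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_rights_*, cap_enter(): FreeBSD only */
#endif

/* Server: open the client's file and cut the descriptor down to CAP_READ
 * before spawning the worker. Worker (child): enter capability mode, prove
 * the global namespace is gone, then serve from the inherited capability.
 * Returns the bytes the worker read; -2 if the worker could still open a
 * path, -3 if it could write through the capability, -1 on other errors. */
int serve_readonly(const char *path) {
    char buf[64]; int fd = open(path, O_RDONLY), status;
    if (fd < 0) return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ);          /* no CAP_WRITE, no CAP_FSTAT */
    if (cap_rights_limit(fd, &rights) < 0) return -1;
#endif
    pid_t pid = fork();                          /* "spawn worker" */
    if (pid < 0) return -1;
    if (pid == 0) {                              /* worker side */
#ifdef __FreeBSD__
        if (cap_enter() < 0) _exit(101);         /* "start sandbox" */
        if (open(path, O_RDONLY) != -1 || errno != ECAPMODE) _exit(102);
#endif
        ssize_t n = read(fd, buf, sizeof buf);   /* allowed: CAP_READ */
        if (write(fd, "x", 1) != -1) _exit(103); /* must be refused */
        _exit(n < 0 ? 100 : (int)n);
    }
    close(fd);                                   /* server keeps no copy */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 102 ? -2 : code == 103 ? -3 : code >= 100 ? -1 : code;
}

/* Constructed input: a temp file holding "hello" stands in for a client's file. */
int demo(void) {
    char tmpl[] = "/tmp/capsicum_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0 || write(fd, "hello", 5) != 5) return -1;
    close(fd);                  /* only the read capability reaches the worker */
    int n = serve_readonly(tmpl);
    unlink(tmpl);
    return n;
}
```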

Server performance (chart: time taken, in milliseconds)

Usability
- Not intuitive or easy to learn
  - Poor documentation
  - Some arbitrary choices in the implementation
- But! Automatable?
  - Specific (limited) points of interest: open(), fork(), etc.
  - Most things stay the same: read(), write(), close(), etc.
  - Can get away with looking only at the types of things you might want to modify

Limitations
- Cannot "revoke" capabilities
(sequence diagram between Server, Worker and Client; labels: Request, Get job, Send capabilities, Do work, Done, Get job, Revoke capabilities, Security policy violated!)

Limitations
- Somewhat ad hoc implementation
  - Send capabilities = normal IPC message, but tack on some stuff
    - Good and bad
- Root-level attacker = bad news

Conclusion
- Provides good functionality
- Slight performance hit
- Slight usability hit
  - But programming-languages people should be able to fix/help this

Thanks!