2008 NSDI: Wedge
Reference:
- A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: Splitting Applications into Reduced-privilege Compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI’08, pages 309–322, Berkeley, CA, USA, 2008. USENIX Association.
Evaluation
Apache/OpenSSL
- Introduce compartments to preserve the confidentiality and integrity of SSL connections:
- protect the server’s RSA private key
- prevent one user from obtaining the cleartext sent over another user’s SSL connection
- or prevent one user from injecting content to another user’s SSL connection.
The SSL session key is computed from three inputs:
- a random value supplied by the server, in clear text;
- a random value supplied by the client, in clear text;
- a random value supplied by the client, encrypted using the server's public key.
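To make the compartment boundary concrete, here is an added example (not code from the Wedge paper, Apache or OpenSSL). It derives a TLS 1.0 master secret from exactly the three inputs listed above using the real PRF from RFC 2246, and places the only operation that needs the server's private key, decrypting the third input, behind a hypothetical callgate class (`PrivateKeyGate`). The RSA part is textbook and unpadded with constructed toy parameters, so it is not secure; it exists only so the example runs offline and shows which side of the boundary holds which secret.

```python
import hmac

# --- TLS 1.0 key derivation (RFC 2246, sections 5 and 8.1) -------------------
# This is the real PRF; it needs no secret other than the premaster secret.

def p_hash(hash_name, secret, seed, length):
    """P_hash data expansion: HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed); S1/S2 are the two halves."""
    half = (len(secret) + 1) // 2           # the halves share the middle byte when odd
    s1, s2 = secret[:half], secret[-half:]
    return bytes(x ^ y for x, y in zip(p_hash("md5", s1, label + seed, length),
                                       p_hash("sha1", s2, label + seed, length)))

def master_secret(premaster, client_random, server_random):
    """48-byte master secret from the three handshake inputs listed in the notes."""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)

# --- Toy RSA (constructed parameters, unpadded, NOT secure) ------------------
# A real server uses padded RSA from a crypto library; this only makes the
# "who holds the private exponent" boundary runnable offline.
TOY_P, TOY_Q = 2**31 - 1, 2**61 - 1        # two Mersenne primes
TOY_N, TOY_E = TOY_P * TOY_Q, 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))   # modular inverse, Python 3.8+
CHUNK = 8                                   # 64-bit blocks, well below the ~92-bit modulus

def rsa_encrypt_chunks(n, e, data):
    """Public-key side: encrypt data block by block (the client holds only n and e)."""
    assert len(data) % CHUNK == 0
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(data), CHUNK)]

def rsa_decrypt_chunks(n, d, blocks):
    """Private-key side: only ever called from inside the callgate below."""
    return b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in blocks)

# --- The compartment boundary ------------------------------------------------
class PrivateKeyGate:
    """Hypothetical callgate: the only code that holds the private exponent.

    The network-facing code passes in the three handshake inputs and gets back
    only the derived master secret; neither the private key nor the decrypted
    premaster secret crosses the boundary in the other direction.
    """
    def __init__(self, n, d):
        self._n, self._d = n, d

    def derive_master_secret(self, client_random, server_random, encrypted_premaster):
        premaster = rsa_decrypt_chunks(self._n, self._d, encrypted_premaster)
        if len(premaster) != 48:            # TLS premaster secrets are exactly 48 bytes
            raise ValueError("malformed premaster secret")
        return master_secret(premaster, client_random, server_random)

def unprivileged_handshake(gate, client_random, server_random, encrypted_premaster):
    """All the untrusted, network-facing compartment can do with its inputs."""
    return gate.derive_master_secret(client_random, server_random, encrypted_premaster)

if __name__ == "__main__":
    # Constructed sample handshake values; in real TLS these come off the wire.
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    premaster = bytes(range(48))            # chosen by the client
    encrypted = rsa_encrypt_chunks(TOY_N, TOY_E, premaster)
    key = unprivileged_handshake(PrivateKeyGate(TOY_N, TOY_D),
                                 client_random, server_random, encrypted)
    print(key.hex(), key == master_secret(premaster, client_random, server_random))
```

The point of the split is visible in the object graph: `PrivateKeyGate` is the only holder of `TOY_D`, and the value it returns is the per-connection master secret, so a compromise of the network-facing code yields at most the keys of connections it was handling, never the long-lived private key.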
OpenSSH
Goals for partitioning OpenSSH:
- Minimize the code with access to the server’s private key.
- Before authentication, run with minimal privilege, so that exploits are contained;
- After authentication, run with full privileges for the authenticated user;
- Prevent bypassing of authentication, even if the minimally privileged code is exploited.
Started partitioning with OpenSSH version 3.1p1, the last version prior to the introduction of privilege separation.
- The network-facing code that runs during authentication -> an unprivileged sthread.
- Explicitly give the sthread:
- read access to the server's public key and configuration options;
- read/write access to the connection's file descriptor.
- Further confine the sthread by:
- running it as an unprivileged user;
- setting its filesystem root to an empty directory.
- Callgate 1: 280 lines of C; the server's private key is protected behind this gate.
- Callgate 2: password authentication.
- Callgate 3: DSA key-based authentication.
- Callgate 4: S/Key challenge-response authentication.