four six lightning talks (and a long one)
TRANSCRIPT
![Page 2: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/2.jpg)
The Talks• Why Open Source Vendors are Bad for
Security
• “Be Liberal in What you Accept” - NOT!
• DNSSEC
• PEIM
• OpenPGP/SDK
• Anonymous Presence
• CaPerl
![Page 3: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/3.jpg)
Why Open Source Vendors are Bad for
Security
![Page 4: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/4.jpg)
What do OS Vendors do?
• Package and bundle existing software
• Modify it to comply to their own vision
• Backport security fixes to old versions
• and fail to indicate that they have done so
![Page 5: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/5.jpg)
What do OS Vendors do?
• Break security fixes during packaging
• Introduce security flaws during packaging
![Page 6: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/6.jpg)
Disclosure Classification
• Zero-days
• Disclosure via the author of the software
• Disclosure via a packager of the software
• Disclosure via some co-ordinator
![Page 7: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/7.jpg)
Flavours of Co-ordinators
• CERT
• NISCC
• linux-vendors
![Page 8: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/8.jpg)
CERTThe CERT/CC is a major reporting center for Internet security problems. Staff members provide technical
advice and coordinate responses to security compromises, identify trends in intruder activity, work
with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product
vulnerabilities, publishes technical documents, and presents training courses.
![Page 9: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/9.jpg)
NISCCNISCC has no regulatory, legislative or law
enforcement role; it seeks to achieve its aim through four broad work streams:
• Threat Assessment. Using a wide range of resources to investigate, assess and disrupt threats.
• Outreach. Promoting protection and assurance by encouraging information sharing, offering advice
and fostering best practice. • Response. Warning of new threats; advising on mitigation; managing disclosure of vulnerabilities;
helping the CNI investigate and recover from attack. • Research and Development. Devising the most
advanced techniques and methods to support efforts across all work streams.
![Page 10: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/10.jpg)
linux-vendors
• Secret mailing list
• Not just Linux - at least FreeBSD too
![Page 11: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/11.jpg)
The Role of Co-ordinators(theory)
• Initial point of contact
• Mediate between authors, packagers, disclosers and “critical” users
• Co-ordinate fix releases
• Manage public notification
![Page 12: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/12.jpg)
The Role of Co-ordinators(practice)
• Protect their stakeholders
• Extend timelines to enable commercial vendors to complete lengthy internal processes
• Completely fail to help the clueful (i.e. those who can roll their own builds)
![Page 13: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/13.jpg)
Zero-days
• The world gets the announcement simultaneously
• The authors fix the software and release a patch
• Packagers then incorporate that patch and release their own updates
• Users of the base package get fixed first
![Page 14: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/14.jpg)
Disclosure via Author
• Author is notified, produces fix in conjunction with the attacker
• Two variants
• Author notifies co-ordinator and/or packagers
• Author releases patch to the world
• Users of the base package and maybe some packagers get fixed first
![Page 15: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/15.jpg)
Disclosure via Vendor
• Vendor is notified, produces fix in conjunction with author (maybe) and notifier
• May notify some other vendors and/or co-ordinator
• Users of the base package and some packagers get fixed first
![Page 16: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/16.jpg)
Disclosure via Co-ordinator
• Co-ordinator is notified, works with author to produce advisory and fixes
• If the co-ordinator has their way, advisory and fix is circulated to the favoured few first
• The co-ordinator does not always win this fight
• Favoured few get fixed first, followed by the rest of the world (base package users first, of course)
![Page 17: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/17.jpg)
Why are Vendors a Problem?
• Rather than make it easy for users to take a new version of software directly from the authors, they patch it and package it - this introduces delay
• Even worse, attempting to use the base package is usually untenable, or even destructive
![Page 18: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/18.jpg)
Why are Vendors a Problem?
• Vendors create the need for co-ordination - if everyone could use the base package, everyone would get fixed at the same time
• Vendors create the myth that they are needed for reliability
![Page 19: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/19.jpg)
What’s the Fix?
• Packagers should work with authors to make their packages redundant - or at least minimal
• Packagers should figure out how to help their users, rather than how to make themselves indispensable
![Page 20: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/20.jpg)
Be Liberal In What You Accept - NOT!
![Page 21: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/21.jpg)
The Original Quote
“In general, an implementation should be conservative in its sending behavior, and liberal in its receiving behavior.” RFC 760, Internet Protocol, Ed. Jon Postel
![Page 22: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/22.jpg)
CAN 2004-1099 A Cisco Secure Access Control Server (ACS) that is
configured to use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to authenticate users to the network will allow access to any user that uses a cryptographically correct certificate as long as
the user name is valid. Cryptographically correct means that the certificate is in the appropriate format
and contains valid fields. The certificate can be expired, or come from an untrusted Certificate
Authority (CA) and still be cryptographically correct.
![Page 23: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/23.jpg)
CAN-2004-0840
The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows
Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange
Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message
containing length values that are not properly validated.
![Page 24: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/24.jpg)
HTTP Request SmugglingPOST http://SITE/foobar.html HTTP/1.1Host: SITEConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 0Content-Length: 44
GET /poison.html HTTP/1.1Host: SITEBla: GET http://SITE/page_to_poison.html HTTP/1.1Host: SITEConnection: Keep-Alive
Proxy skips this
And sees this
Webserver sees this
And skips this
![Page 25: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/25.jpg)
HTTP Request Smuggling
• More fun if the webserver is using name-based virtual hosts
• Even more fun if the webserver has proxying enabled (Apache under some Linux distros does by default!)
![Page 26: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/26.jpg)
TCPA
• The plan is to have TCPA in all sorts of components
• Ethernet cards
• VGA cards
• Disk drives
• I leave you to ponder the implications of multiple implementations of TCPA
![Page 27: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/27.jpg)
DNSSEC
![Page 28: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/28.jpg)
DNSSEC
• DNSSEC is effectively signed DNS
• Signatures are hierarchical, starting at the root
• All responses are signed, including negative responses
• No online signing allowed!
![Page 29: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/29.jpg)
What Does it Look Like?
www.somewhere.org IN A?
org. IN KEY ...org. IN SIG ...somewhere.org. IN KEY ...somewhere.org. IN SIG ...www.somewhere.org. IN A 1.2.3.4www.somewhere.org. IN SIG ...
![Page 30: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/30.jpg)
Problems
• Response size
• “Islands of Trust”
• Key rollover
• Negative responses lead to zone walking
![Page 31: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/31.jpg)
Response Size
• Responses are BIG
• Big responses need TCP
• Many firewalls block TCP port 53
![Page 32: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/32.jpg)
Islands of Trust
• Until everything is signed, there will be zones that have no parent signature
• Three solutions
• Every resolver has every island’s root keys
• Cross-certification
• Domain Lookaside Validation
![Page 33: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/33.jpg)
Key Rollover
• How do we expire old keys and introduce new ones?
• Only a problem at the root(s)
• Two solutions
• Resolvers are manually reconfigured
• Threshold signing
• Amazingly, this is still an open problem
![Page 34: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/34.jpg)
Negative Responses
nonexistent.somewhere.org IN A?
org. IN KEY ...org. IN SIG ...somewhere.org. IN KEY ...somewhere.org. IN SIG ...mail.somewhere.org. NSEC A www.somewhere.org.mail.somewhere.org. SIG ...
![Page 35: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/35.jpg)
Walking the Zone
mail.somewhere.org IN A 1.2.3.4ns1.somewhere.org IN A 2.3.4.5ns2.somewhere.org IN A 3.4.5.6www.somewhere.org IN A 4.5.6.7
![Page 36: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/36.jpg)
Walking the Zonea.somewhere.org. IN A?somewhere.org. IN NSEC A mail.somewhere.org.
mail0.somewhere.org. IN A?mail.somewhere.org IN NSEC A ns1.somewhere.org.
ns10.somewhere.org. IN A?ns1.somewhere.org. IN NSEC A ns2.somewhere.org.
ns20.somewhere.org. IN A?ns2.somewhere.org. IN NSEC A www.somewhere.org.
www0.somewhere.org. IN A?www.somewhere.org. IN NSEC A somewhere.org.
![Page 37: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/37.jpg)
The Fix
nonexistent.somewhere.org. IN A?
H(www.somewhere.org)=AF72B....H(nonexistent.somewhere.org)=C01593...H(ns.somewhere.org)=F2178....
AF72B.... IN NSEC3 A F2178....AF72B.... IN SIG ...
![Page 38: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/38.jpg)
Privacy Enhanced Identity Management
• Google Summer of Code
• Caroline Sheedy - Dublin City University
• Mentored by the Apache Software Foundation
• A library of building blocks for zero knowledge proofs
![Page 39: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/39.jpg)
Zero Knowledge 101
• Prover proves a fact in (near) zero knowledge
• Verifier verifies the fact
• Certifier may certify the fact
• Auditor may audit the proof
![Page 40: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/40.jpg)
Where’s Waldo?
• I want to prove I know where Waldo is, without revealing the location.
![Page 41: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/41.jpg)
Zero Knowledge 101
Prover
Fact
CertifierFact
Signature
![Page 42: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/42.jpg)
FactSignature
Verifier
Zero Knowledge 101
Prover
FactSignature
FactSignature
Auditor
![Page 43: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/43.jpg)
Bit Commitment
• Not exactly ZK, but related
• No Certifier
• Prover chooses a bit, and commits to it
• Later the Prover reveals the bit, and the Verifier can verify no cheating
![Page 44: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/44.jpg)
What We’re Implementing
• Several bit commitment schemes
• ZK proof that we hold a signed certificate without revealing the certificate
• ZK proof that we know a member of a set without revealing which member
• ZK proof that we have a signed number X s.t. X > Y, without revealing X.
![Page 45: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/45.jpg)
What the Library Provides
• Low-level functions to do the tricky crypto goop
• No protocols
• No marshalling
![Page 46: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/46.jpg)
OpenPGP/SDK
• Free C implementation of OpenPGP
• Sponsored by Nominet
• BSD licensed
• Co-author: Rachel Willmer
![Page 47: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/47.jpg)
Goals
• Complete
• Flexible
• Storage agnostic
• Protocol agnostic
• Correct
![Page 48: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/48.jpg)
Functionality
• Parse OpenPGP packets into in-memory data structures
• Decompress compressed packets and parse the contents
• Call the application back for each complete packet
• Check signatures
![Page 49: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/49.jpg)
Functionality
• Construct OpenPGP packets
• Compress them
• Sign them
![Page 50: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/50.jpg)
Example: Read Secret Keystatic ops_secret_key_t skey;
static ops_parse_callback_return_tcallback(const ops_parser_content_t *content,void *arg_) { if(content->tag == OPS_PTAG_CT_SECRET_KEY) { memcpy(&skey,&content->content.secret_key,sizeof skey); skey_found=ops_true; return OPS_KEEP_MEMORY; }
return OPS_RELEASE_MEMORY; }
![Page 51: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/51.jpg)
void get_key(const char *keyfile) { ops_reader_fd_arg_t arg; ops_parse_options_t opt;
ops_parse_options_init(&opt); opt.cb=callback;
arg.fd=open(keyfile,O_RDONLY); assert(arg.fd >= 0); opt.reader_arg=&arg; opt.reader=ops_reader_fd;
ops_parse(&opt);
.... }
Example: Read Secret Key
![Page 52: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/52.jpg)
Example: Write Public Key
ops_write_struct_public_key(&skey.public_key,&opt); ops_fast_create_user_id(&id,user_id); ops_write_struct_user_id(&id,&opt); ops_signature_start(&sig,&skey.public_key,&id, OPS_CERT_POSITIVE); ops_signature_add_creation_time(&sig,time(NULL)); ops_keyid(keyid,&skey.public_key); ops_signature_add_issuer_key_id(&sig,keyid); ops_signature_add_primary_user_id(&sig,ops_true); ops_signature_hashed_subpackets_end(&sig); ops_write_signature(&sig,&skey.public_key,&skey,&opt); ops_secret_key_free(&skey);
![Page 53: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/53.jpg)
Anonymous Presence
![Page 54: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/54.jpg)
Objectives• Alice wants to rendezvous with Bob
• Alice doesn’t want anyone to know she is talking to Bob
• Alice and Bob don’t want their conversations to be linked
• A rendezvous server is required
• There is a global passive adversary
• The server is not trusted
![Page 55: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/55.jpg)
Apres
• A system to achieve this
• Alice and each of her friends share a secret
• At each time slice, Alice calculates H(secret,timeslice) for each friend
• Alice sends the list to the server
![Page 56: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/56.jpg)
Apres
• The server finds matching values and relays messages between them
• Alice and Bob set up a secure session based on the shared secret (e.g. modified Diffie-Hellman)
• They can then talk via the server, or directly if they choose
![Page 57: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/57.jpg)
Unlinkability
• Since only Alice and Bob know the secret, H(secret,timeslice) gives unlinkability
• However, when the time changes, they mustn’t switch to the new value synchronously
• Solution: always start new timeslices a random time before they are due, and stop a random time after they expire
![Page 58: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/58.jpg)
Unlinkability
• Alice is identifiable by number of friends
• Solution: add dummies up to the next round number
![Page 59: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/59.jpg)
Implementation
• Apres exists as a Perl library
• Test versions for plain TCP and IRC
• IRC uses a bot and a plugin
![Page 61: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/61.jpg)
Summary
Motivation
What are capabilities?
Why are they good?
History lesson
Capability Languages
CaPerl
![Page 62: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/62.jpg)
Motivation
Collaboration means sharing - code, too
Sharing code is dangerous
I want to be able to run scripts I know nothing about
![Page 63: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/63.jpg)
The Traditional Approach
Sandboxes, jails ... call them what you will
But sandboxes are either too restrictive or too lax
One per script? Are you kidding?
There must be a better way!
I claim there is: capabilities
![Page 64: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/64.jpg)
What’s a Capability?
Not a POSIX capability
An opaque thingy that represents the ability to do something
For example...Read /some/file/somewhere
Write /some/other/file/somewhere/else
Talk on the socket connected to somehost:someport
Put money into Ben’s bank account
Take money out of Ben’s bank account
![Page 65: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/65.jpg)
Why are capabilities good?
Environment can choose exactly what the visiting code can do
New capabilities can be invented by writing (easy) code
Designation is authorisation
Security partitions within code are easy
![Page 66: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/66.jpg)
Why not use the traditional approach?
Its hard to express “allow the program to write the file the user chose, and no other”
You do everything twice
Its OK to do X
Please do X
![Page 67: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/67.jpg)
Why not use the traditional approach?
You do everything thrice - BACKWARDS!
Please do X
Damn! Permission denied
Its OK to do X
Please do X
![Page 68: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/68.jpg)
Why not use the traditional approach?
Or ... you don’t do it at all.
![Page 69: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/69.jpg)
If capabilities are so great, why aren’t we all using them?
![Page 70: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/70.jpg)
History
Invented in the 60s
Implemented in hardware, 1970-77
Hardware was slow and expensive
Shot down by academics - “just ACLs in disguise”
![Page 71: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/71.jpg)
History (Operating Systems)
KeyKOS
EROS
Coyotos
CapROS
Amoeba
![Page 72: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/72.jpg)
The Granovetter Diagram
![Page 73: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/73.jpg)
Capability Languages
Requirements for capabilities
Implementing capabilities in standard languages
Designing the language around capabilities
Modifying standard languages
![Page 74: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/74.jpg)
Language requirements
Capabilities are represented by opaque thingiesAn objectA bound function
A random numberA pointer
Capabilities cannot be forgedCapabilities cannot be discoveredAuthority is confined to capabilitiesOnly trusted code can create capabilities with new powersSummary: if you don’t have the capability, you can’t do it
![Page 75: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/75.jpg)
Implementing capabilities in standard languages
Opacity is a problem
Forgeability is a problem
Confining authority is a problem
But ... we already know which languages people like
![Page 76: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/76.jpg)
How about C?
Out of the question!
All code has free access to all RAM
No way to confine authority
No way to prevent forging
![Page 77: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/77.jpg)
C++?
For our purposes, the same as C
![Page 78: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/78.jpg)
Python?
Perhaps proxies work
It may be true, but they’re horribly awkward to use
Restricted execution mode is not maintained
![Page 79: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/79.jpg)
Perl
Forget it!
Way too clever
Can load arbitrary binary
Possibly clever overloading would work, but......would we ever trust it?
![Page 80: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/80.jpg)
Smalltalk?
Squeak-E, apparently
![Page 81: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/81.jpg)
Ruby? Erlang? Haskell?
I have no idea!
Not widely used
![Page 82: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/82.jpg)
Build the language around capabilities
Several advantages
Safety
Ease of use
Language fits the problem
But how many new languages succeed?
![Page 83: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/83.jpg)
E
Very cool language
Deferred evaluation
Cunning network tricks
![Page 84: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/84.jpg)
E example
def calcMilesBeforeEmptyVow(carRcvr) { def [milesBeforeEmptyPromise, milesBeforeEmptyResolver] := Ref.promise() def fuelRemainingVow := carRcvr <- getFuelRemaining() def mpgVow := carRcvr <- getEfficiency() when (fuelRemainingVow, mpgVow) -> done(fuelRemaining, mpg) { milesBeforeEmptyResolver.resolve(mpg * fuelRemaining) } catch prob {milesBeforeEmptyResolver.smash("Car Lost" + prob)} return milesBeforeEmptyPromise}
![Page 85: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/85.jpg)
What’s wrong with E?
Written by academic language nerds
Esoteric syntax
Monthly syntax changes
Based on Java
![Page 86: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/86.jpg)
Others?
Mozart?
![Page 87: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/87.jpg)
Modifying existing languages
Risk reduction
Shallow learning curve
My preferred option
Not always possible
![Page 88: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/88.jpg)
Python
Modify the interpreter
Interpreter has no clue what is going on
Python developers not interested
Restricted execution mode is broken...
...and no-one cares.
![Page 89: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/89.jpg)
Perl
Inspiration! Use the language itself to enforce capability discipline
![Page 90: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/90.jpg)
CaPerl: outline
What is CaPerl?
Language modifications
“Taming”
Using CaPerl
Implementation
Examples
![Page 91: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/91.jpg)
What is CaPerl?
Converts Perl into a capability language
Compiles into standard Perl
Compiler is written in Perl and yapp
![Page 92: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/92.jpg)
Language modifications
We introduce the notion of trusted vs. untrusted code
![Page 93: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/93.jpg)
Language modifications
public sub ...
anyone can call it
trusted sub ...
only trusted code or its own module can call it
sub ...
only its own module can call it
![Page 94: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/94.jpg)
Language modifications
use module;
module must have been compiled by CaPerl
use untrusted module;
Only trusted code can do this
module can be anything
![Page 95: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/95.jpg)
Language modifications
bless $self,$class;
Only trusted code can do this
bless $self;
Untrusted code can do this
![Page 96: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/96.jpg)
Trusted Code
Can do almost all standard Perl stuff
Can only look inside objects belonging to the same module
Can import any module
Can call any function in the same module
Can call both public and trusted functions in other modules
![Page 97: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/97.jpg)
Untrusted Code
Can not call plain (i.e. non O-O) functions
Can only look inside objects belonging to the same module
Can only import trusted modules compiled with CaPerl
Can call any function in the same module
Can only call public functions in other modules
![Page 98: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/98.jpg)
Taming
Wrap libraries with capabilities
Only trusted code can tame (obviously)
Then we can use (almost) all of CPAN!
WARNING: you have to use your brains to tame
![Page 99: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/99.jpg)
Implementation
yapp and Perl create a parse tree
Standard Perl emitted directly from the tree
Simple recursion, small amount of context passed down the tree
Surprisingly small
Almost all trivial
![Page 100: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/100.jpg)
Using CaPerl
Compile code: caperl module.tm
Tell the compiler whether each module is trusted or untrusted
The output is Perl, which you run in the normal way, with the CaPerl libraries on the LIBPATH
Modules are completely independent of each other
![Page 101: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/101.jpg)
Innards
Marking CaPerl code
Restricting function calls
Making objects opaque
Loading only appropriate (i.e. trusted/untrusted) modules
Control of function calls
![Page 102: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/102.jpg)
Marking CaPerl code
becomes
package module;$module::CAPERL_CODE=1;
package module;
$module::CAPERL_TRUSTED=1;
![Page 103: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/103.jpg)
Restricting function calls$obj->func();
becomes
(my($T1,$T2),$T1=$obj,$T2=ref($T1),(eval "\$${T2}::CAPERL_CODE" || croak 'not a capability'),$T1)->func();
![Page 104: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/104.jpg)
Restricting function calls
sub func {
becomes
sub func { my ($Tp,$Tf,$Tl)=caller; confess "Attempt to call private function from $Tf($Tl)" if $Tp ne 'module';
![Page 105: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/105.jpg)
Restricting function calls
trusted sub func {
becomes
sub func { my ($Tp,$Tf,$Tl)=caller; confess "Attempt to call trusted function from $Tf($Tl)" if $Tp ne 'module' && !eval "\$${Tp}::CAPERL_TRUSTED";
![Page 106: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/106.jpg)
Restricting function calls
public sub func {
becomes
sub func {
![Page 107: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/107.jpg)
Making objects opaque
becomes
(my ($Tleft,$Tr),($Tleft=$obj, $Tr=ref($Tleft),$Tr eq 'ThisModule' || $Tr eq 'HASH' || die "attempt to dereference object of type '$Tr'"), $Tleft)->{thing}
$obj->{thing}
![Page 108: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/108.jpg)
use somemodule;
becomes
use somemodule;$somemodule::CAPERL_CODE || croak ‘somemodule is not CaPerl code’;
Loading modules
![Page 109: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/109.jpg)
Loading modules (trusted code)
use untrusted module;
becomes
use module;
![Page 110: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/110.jpg)
Examples
Run untrusted CGIs
Tame opendir
![Page 111: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/111.jpg)
Run untrusted CGIs
use untrusted CGI;use Wrap::CGI;use untrusted CGI::Carp;use Wrap::POSIX;
my $cgi=new Wrap::CGI(new CGI());
$cgi->print($cgi->header(-type => 'text/html'));
![Page 112: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/112.jpg)
my $e=\%ENV;my $path=$e->{PATH_INFO};my $base=$e->{WRAP_CGI_BASE};
croak('Bad path info: '.$path) if $path !~ /^\/([A-Za-z0-9_]+)$/;$path=$1;
Run untrusted CGIs
![Page 113: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/113.jpg)
my $dir=”../wrapped-dirs/$path”;mkdir($dir,0700) || $! == $EEXIST || croak(“Can't create subdir $dir: $!”);
use CAP::RWDirectory;my $dc=new CAP::RWDirectory($dir);
use untrusted File::Slurp;my $text=read_file(“$base/$path.pm”);eval($text);
my $o=eval(“new $path”);$o->go($cgi,$dc);
Run untrusted CGIs
![Page 114: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/114.jpg)
Tamingpackage Wrap::opendir;
use untrusted Symbol;
trusted sub new { my $class=shift; my $dir=shift;
my $self={}; bless $self,$class; $self->{dir}=$dir;
return $self;}
![Page 115: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/115.jpg)
Tamingsub DESTROY { my $self=shift;
$self->closedir() if defined($self->{handle});}
public sub opendir { my $self=shift;
$self->{handle}=gensym(); return opendir($self->{handle},$self->{dir});}
![Page 116: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/116.jpg)
Tamingpublic sub readdir { my $self=shift;
croak() if !$self->{handle}; return readdir($self->{handle});}
public sub closedir { my $self=shift;
my $ret=closedir($self->{handle}); delete($self->{handle}); return $ret;}
![Page 117: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/117.jpg)
Where have I punted?
Actually, not in very many places
Language support is incomplete
Maybe should be “native” modules that can do plain Perl
Loading of modules should be through capabilities
![Page 118: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/118.jpg)
Conclusions
Capabilities are not as hard to implement as you might think
Capabilities are not as hard to use as you might think
Using pre-compilation to add capabilities to existing languages is not only viable, its relatively easy
Capabilities have powerful security properties
![Page 119: Four Six Lightning Talks (and a long one)](https://reader033.vdocuments.mx/reader033/viewer/2022042107/6256e956096c7548985c2a57/html5/thumbnails/119.jpg)
Questions?
http://caperl.links.org/
(not up yet)