WEBVTT

00:00.000 --> 00:08.640
I'm always full again, which means we are ready for the next talk.

00:08.640 --> 00:12.480
We solve our video emergency thanks to the amazing output of Fossdan team.

00:12.480 --> 00:17.080
I have here all of our who is going to talk about a very interesting subject.

00:17.080 --> 00:21.520
He says it isn't interestingly in itself, but I disagree.

00:21.520 --> 00:25.480
Because privilege separation is super difficult, super amazing.

00:25.480 --> 00:29.880
It's probably usually don't see, nothing go, but we have an expert today with

00:29.880 --> 00:32.960
it's going to prove it's wrong, right over plus.

00:32.960 --> 00:44.040
Okay, thanks, you can hear my name is Otto, thanks for the nice introduction, and I want

00:44.040 --> 00:46.560
to talk about privilege separation and go.

00:46.560 --> 00:51.000
So who am I, I said, that's really a matter, I'm just a white guy and tech to talk

00:51.000 --> 00:52.560
about privilege of today.

00:52.560 --> 00:58.520
So as any tech talk, I start with an obligatory xkcd comic, because that's how you do it,

00:58.520 --> 01:05.520
I heard this one is xkcd 1200 authorization, and it shows a nice picture about the user count,

01:05.520 --> 01:09.200
and the user count has access like everything except the admin account.

01:09.200 --> 01:14.680
So the user can access the email, the pictures, the lovings, whatever.

01:14.680 --> 01:19.920
So we start with some kind of implicit recognition for the ledgerist, but how does it reflect

01:19.920 --> 01:26.680
in code on most public, like operating systems, I just stick to this topic, because everything

01:26.680 --> 01:34.720
is not my domain, runs as a user, so code runs with user privileges, and to just tell

01:34.720 --> 01:43.040
it I just try to find the code in here, so we have this, and come on, great success.

01:43.040 --> 01:48.640
So we have this wonderful code, and as we saw just it ran as a user, as you see, running

01:48.640 --> 01:53.240
as other, so we know who does it, and we have privileges, as a user has.

01:53.320 --> 01:57.600
Now you have a privileges to open the file, as you see, and there is open.

01:57.600 --> 02:08.200
So what can else, the code, was running my privileges do, so we can get a bit stupid here,

02:08.200 --> 02:22.180
because we have code running, so this is a good idea, let's find out, oh no, I got

02:22.260 --> 02:26.380
pawned by my presentation, so because we have code here, the code is running with my

02:26.380 --> 02:32.500
user privileges, the code may do something stupid, and leak my credentials, like in this

02:32.500 --> 02:37.500
incident, but okay, so what's all fun and games, but how is it in the real life, I mean

02:37.500 --> 02:41.260
the real-life, no one would do something stupid as have a shell open, where anybody would

02:41.260 --> 02:48.580
code to remote code execution, in the good case, in the reality, in the golden main, we

02:48.660 --> 02:54.060
have lots of lots of lines of code, we include dependencies, those, including dependencies

02:54.060 --> 03:00.740
as well, and as most in this room, when a dependable load comes in, say, if dependency

03:00.740 --> 03:06.700
X was updated, we want to, yeah, it's fine, so maybe for pet release, there were some

03:06.700 --> 03:13.540
7,000 lines of change, I don't know what it does, so my code is running, and maybe do

03:13.540 --> 03:18.980
some things I don't want it to do, so, and this is all just for the good case, maybe

03:18.980 --> 03:23.620
you remember the XZ incident a while back, they were also back down vectors, and just

03:23.620 --> 03:29.100
because none were found, the golden main doesn't mean they aren't any, so for myself

03:29.100 --> 03:34.940
I realized I'm unable to write secure code, I fail at it, and I think down a hard

03:34.940 --> 03:40.540
most of us would fail, so I would say to just go down, that my code only does what

03:40.540 --> 03:45.660
really, only can't do, what's really necessary, so this is like privilege, as I've

03:45.660 --> 03:51.220
seen, the code before could, I don't access my private key, that's my presentation, to

03:51.220 --> 03:57.260
know my private key, I don't think so, so there was once an analogy I heard, it was about

03:57.260 --> 04:02.380
the self-training web-�, like the people who got the web-�, changed themselves before

04:02.380 --> 04:08.180
returns, and back, and so maybe it's impossible to do this code, if there's the question,

04:08.180 --> 04:14.660
yes, I'm going to talk about it today, so yes, in most things, we have an API for that, and

04:14.660 --> 04:20.660
if I say one API, it's like hundreds, we have some different bi-posics, so they're available

04:20.660 --> 04:26.660
in Linux, the BSDs, and other similar operating systems, and we have OS specifics, and

04:26.660 --> 04:33.020
I'm going to talk a bit about those today, but at OS specific, I'm going to limit on Linux,

04:33.020 --> 04:37.780
because I think it affects most people in the rooms, I may say a thing about 2 or 2, about

04:37.780 --> 04:44.300
BSD, about a thing times short, but before actually showing code, talking about, we have

04:44.300 --> 04:50.500
to think about the structure of a code, because if we want to restrict permissions, we may

04:50.500 --> 04:54.580
have to redesign the architecture of a code, like first we start with all the privileges

04:54.580 --> 04:58.980
are possible, and then we try to go down like a cane, and every time we go down, this

04:58.980 --> 05:05.020
is like a barrier, so we drop some privileges, and we drop them for good, so for example,

05:05.020 --> 05:09.460
we say, at first we have to read the configuration file of our software, because there's

05:09.460 --> 05:13.700
everything configured, so we still need the privilege to read files, then after we have

05:13.700 --> 05:17.820
to done, we can say, no, we don't need to read files anymore, and then this is gone,

05:17.820 --> 05:23.660
and so on, and at least we may be run with so little privileges, so that when our software

05:23.660 --> 05:31.980
has a back, it's not bad, and saying when not if, and so, three simple points,

05:32.060 --> 05:39.740
drop a privilege task, drop privileges, that's good, okay, so let's start with the good old

05:39.740 --> 05:46.380
way, which works on everything, projects, and this is, I think most have already got it,

05:46.380 --> 05:51.020
so routing is a code, so routing, and then switching user privileges, so this is the old

05:51.020 --> 05:59.420
way, and that's some things that are so great, but we can get pretty far at it, here I've shown

05:59.980 --> 06:05.980
three code boxes, the first to show you where the input is from, the extended Unix package,

06:05.980 --> 06:11.180
which has the Swiss calls, it differs from operating system on architecture to architecture,

06:11.180 --> 06:17.580
so, but this is almost possible, so this should work on, like everything, except Windows,

06:18.780 --> 06:23.980
I think I'll work Windows, so at first, we see how to change the route, and the change route

06:23.980 --> 06:28.860
means at first, our program can see everything, the route file system sees, and then

06:28.860 --> 06:34.220
but we can say, no, our route shouldn't be the route anymore, we want to run under this directory,

06:34.220 --> 06:38.300
and our empty is one standard directory for that, it should be empty otherwise,

06:39.020 --> 06:44.700
yeah, what's the fun, so we can go into it, and our code now lists in this directory,

06:44.700 --> 06:50.540
but the route isn't actually a security mechanism, so we have to also drop user rights,

06:51.100 --> 06:56.460
and so here we have set groups, so we aren't the group of our user anymore, but only one group,

06:57.100 --> 07:00.780
this group shouldn't be allowed to do anything at the same for the user,

07:02.380 --> 07:08.140
this has set rest UID, because at first we have set UID, but the effect of UID, and so on,

07:08.140 --> 07:13.420
I don't want to go into details, but that's actually how you switch user rights,

07:13.980 --> 07:19.100
the downside is only the route user can do it, so to execute this, you already need extended

07:19.100 --> 07:24.940
privileges, that's the downside, and it was made better with operating specific libraries,

07:24.940 --> 07:32.140
I get two later on, so how to actually use this, I marked the blocks in both, which I showed before,

07:32.140 --> 07:39.740
because otherwise it wouldn't fit on the slides, so first, I would say, show who we are and what

07:39.740 --> 07:44.780
can we do, then I looked up our demo user, it doesn't see user which has any rights,

07:44.860 --> 07:51.500
really where we got where we are going to, then we switch our route and switch our user, so effectively

07:51.500 --> 07:57.340
as a first step, we shouldn't be able to see any files anymore, but we are still a privileged user

07:57.340 --> 08:04.620
and we could theoretically break out, and otherwise as long, we are than a user who can't do anything,

08:04.620 --> 08:10.380
and our code can at least come out access our privacy anymore, so to show it,

08:10.380 --> 08:22.460
okay, okay, at first we see in of all files system, and the end we are running as

08:22.460 --> 08:27.420
either one problem, one and we doesn't see anything, and yes, not presentations are running as

08:27.420 --> 08:36.060
the root user, so as we see, as I said earlier, having to start your application route isn't always

08:36.060 --> 08:39.660
the best thing to do, because for example you have a command line application where you don't

08:39.740 --> 08:45.660
want to have a root user, so there are more modern APIs to restrict file access, and this is

08:45.660 --> 08:51.740
on this is Linux only, and this is the LandLog API, it's quite new in the kernel, but I think

08:51.740 --> 08:57.020
on most of your laptops, if there are Linux device, there should be already available, and LandLog

08:57.020 --> 09:04.460
is a nice API to restrict those files system and network access, to time constraint, I only

09:04.460 --> 09:09.580
will show file system, and this is like the user isn't allowed to view any more, anything,

09:09.580 --> 09:18.540
any more, just a nice package of the GoLandLog project, it's like a go wrapper for this

09:18.540 --> 09:23.900
call, but this is called, and the setup thing is, so I don't have to read any dangerous kernel

09:23.900 --> 09:31.180
APIs, and I can just go, and here we are accessing this API, and say we restrict to passes,

09:31.180 --> 09:39.260
and to know passes, so if we run this, see at first it was the same up before, that was

09:39.260 --> 09:44.780
like we have a root pass system, whatever, afterwards, and we're running it my user other again,

09:44.780 --> 09:50.620
we can't see anything, so this can be done with user privileges, and it's like you see on

09:50.620 --> 09:55.820
the both code, it's three lines, and your code isn't able to access the file system anymore,

09:55.900 --> 10:01.660
in this case we can't pawn ourselves and leak our product key, so this is what the very

10:01.660 --> 10:07.260
true example, but we can't also be a bit more specific, in this case the both lines,

10:07.820 --> 10:13.420
I have restricted the directories to read only for the current directory and see it, just for example,

10:13.420 --> 10:18.380
and even with the right permissions to the temp directory, so in this case if I want to access

10:18.380 --> 10:23.820
as you see it, done there in the loop, the current directory should work because I set the profile

10:24.540 --> 10:30.060
and otherwise if I want to access my dot SSH folder, this should fail because it isn't not in the

10:30.060 --> 10:39.420
allowed part, because it's like an allowance you're going to construct, so yeah great success we see

10:39.420 --> 10:45.420
in the directory there are the first ones slides and but it cannot access my dot SSH folder,

10:46.380 --> 10:52.620
also SSH had earlier, land block can also be used to allow in and out build a bounding TCP connections,

10:52.700 --> 10:57.820
but that gives us a far moment, if it's something you need, take a look into it,

11:01.020 --> 11:05.340
as we're telling earlier, the system calls you're using for example for sure route,

11:05.340 --> 11:11.260
setting user IDs, or land block itself, and system calls are a barrier to privilege, it allows

11:11.260 --> 11:16.620
you to switch your code for just longing user space to get some resource, which is well locked

11:16.620 --> 11:21.420
by the current, and this can be like everything, if you open a file or you open the open or open

11:21.420 --> 11:26.380
at or what else is called, and go you don't use directly, but your code will do it in the end,

11:26.380 --> 11:38.140
and you can't forbid those system calls in, yeah, so let's show it on Linux, on Linux the way to

11:38.140 --> 11:44.940
restrict system calls is a bit complex and it's called SACCOMP BPS, actually it stands for the

11:45.260 --> 11:51.020
package filtering things, so you write a program which inspects every system called your program

11:51.020 --> 11:56.380
makes, and then it says, oh, this is okay, this is not, and you can even access some of the

11:56.380 --> 12:02.540
parameters, you can't do reference pointers, so you can't check strings, but it's very complex,

12:03.100 --> 12:07.980
and this is like the opposite of what I want to show here, that you can do easy things,

12:07.980 --> 12:14.700
this is what we want example of the GoSeccom BPS project, it's a GoRetor, so you don't have to

12:14.780 --> 12:21.100
write BPS code for yourself and your map, and you can write a simple process and go, in this case,

12:22.300 --> 12:27.980
don't, it's in some lines, we say, by default everything's loud, but we forbid the open

12:27.980 --> 12:34.140
says call, and so we can trigger all of this and load this, and afterwards we shouldn't be able

12:34.140 --> 12:42.540
to open this file because, well, it should be open, but this works anyway, and that's the issue

12:42.620 --> 12:47.820
with system codes, because it's on Linux and some other operating systems, system codes aren't

12:47.820 --> 12:54.620
equally for all architectures, for example, if you take a view as a system codes on x86 and

12:54.620 --> 12:59.660
I don't know, some arm, they're quite different and they're all different arm codes, so

13:00.860 --> 13:07.820
in this case, to make this work, it's actually the open access call, we of course all know,

13:07.820 --> 13:12.380
because everyone knows system codes, I don't know, I got this by tracing, and then

13:12.380 --> 13:17.340
it would be forbidding, so what I want to show here, if you want to explicitly filter

13:17.340 --> 13:22.060
system codes, you have to actually trace your program or you write low-level C, and know what you're

13:22.060 --> 13:25.820
doing, but we are in the go-deft room, we write go-code, and we don't want to actually know

13:26.620 --> 13:33.660
what's the compiler does, or it's not my domain, so I looked elsewhere, what to use, and then

13:34.460 --> 13:41.340
well, I stumbled upon system D, actually, because system D, you may know it uses,

13:41.660 --> 13:47.820
has also the possibility to limit system codes, it's called system codes, you write it in

13:47.820 --> 13:52.380
your unit, and then you give some group in it, and they're set like, I like that, system

13:52.380 --> 13:57.500
service is allowed, it's just a collection of my system codes, and you may access some

13:57.500 --> 14:03.820
privilege system codes, and system D automatically uses, creates a second filter, for the one

14:03.820 --> 14:09.980
similar, a familiar with the BSD, especially obviously, it has a similar syntax to the

14:10.300 --> 14:16.540
system code, which is quite nice, but I don't cover here due to time constraints, so I just

14:16.540 --> 14:23.420
did what we do in open-source, I looked at system D code and kind of stolen copy it, and wrote

14:23.420 --> 14:29.180
a small help library, it's over there, it's a source code set, and then you can write a one-line

14:29.180 --> 14:34.380
filter based on groups, in this case, this is actually the system D groups, I have just

14:34.380 --> 14:39.660
always copied around and converted to go, so it's pure go, and then I can say, from now on,

14:39.660 --> 14:45.020
I want to have system codes in the system service group, this is like a fine default,

14:45.020 --> 14:51.260
but can do a lot, but I don't want to have network IO, so I apply this filter, and if I run this,

14:52.380 --> 14:59.420
so yeah, at first, we can open the ETC pass with E, because opening files is in there,

14:59.900 --> 15:07.660
but we shouldn't be able to access the web resource, here we see it exits with that system

15:07.660 --> 15:14.540
code, so in one line, now we were able to say, these kinds of system codes are good, these are

15:14.540 --> 15:20.220
evil, and the evil ones result in your program being shut down, and it's like nothing that

15:20.220 --> 15:25.980
can recover from, in theory, you were able to make it recoverable with second BPS, but in my

15:25.980 --> 15:33.020
small head library, I introduced a lot of my research projects, like tooling programs,

15:33.020 --> 15:41.660
I prefer to say they're actually killed, okay, so far, so far, I just talked about dropping

15:41.660 --> 15:47.740
privileges so far, but I announced something about privilege separation, so what is, if you code

15:47.740 --> 15:53.020
in just one small head project, head of program, but that's one thing, but you want a little

15:53.020 --> 15:59.180
take software, you have running somewhere with thousands of lines, which can do any everything,

15:59.180 --> 16:04.380
if you drop to the union set of everything it needs to be, you have achieved nothing, so this

16:04.380 --> 16:09.020
is where privilege separation comes in, privilege separation means that you take your big

16:09.020 --> 16:15.100
program and separate it into different sub-programs, and now you're able to restrict each sub-program

16:15.100 --> 16:21.500
to its necessary last privileges, these privileges, for example, if you have a tool which needs

16:21.500 --> 16:25.820
that access, because it has some better interface, and it's file access, because it has a

16:25.820 --> 16:31.420
database, you can make two programs out of it, one is only allowed to receive web request, one

16:31.420 --> 16:37.340
with allowed to access a file system for the database, and then you have an IPC or IPC between it,

16:38.940 --> 16:47.100
so how we can do it, at first I just show how one way how to go to do it and go, you just have

16:47.180 --> 16:52.860
some kind of multiple main functions where you jump in, I have brought this fork child helper

16:52.860 --> 16:59.660
method, which is kind of boring, if you look at it, it creates a new process, it's like for

16:59.660 --> 17:04.940
an exec, but we can't actually talk an exec directly in Gales, we use the exec command, which is

17:04.940 --> 17:12.540
quite nice to use, and we just add another flag of the child name, so then we redirect the output

17:13.260 --> 17:20.300
bit boring, one thing which was noting for later, we can go extra files, if you remember,

17:20.300 --> 17:26.540
if you start the process, it's at the SDDM, SDDR, so we have file descriptor 012, but we can give

17:26.540 --> 17:33.260
more for shadowing, so how we do actually use this, here we've got the main function,

17:34.540 --> 17:42.380
below there the parent code, it starts the child, here it's the backcode, and then restrict

17:42.380 --> 17:47.900
itself, so we did a privileged task creating that of child, then we are dropping privileges,

17:47.900 --> 17:53.660
and we're writing for the child to add, the child itself, it starts here, also it drops privileges

17:53.660 --> 17:58.540
to even lower, basically it's just, it just can't write, it can't even open files out of it,

17:58.540 --> 18:06.140
it does the simple hello, it's an exit, so if we run this, okay the output is described

18:07.020 --> 18:12.620
but we have created two processes, one which is allowed to create another process, and another one

18:12.620 --> 18:19.420
which is thus allowed to do some iL same, for example, if we have some library which we don't

18:19.420 --> 18:26.780
trust to parse some input, for example it may be some special yellow case or image manipulation

18:26.780 --> 18:32.460
or whatnot, we can drop this dangerous library, we may have written ourselves, or we got

18:32.460 --> 18:37.740
somewhere from the internet, and we don't really trust in another child's read, we just launch

18:37.740 --> 18:43.660
up the child's read without any privileges, so if there's a vector or resource leak or whatever

18:43.660 --> 18:51.740
in this child's thing it cannot access your files anymore, and then it might die, but your main

18:51.740 --> 18:59.820
program stays safe, so so far we need some communication because mostly we don't just want to

18:59.820 --> 19:06.060
print and have a word to SDD out, but also get some information back, so there's one way

19:07.420 --> 19:13.180
one need way I like to use for communication between processes, and it's a socket pair system

19:13.180 --> 19:19.500
called socket pair 2, it's actually like a bi-duction or pipe, so just two file descriptors,

19:19.500 --> 19:24.220
both can be read and written 2, and it works quite like a unique domain socket which has some

19:24.220 --> 19:31.500
benefits, but it doesn't create any files, so you create a socket pair, and now you give it to the

19:31.500 --> 19:38.940
new child as an extra file descriptor, so you have an additional way of communicating, and just

19:38.940 --> 19:46.060
use it here, I write something in this file descriptor on my side, and the child itself opens this

19:46.060 --> 19:51.740
additional file descriptor, and can read and write into it as well, so we have another pipe

19:51.820 --> 19:55.740
between the parent and the child process, and in this case it's a simple string based

19:55.740 --> 20:01.020
RPC, but you can use the net RPC package over that, you can use GRPC over whatever,

20:01.020 --> 20:06.540
I mean you have a B-directional communication channel now, I just doesn't want to use a full

20:06.540 --> 20:13.980
blown RPC now because I could be overkill, so yeah, I'll send a cello back again, so whatever,

20:15.180 --> 20:20.780
but yeah, I don't want to get into any more details, because otherwise there's definitely

20:20.780 --> 20:25.820
going to be confusing, what I wanted to show so far was, is there more, of course, there's more,

20:26.860 --> 20:31.820
we can also restrict more privileges, more limits, like with the setR limit, there are C groups,

20:31.820 --> 20:36.940
EPPF, which can do a lot of nice things, obviously I haven't covered the previous days,

20:36.940 --> 20:42.780
also nice test account saying, but I don't want to overwhelm you with any much code that doesn't fit

20:42.780 --> 20:48.700
on one slide, my takeaway lesson is think about your code, what can you code through, and how you

20:48.780 --> 20:56.060
can restrict it, how can you bring it down, and there, for example, the second PFF example

20:56.060 --> 21:01.900
I showed of the landlock, it's like a one line you do, because maybe your code only reads

21:01.900 --> 21:07.420
south at one moment and later it shouldn't be, so you can make a one line div and have a great

21:07.420 --> 21:12.220
impact on your program, and then if you want to go farther, then you can think, how can I redesign

21:12.220 --> 21:17.260
a program to make it in the multiple thread or process in this case, and these only go to the

21:17.260 --> 21:24.620
least privileges, so I want to kind of end of this note, reflect on your privileges, what can you

21:24.620 --> 21:31.180
do better, and if you want to have some more information, the specifics had already been there,

21:31.180 --> 21:35.980
on the first, there's a blockpost, the second doesn't exist, because I procrastinated it,

21:35.980 --> 21:41.660
I will make it maybe next week, it's kind of finished, but the repo on codebook exists,

21:41.660 --> 21:45.500
it has examples for everything I showed here, and the way more, for example, how you just

21:45.500 --> 21:50.700
hand actually files over a file descriptor to another program, so if you're interested in the

21:50.700 --> 21:55.660
topic, please check out the demo repo and the first link, the second will work maybe tomorrow,

21:55.660 --> 22:04.060
maybe next year, and get to the same kind of familiar with that, so I think I made it in time,

22:04.060 --> 22:13.100
thanks for your time, a long year, we have talked to him a lot, oh no one off here, okay,

22:14.060 --> 22:18.460
are there any important questions that cannot wait for the whole one track, I got one in

22:18.460 --> 22:28.780
front, please be state silence. Hi, so you can't hear me? Come here, come here mate,

22:30.460 --> 22:35.580
so what I generally don't like about these kind of things, they have a lot of infrastructure codes,

22:35.580 --> 22:40.700
basically in your normal code, the tracks from what you try to do, so when I can see,

22:41.580 --> 22:46.700
they've already asked some very good reasons to do this, and not use like other things like

22:46.700 --> 22:52.780
containers to just, yeah, so when would you actually use this? Okay, yeah, for my perspective,

22:52.780 --> 22:57.020
as a developer, I know what I put to the able to do, if I containerize it, the container

22:57.020 --> 23:02.540
may be running as a very two-proveded user, or otherwise they use something like SA, they don't

23:02.540 --> 23:08.380
have a policy for the whole thing, but I, as an developer, have to inside, so I can say,

23:08.460 --> 23:13.500
at this point, I need this privilege, and at this other point, I don't need them, so I can be

23:13.500 --> 23:19.660
more granular, could be a super-nastrophic, of course, I mean, what do you have to have?

23:19.660 --> 23:23.100
I would have to stay up, stay up, I might run in these separate containers and have a container.

23:23.100 --> 23:27.500
Oh yeah, if you have a moody, Microsoft's singing, yeah, it boils down to the same.

23:27.500 --> 23:31.180
Yeah, but I see BPM power, if you get these close, so.

23:31.180 --> 23:34.460
Yeah, it boils to the same, it's another way to get there, definitely.

23:34.460 --> 23:38.060
Yeah, but I can guess if you run something like

23:38.060 --> 23:42.220
get here, what do you want to say, think something that doesn't run container, yeah, it's run.

23:42.220 --> 23:46.700
Yeah, so yeah, for bigger applications to split them up, because yeah, I look at some things I have

23:46.700 --> 23:50.860
to work with, and for so why are they able to do this, what kind of do it better, and yeah,

23:50.860 --> 23:54.460
so that's all I ended up there.