pyroniasys / libpyronia
Library for Pyronia function-granular privilege separation in language runtimes
License: Apache License 2.0
Need clear documentation on how to use the API:
Many applications and their dependencies spawn child processes for additional functionality. To provide seamless access control across such an execution boundary, the child processes should run inside a Pyronia sandbox. Two types of subprocesses are supported: Python and native executables.
API to implement:
spawn_in_sandbox(library, command, is_python)
: Query the kernel for the permissions of the library, generate a sandbox policy with the library permissions and subprocess type from a policy template, load the policy into the kernel, and exec the command.
The stack tracer thread is a means to ensure that the interpreter does not lie about the call stack, but a malicious library could still tamper with the callstack before the SI thread collects the information to send back to the LSM.
Questions that need to be answered to solve this problem:
Corresponds to pyronia-lsm/#3
To protect data flows within an application end-to-end (from source to sink), we need to create library function sandboxes for those functions that need to operate on sensitive in-memory data objects. To implement this feature, we leverage the existing memory domain mechanism to place sensitive data objects into memory domains. Then in the interpreter, whenever it's about to execute a sandboxed function, it adjusts the access privileges to the appropriate memory domains before entering the sandbox.
Per our design document, the Python interpreter will allocate any security critical state (internal interpreter state and stack frames) into a separate memory domain interpreter_dom, and revoke the main thread's access to interpreter_dom, unless the interpreter is allocating new stack frames or editing internal state.
API to implement:
memdom_priv_add() from libsmv
memdom_priv_del() from libsmv
Whenever an application spawns a child process, starts a new thread, or handles operations asynchronously, the function call context of the parent process is lost for system calls. Therefore, the language runtime must have a way to preserve the calling context of the parent by attaching the context to the child process, thread or asynchronous operation. This will then enable the kernel to make access control decisions with sufficient context.
API to implement:
There are several execution scenarios in which the callstack context is lost due to "segmented" execution (subprocess exec, new thread, asynchronous function call). In these scenarios, the runtime saves the callstack proactively by sending it to the LSM so that the kernel may use the saved callstack as well as the newly collected callstack (if applicable) to make its access control decision.
Corresponds to pyronia-lsm/#4
API to implement:
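The segmented-execution problem above, as an added illustration in plain Python rather than libpyronia's own code: the spawning thread's callstack is saved when a new thread is created and prepended to the callstack collected inside that thread, so a check in the thread still sees which parent function started the work. The frame encoding, `ContextThread` and the "saved + current" concatenation rule are assumptions for this example; the design described above sends the saved callstack to the LSM rather than keeping it on a thread object.

```python
# Added illustration, not libpyronia code: carry the spawning thread's
# callstack across a thread boundary so a later check sees parent frames
# followed by the child's own. Frame encoding and the "saved + current"
# rule are assumptions; the real design hands the saved stack to the LSM.
import threading
import traceback
from typing import List, Tuple

Frame = Tuple[str, str]  # (filename, function name), an assumed encoding

def collect_callstack(skip: int = 1) -> List[Frame]:
    """Current thread's Python callstack, outermost first; `skip` drops the
    innermost frames (at least this helper's own)."""
    return [(f.filename, f.name) for f in traceback.extract_stack()[:-skip]]

class ContextThread(threading.Thread):
    """Thread that proactively saves the callstack of whoever created it,
    since the new thread's own stack starts fresh at its bootstrap frames."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # skip=2 drops collect_callstack and this __init__ from the snapshot
        self.saved_frames: List[Frame] = collect_callstack(skip=2)

def effective_callstack(thread: threading.Thread) -> List[Frame]:
    """Context an access-control decision would use: the saved parent frames
    (empty for a plain Thread) followed by the frames in the current thread."""
    saved = getattr(thread, "saved_frames", [])
    return saved + collect_callstack(skip=2)  # drop helper + this function

def demo() -> Tuple[List[str], List[str]]:
    """Run one sink under a plain Thread and under a ContextThread; return the
    function names each sees, showing the context a plain thread loses."""
    seen = {}

    def sensitive_sink(label):
        seen[label] = [name for _, name in
                       effective_callstack(threading.current_thread())]

    def parent_operation(label, thread_cls):
        t = thread_cls(target=sensitive_sink, args=(label,))
        t.start()
        t.join()

    parent_operation("plain", threading.Thread)
    parent_operation("context", ContextThread)
    return seen["plain"], seen["context"]

if __name__ == "__main__":
    plain, ctx = demo()
    print("plain thread sees:", plain)
    print("context thread sees:", ctx)
```

For a subprocess exec the saved frames would additionally have to be serialized and handed over at spawn time; this example only covers the thread case.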
The Pyronia kernel module communicates with userspace via a Netlink socket (see pyroniasys/pyronia-linux#8).
API to implement:
Moved from pyronia-lsm/#7
Some language features are considered dangerous in the context of library-level MAC, and should no longer be supported by the language.
Isolating each native extension into a separate memory domain protects its internal states against other potentially malicious native extensions running in the same address space.
To implement this, the language runtime must allocate each native extension into a separate domain at import time, and run native extension functions in separate SMVthreads. Since native extensions and their dependencies are most commonly dynamically loaded, the import system must instead create separate copies of each shared library and load them as part of the extension's memory domain, to guarantee full isolation of native extensions.
API to implement: