Built three privilege separated test applications.
Wrote a privilege separated fib implementation (fib_priv_sep.c).
- Pretty basic separation as the program is trivial. In the later cp example I did privilege separate the arguments, but I didn’t for the purpose of fib.
- Starting to build up a structure. The files are structured to have a
mainimplementation reminiscent of the eventual shim, while the functions like
real_mainwould come from the eventual binary.
Wrote a privilege separated echo implementation (echo_priv_sep.c).
- This brings in some of the more advanced ideas like IPC. Currently I’m using pipes to pass the fds between processes.
- Another advanced idea in this program is the idea that the shim will need to spin up long running “broker” processes. Proper process separation in the echo application requires the ability to spin up new processes on demand. This application shows how that can be done.
- A well-privileged cloned process is spun up, and a pipe created to that for carrying arguments to the unprivileged process.
- This process uses its privilege to spin up new processes for each child request (in this case, per TCP flow).
CLONE_FSto keep the file descriptor tables synced in certain circumstances but not others. Still shares some fds that it could not though (due to copy-on-write).
Wrote a privilege separated cp implementation (cp_priv_sep.c).
- The cp implementation mainly focuses on separating out the argument processing, something not done in either of the others. This isn’t particularly well suited to C, as it’s non-trivial to serialize and deserialize things into pipes. Another alternative is sharing virtual memory down and then working from there. For now, I’m sharing a struct with a couple ofpointers.
I think the best goal is to try and turn these C samples into something more general. There are three main parts so far:
- Multiple entry-points in different processes with different clone specs.
- Broker processes to spawn more later on.
For now, I think the most useful thing will be a shim which takes an external spec. The final goal is to pull this from the ELF and incorporate it in the binary, but for now something simple like JSON would be easier to work with.
Introduction to Systems Research
- Read Exokernel (Engler et al., 1995), Multikernel (Baumann et al., 2009) and Unikernel (Madhavapeddy et al., 2013). Reviewed Multikernel.
- Some interesting ideas, and a particular theme was that all of the authors appear to think that users of operating systems think like systems programmers. Something to be aware of in this project too!