Research Project

Process Isolation

  • Built the shim in Rust (clone_shim).

    • Wrote a quite nice to use wrapper for the clone3 syscall in (relatively) safe Rust (clone.rs).

    • Wrote the basis of specification, that should be extensible enough for future features (specification.rs).

      • Currently this reads only JSON specifications, but Rust’s serde library has support for a variety of binary formats to try later on.
    • Started tying things together. Currently on the running at startup launches work, but they do launch and it’s a strong basis to add more features from.

  • Built a Rust application to track subprocess creation (forktop).

    • Currently a bit of a proof of concept. ptrace gives me all of the events needed to track processes, but I need to flip the app design on its head to build a nice interface.
    • This was my first experience of writing Rust for this system call heavy code I’d been writing in C. It’s amazing how such similar code with nearly identical effects is so vastly more ergonomic, primarily due to the error handling.

Up Next

  • Get the shim to the level that it can run the existing C applications.

    • This requires support for networking.
      • I think this is going to need a distinction between compile time specifications and runtime specifications. Consider poking a port through, choosing this at runtime would be a configuration nightmare. Having a second specification or some env overrides would allow changing the port but maintaining security.
    • This requires support for filesystems.
      • This shouldn’t be too bad, but is going to involve me getting more tightly to grips with mount namespaces, something I still find quite confusing.
      • For now I’m focusing on static file support, e.g. bind mounting in /etc/dnsmasq.conf to /config, or $PWD to /, or / to /.
      • I’m considering dynamic bind support, but I’m struggling to convince myself that it can be completely secure, so will leave it for the moment.
    • Fully support namespaces so that the basic no privileges entrypoint is as deprivileged as possible. Worth reading up on how other solutions do this for each case.
    • Read up on effective capabilities. Although the shim binary will be super privileged, even a full set of privileges for an entrypoint should never exceed the launcher’s privileges.
  • Get a nice TUI for the forktop Proof of Concept.

    • Add a shell hotkey once the process tree is working. I want a hotkey that jumps into a process, forks and execs a shell, then returns that process to normal running. This is the best way at runtime to really test the permissions of a process dynamically.

Modules

Introduction to Systems Research

  • Read Xen (Barham et al., 2003), Container-based operating system virtualization (Soltesz et al., 2007), LightVM (Manco et al., 2017). Presented Xen.
  • Read ZooKeeper (Hunt et al., 2010), Raft (Ongaro and Ousterhout., 2014), and Chubby (Burrows, 2006). Reviewed ZooKeeper.
  • I’m not sure there were any huge takeaways for my project here, but certainly interesting reads.