menios
menios copied to clipboard
pbalduino
Implement capability-based security system for microkernel IPC
Goal
Implement a capability-based security system to control access to resources and services in a microkernel architecture.
Context
Capabilities provide fine-grained access control essential for microkernel security. Unlike traditional permission models, capabilities are unforgeable tokens that grant specific rights to specific resources.
Definition of Done
- Capability structure: Unforgeable capability tokens with type and permissions
- Capability transfer: Secure transfer of capabilities via IPC messages
- Capability validation: Fast validation of capability authenticity
- Capability revocation: Ability to revoke capabilities when needed
- Resource protection: All system resources protected by capabilities
- Capability inheritance: Controlled inheritance across process creation
- Capability storage: Secure per-process capability storage
- Delegation: Controlled capability delegation between processes
Capability Structure
struct capability {
uint64_t object_id; // Unique object identifier
uint32_t permissions; // Permission bits
uint32_t owner; // Owning process ID
uint64_t generation; // Anti-reuse generation number
uint64_t expiry; // Expiration timestamp
uint8_t signature[16]; // HMAC signature for authenticity
};
// Permission bits
#define CAP_READ 0x001
#define CAP_WRITE 0x002
#define CAP_EXECUTE 0x004
#define CAP_DELETE 0x008
#define CAP_GRANT 0x010 // Can grant to others
#define CAP_REVOKE 0x020 // Can revoke from others
Capability Types
// Object types
#define CAP_TYPE_FILE 1
#define CAP_TYPE_MEMORY 2
#define CAP_TYPE_DEVICE 3
#define CAP_TYPE_SERVICE 4
#define CAP_TYPE_PROCESS 5
#define CAP_TYPE_NETWORK 6
System Calls
// Capability management
capability_t create_capability(uint64_t object_id, uint32_t perms);
int grant_capability(pid_t process, capability_t cap);
int revoke_capability(capability_t cap);
int validate_capability(capability_t cap, uint32_t required_perms);
// Capability queries
int list_capabilities(capability_t *caps, size_t max_count);
int capability_info(capability_t cap, struct cap_info *info);
Implementation Details
Capability Storage
- Per-process capability table
- Hash table for fast lookup
- Reference counting for shared capabilities
- Secure storage protection
Capability Validation
bool validate_capability(struct capability *cap, uint32_t required_perms) {
// Check permissions
if ((cap->permissions & required_perms) != required_perms)
return false;
// Check expiration
if (cap->expiry && get_time() > cap->expiry)
return false;
// Verify signature
uint8_t computed_sig[16];
hmac_sha1(cap, sizeof(*cap) - 16, kernel_key, computed_sig);
return memcmp(cap->signature, computed_sig, 16) == 0;
}
Capability Transfer
- Secure transfer via IPC messages
- Capability delegation chains
- Controlled capability amplification
- Anti-confusion deputy protections
Resource Protection
- All kernel objects protected by capabilities
- Mandatory capability checks on access
- No ambient authority (except initial capabilities)
- Principle of least privilege enforcement
Testing Strategy
- Test capability creation and validation
- Test capability transfer via IPC
- Test permission enforcement
- Test capability revocation
- Test delegation chains
- Test anti-forgery protections
- Test performance of capability operations
Dependencies
- Message passing IPC: Issue #106 - Need IPC for capability transfer
- Cryptographic support: Need HMAC for capability signatures
- Process management: Need process identification for capability ownership
- Memory management: Need secure memory for capability storage
- Timer system: Issue #101 - Need timestamps for capability expiry
Integration Points
- Integrate with all system calls for access control
- Add capability checks to resource access
- Implement capability inheritance for process creation
- Support capability-based service discovery
Security Considerations
- Cryptographically secure capability signatures
- Protection against capability forgery
- Secure key management for HMAC
- Protection against time-of-check-time-of-use attacks
- Capability confinement and least privilege
Files to Create/Modify
- src/kernel/security/capability.c - Core capability implementation
- src/kernel/security/capability.h - Capability interface
- src/kernel/security/hmac.c - HMAC implementation for signatures
- include/security/capability.h - Userspace capability interface
Error Handling
- EPERM for insufficient capabilities
- EINVAL for malformed capabilities
- ENOENT for non-existent objects
- ETIMEDOUT for expired capabilities
- EACCES for revoked capabilities
Performance Considerations
- Fast capability validation (< 100 cycles)
- Efficient capability lookup structures
- Minimal memory overhead per capability
- Optimized HMAC computation
- Cache-friendly capability tables
Advanced Features
- Capability compression: Compact representation for common patterns
- Capability derivation: Derive restricted capabilities from broader ones
- Capability sets: Grouped capabilities for batch operations
- Capability domains: Hierarchical capability organization
- Audit logging: Security audit trail for capability operations
Usage Examples
// Create file capability
capability_t file_cap = create_capability(file_obj_id, CAP_READ | CAP_WRITE);
// Grant capability to another process
grant_capability(target_pid, file_cap);
// Validate capability before file operation
if (validate_capability(file_cap, CAP_READ)) {
// Proceed with file read
read_file(file_obj_id, buffer, size);
}
// Revoke capability
revoke_capability(file_cap);
Microkernel Integration
- File server: Capabilities for files and directories
- Device drivers: Capabilities for hardware devices
- Network server: Capabilities for network resources
- Memory manager: Capabilities for memory regions
- Process manager: Capabilities for process control
Related Issues
- Essential for microkernel security model
- Required for Issue #106 (message passing IPC)
- Foundation for secure server architecture
- Enables fine-grained access control
