NAME
compartmentalization,
c18n —
library-based software
compartmentalization
DESCRIPTION
This document contains instructions for using the library-based compartmentalization (c18n) prototype.
To launch a dynamically-linked pure-capability application with library-based compartmentalization, use the special runtime linker located at /libexec/ld-elf-c18n.so.1. This can be done either explicitly, by invoking
/libexec/ld-elf-c18n.so.1
executableor implicitly, by setting the INTERP field of the program header of the target executable to the special linker's path. Said INTERP field can be inspected by invoking
readelf -l
executableand can be set during the linking phase of compilation, typically by supplying the following option
-Wl,--dynamic-linker=/libexec/ld-elf-c18n.so.1to the compiler. Alternatively, use the patchelf utility to directly modify the INTERP field of an executable, although it is reportedly unreliable at times.
Environment variables recognized by rtld(1) adopt the prefix LD_C18N_ when compartmentalization is enabled. For example, LD_LIBRARY_PATH becomes LD_C18N_LIBRARY_PATH.
Compartmentalization currently depends on modified versions of Standard C Library (libc, -lc) and 1:1 Threading Library (libthr, -lthr). These are located in /usr/lib/c18n. The modified runtime linker automatically searches from these paths first so that modified libraries are used.
COMPARTMENT TRANSITION TRACING
Compartment transitions can be traced with the ktrace(1) facility. To generate a trace, set the environment variable LD_C18N_UTRACE_COMPARTMENT and invoke the executable with ktrace(1).
CAUTION: Compartment transition tracing is only intended for debugging and analysis purposes. Turning it on will reduce security.
COMPARTMENT TRANSITION OVERHEAD SIMULATION
To simulate the overhead of making a system call during each compartment transition, set the environment variable LD_C18N_COMPARTMENT_OVERHEAD and invoke the executable. Each compartment transition will then make a getpid(2) system call.
CAUTION: Compartment transition overhead simulation is only intended for performance analysis purposes. Turning it on will reduce security.
BENCHMARK ABI VARIANT
A variant of the runtime linker that uses the benchmark ABI is provided at /libexec/ld-elf64cb-c18n.so.1. Environment variables recognized by this variant need to be prefixed with LD_64CB_C18N_.
NOTE: The current implementation is not fully optmized for performance, nor is it tested as extensively as the normal variant and may thus contain subtle bugs. Compartment transition tracing is unreliable under the benchmark ABI. Please report any bug to help improve the implementation.
LIMITATIONS
This work is of an experimental nature. The author has tested it on applications such as tmux(1), but instabilities might occur when running complex pieces of software.
Importantly, this prototype does not provide complete isolation between compartments. For example, they are allowed to make arbitrary system calls to obtain privileges.
Below is a list of known limitations and problems. For more up-to-date information, visit https://github.com/CTSRD-CHERI/cheripedia/wiki/Library-based-Compartmentalisation.
- Calling longjmp(3) in a signal handler does not work if the 1:1 Threading Library (libthr, -lthr) is not linked to the application. This happens in sh(1), for example. A workaround is to PRELOAD 1:1 Threading Library (libthr, -lthr).
- Stack unwinding is not expected to work. This includes C++ exceptions, stack tracing in debuggers, and usage of library “libunwind”.
- sigaltstack(2) does not work as expected. This impacts some applications that use an alternative stack to handle stack-overflow exceptions.
- getcontext(3), setcontext(3), and related functions do not work as expected. This impacts certain threading and coroutine libraries.
AUTHORS
Dapeng Gao <dapeng.gao@cl.cam.ac.uk>