CWRAP. Testing your full software stack. Andreas Schneider. February 2nd, Red Hat Inc. Samba Team

Similar documents
CptS 360 (System Programming) Unit 17: Network IPC (Sockets)

FreeIPA Cross Forest Trusts

UNIX Network Programming

Light & NOS. Dan Li Tsinghua University

Contents. Part 1. Introduction and TCP/IP 1. Foreword Preface. xix. I ntroduction 31

codius-sandbox Documentation

Programming with TCP/IP. Ram Dantu

LESSON PLAN. Sub. Code & Name : IT2351 & Network Programming and Management Unit : I Branch: IT Year : III Semester: VI.

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

How do we troubleshoot this? How does Esmeralda know how to fix this?

Expressiveness Benchmarking for System-Level Provenance

Sistemas Operativos /2016 Support Document N o 1. Files, Pipes, FIFOs, I/O Redirection, and Unix Sockets

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

Z/TPF TCP/IP SOCK Driver 12/14/10. z/tpf TCP/IP SOCKET Driver Users Guide. Copyright IBM Corp. 2010

CHETTINAD COLLEGE OF ENGINEERING AND TECHNOLOGY DEPARTMENT OF MCA QUESTION BANK UNIT 1

Linux OS Fundamentals for the SQL Admin. Anthony E. Nocentino

Interprocess Communication

Linux OS Fundamentals for the SQL Admin. Anthony E. Nocentino

HOW I LEARNED TO LOVE PERF AND SYSTEMTAP

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

MicroGrid User Guide. Concurrent Systems Architecture Group. University of California, San Diego

Proceedings of the 11 th USENIX Security Symposium

SMB3 Multi-Channel in Samba

NetCheck: Network Diagnoses from Blackbox Traces

Rootless Containers with runc. Aleksa Sarai Software Engineer

LINUX OS FUNDAMENTALS FOR THE SQL ADMIN

IKR SimLib-QEMU: TCP Simulations Integrating Virtual Machines

Overview. Last Lecture. This Lecture. Daemon processes and advanced I/O functions

A Client-Server Exchange

Socket Programming. CSIS0234A Computer and Communication Networks. Socket Programming in C

Network Implementation

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

VALLIAMMAI ENGINEERING COLLEGE. SRM Nagar, Kattankulathur QUESTION BANK

CS4700/CS5700 Fundamentals of Computer Networking

Client Server Computing

Motivation of VPN! Overview! VPN addressing and routing! Two basic techniques for VPN! ! How to guarantee privacy of network traffic?!

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

Operating System Modifications for User-Oriented Addressing Model

OS Containers. Michal Sekletár November 06, 2016

July 14, EPITA Systems/Security Laboratory (LSE) Code sandboxing. Alpha Abdoulaye - Pierre Marsais. Introduction. Solutions.

OpenVMS UNIX Application Portability Initiative

CS 351 Week 15. Course Review

Operating System Architecture. CS3026 Operating Systems Lecture 03

Lecture 8: Other IPC Mechanisms. CSC 469H1F Fall 2006 Angela Demke Brown

Topics. Lecture 8: Other IPC Mechanisms. Socket IPC. Unix Communication

FreeIPA - Control your identity

Engineering Robust Server Software

IPv6 Porting Applications

Network programming(ii) Lenuta Alboaie

Building blocks for Unix power tools

Practical Steps Implementing Red Hat Identity Management Solution David Sirrine Senior Technical Account Manager, Red Hat Jerel Gilmer SEC June 29,

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

Centreon SSH Connector Documentation

Outline. Option Types. Socket Options SWE 545. Socket Options. Out-of-Band Data. Advanced Socket. Many socket options are Boolean flags

History of FreeBSD. FreeBSD Kernel Facilities

PLAYING NICE WITH OTHERS: Samba HA with Pacemaker

NETWORK PROGRAMMING. Ipv4 and Ipv6 interoperability

Overview. Over the next four weeks, we will look at these topics: Building Blocks. Advanced Authentication Issues.

Ftp Command Line Manual Windows Username Password Linux

cs642 /operating system security computer security adam everspaugh

Assignment 2 Group 5 Simon Gerber Systems Group Dept. Computer Science ETH Zurich - Switzerland

Socket Programming for TCP and UDP

Operating System Kernels

Internet Security General Unix Security

IPv4 and ipv6 INTEROPERABILITY

Computer Networks SYLLABUS CHAPTER - 2 : NETWORK LAYER CHAPTER - 3 : INTERNETWORKING

LAB #7 Linux Tutorial

Capability and System Hardening

Flush Dns Settings Linux Redhat 5 Step Step

Cyber Security. General Unix Security

Network Virtualisation for Transparent Testing and Experimentation of Distributed Applications

Linux Kernel Application Interface

Secure Architecture Principles

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Session NM056. Programming TCP/IP with Sockets. Geoff Bryant Process software

Network programming(i) Lenuta Alboaie

EEC-484/584 Computer Networks

Programming Assignment 0

UNIX Sockets. Developed for the Azera Group By: Joseph D. Fournier B.Sc.E.E., M.Sc.E.E.

Linux authentication using the System Security Services Daemon (SSSD) explained

From Tiny Acorns Your first submission to OpenAFS. Simon Wilkinson

CS4514 (C04) HELP Session 1 Introduction to Network Programming (v1.3)

COMP/ELEC 429/556 Introduction to Computer Networks

Cross-realm trusts with FreeIPA v3

Variant-based Competitive Parallel Execution of Sequential Programs

Socket Programming(2/2)

Last time: introduction. Networks and Operating Systems ( ) Chapter 2: Processes. This time. General OS structure. The kernel is a program!

Programming Assignment 1 (30 pts) A Client Dynamically Accessing Servers Using the Net Oracle

FreeBSD Jails vs. Solaris Zones

SOCKET. Valerio Di Valerio

Basic Concepts & OS History

Thesis, antithesis, synthesis

Scheduler Activations. Including some slides modified from Raymond Namyst, U. Bordeaux

A set of processes distributed over a network that communicate via messages. Processes communicate via services offered by the operating system

CS 326: Operating Systems. Networking. Lecture 17

2/12/2013. System Call Tracing WHAT S THAT PROGRAM DOING?

The System Security Services Daemon (SSSD) explained

Transcription:

CWRAP Testing your full software stack February 2nd, 2014 Andreas Schneider Red Hat Inc. Samba Team

Who am I?

. ABOUT ME I'm a Free Software developer working on: Samba - The domain controller and file server FreeIPA - An integrated security information management solution for Linux libssh - The SSH Library cmocka - a unit testing framework for C csync - a bidirectional client-only file synchronizer Twitter: @cryptomilk Blog: http://blog.cryptomilk.org/ Git: http://git.cryptomilk.org/ 3

Do you remember this?

.

.

.

.

.

.

. TEST YOUR CODE

. SEGFAULT

WHAT IS THIS TALK ABOUT?

. TETRIS? Is this about Tetris? 14

. SAMBA? Is this about Tetris? Is this about Samba? 15

. THIS IS ABOUT CWRAP Is this about Tetris? (Is this about Samba?) This is about new project called cwrap 16

WHY DO YOU NEED CWRAP?

. WHAT DOES IT TRY TO SOLVE? Let's assume you have a client and a server application, which requires Unix accounts, and it requires a user change once logged in. 18

. WHAT DOES IT TRY TO SOLVE? Example: You want to test a SSH client/server. 19

. WHAT DOES IT TRY TO SOLVE? What are the issues testing it? Server requires to run on a privileged port. You need a network with several machines for several servers. A you need the same user accounts on each machine. You need to be root to switch users. 20

. WHAT DO WE TRY TO SOLVE? You want to be able to test: Everything on one machine. Run everything as a normal user. Run everything without network interfaces. To just call 'make test'. 21

WHAT IS CWRAP?

. WHAT IS CWRAP? cwrap is.. a set of tools to create a fully isolated network environment to test client/server components on a single host, complete with synthetic account information, hostname resolution and privilege separation support. The heart of cwrap consists of three libraries you can preload to any executable. 23

. WHAT IS PRELOADING? Preloading is a feature of the dynamic linker. It is available on most Unices. It loads a user specified, shared library before all others. The library to preload is defined by the environment variable LD_PRELOAD=libwurst.so. The symbols of the preloaded library are bound first. See man ld.so 24

. SYMBOL BINDING Your application uses a function from a library. 1. Linker first looks if the application provides it. 2. Preloaded libraries are searched in the given order. LD_PRELOAD=libwurst.so:libbrot.so). 3. Libraries in linking order are searched (see ldd /path/to/your/application). Trace with: LD_DEBUG=symbols ls 25

. SYMBOL BINDING Your application uses the function open(2). 1. Your application doesn't provide it. 2. LD_PRELOAD=libcwrap.so provides open(2). 3. Linked libc.so provides open(2). The open(2) symbol from libcwrap.so gets bound! 26

. THE PRELOADABLE LIBRARIES OF CWRAP cwrap provides three libraries you can preload: socket_wrapper Fakes socket communication nss_wrapper Fakes nsswitch calls uid_wrapper Fakes privilege separation 27

THE WRAPPERS IN DETAIL

. SOCKET_WRAPPER When preloaded and enabled: Redirects all network communication to happen over Unix sockets. Support for IPv4 and IPv6 socket and addressing emulation. Ablility to capture network traffic in pcap format. The idea and the first incarnation of socket_wrapper has been written by Jelmer Vernooij in 2005. It made it possible to run the Samba torture suite against smbd in 'make test'. 29

. SOCKET_WRAPPER It wraps nearly all libc function responsible for socket communication. socket(2), setsockopt(2), getsockopt(2) bind(2), listen(2), accept(2) write(2), read(2), writev(2), readv(2) send(2), recv(2), sendto(2), recvfrom(2), sendmsg(2), recvmsg(2) close(2)... 30

. SOCKET_WRAPPER TODO TODO or IN_PROGRESS IP_PKTINFO support for recvmsg() (IN_PROGRESS). Support for fd-passing in sendmsg()/recvmsg(). More tests. 31

SOCKET_WRAPPER DEMO

. NSS_WRAPPER When preloaded and enabled: Provides account information for users and groups. Can do network name resolution using a hosts file. Allows loading and testing of NSS modules. 33

. NSS_WRAPPER It wraps most nsswitch functions. getpwnam(3), getpwnam_r(3), getpwuid(3), getpwuid_r(3) getgrnam(3), getgrnam_r(3), getgrgid(3), getgrgid_r(3) initgroups(3) getaddrinfo(3), getnameinfo(3) gethostbyname(3), gethostbyname_r(3), gethostbyaddr(3), gethostbyaddr_r(3) gethostname(3)... 34

. NSS_WRAPPER TODO Support for hosts nsswitch modules. 35

NSS_WRAPPER DEMO

. UID_WRAPPER When preloaded and enabled: Allows uid switching as a normal user. You can start any application making it believe it is running as root. Support for user/group changing in the local thread using the syscalls (like glibc). uid_wrapper has been completely rewritten to support the last two features. 37

. UID_WRAPPER It wraps most user switching functions setuid(2), seteuid(2), setreuid(2), setresuid(2) getuid(2), geteuid(2) setgid(2), setegid(2), setregid(2), setresgid(2) getgid(2), getegid(2) setgroups(2), getgroups(2)... 38

UID_WRAPPER DEMO

. HOW ARE THE WRAPPERS TESTED? The wrappers are all tested using cmocka, a unit testing framwork for C with support for mock objects (http://cmocka.org). You can simply test them using 'make test'. All wrappers have a code coverage above 75%. There are nightly build of the master branch. Testing Dashboard: http://mock.cryptomilk.org 40

. SUPPORTED PLATFORMS Linux (opensuse, CentOS) BSD (FreeBSD) Solaris (OpenIndiana) If you want a platform supported, create a nightly build and submit results to the dashboard. 41

. WHO USES CWRAP? Samba (Doesn't use the preloaded version yet) MIT KRB5 (Work in progress by Nalin Dahyabhai) libssh (Test libssh against OpenSSH, I'm working on it) SSSD (Jakub Hrozek wants to use in SSSD) 42

. LINKS Website: http://cwrap.org/ Mailinglist: https://lists.samba.org/mailman/listinfo/samba-technical IRC: #cwrap @ freenode 43

Questions & Answers http://cwrap.org/ http://cmocka.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback