What is Wedge?

Wedge allows fine-grained partitioning of applications on Linux. It consists of two parts: sthreads and Crowbar. With our sthread API, one can create compartments and assign memory and file descriptor permissions to each. Should one wish to introduce compartments in existing legacy applications, our Crowbar tools help determine what memory permissions each compartment needs; a task that would otherwise be very tedious if done manually.

What do sthreads look like?

Here is a sample sthread application. It illustrates how sthreads are prevented from accessing data (e.g. the password) by default, and how exploiting sthreads is harmless if they run with low privilege.
void* sthread(void* arg)
	char buf[1024];

	/* who cares about exploits here!  Even if exploited, the attacker can't
	 * read password, write to stdout, invoke dangerous syscalls (prevented
	 * by SELinux policy), etc.  He can only do what we allowed in the
	 * policy: 1) read arg 2) read stdin.
	while (gets(buf)); 

int real_main(int argc, char *argv[], char *envp[])
	char* password = "sthreads have default-deny permissions, so children \
	                  won't see this buffer unless explicitly granted";
	sc_t policy;
	tag_t label    = tag_new(TAG_LPT);
	char* arg      = smalloc(1000, label);

	strcpy(arg, "arg is labelled so it can be shared (named in a \
		     policy) and children may see it");

	/* prepare the policy for an sthread */
	sc_fd_add(&policy, 0, PROT_READ); /* allow it to read stdin */
	sc_mem_add(&policy, label, PROT_READ); /* grant read to argument */

	/* Attach an SELinux policy that denies all syscalls except for reading
	 * from stdin
	sc_sel_context(&policy, "nobody:nobody_r:only_read_stdin_t");

	/* launch sthread to do dangerous business (e.g. user input parsing) */
	lpthread_create_join(&policy, sthread, arg, NULL);

int main(int argc, char *argv[], char *envp[])
        smain(real_main, argc, argv, envp);

What does Crowbar look like?

What if we want to isolate in an sthread a function (e.g. the client handler) of an existing application? We would need to know all the memory it needs access to, so that we can grant it in the policy, and determine where the memory was allocated, so that we can label it. If a function accesses many memory objects, it could take quite some effort to obtain the necessary information from the code. Crowbar instead readily gives us this information, and here is its output from OpenSSH's client handler:
R  main:sshd.c:742,xmalloc:xmalloc.c:23
R  debug_flag
R  log_level
R  log_on_stderr
RW options
RW rc4_ready
R  sensitive_data
R  startup_pipe
We now know which globals need read acces (e.g. startup_pipe), which read/write (e.g. options) and which mallocs need to be converted to smalloc (e.g. line 742 in sshd.c). We can therefore create an sthread for this function with the permissions it needs.

Installing Wedge

To install sthreads:
  1. Download Wedge: wedge-0.1.tgz (136KB).
  2. Patch the Linux 2.6.19 kernel with our diff, and compile our kernel module.
  3. Compile our userspace Wedge library (libs).
  4. Compile our tests and check whether they pass.
To install and use Crowbar:
  1. Download Pin. We used pin-2.3-16358-gcc.4.0.0-ia32.
  2. Compile crowbar.
  3. Launch pind and cblog to obtain a trace for the application at hand.
  4. Resolve EIPs in the log file to function/file names using lineconv.
  5. Use post to query the log for information.
We also ported OpenSSH 3.1p1 and Apache 1.3.19 with OpenSSL 0.9.6 to Wedge. Patches are included in the tarball should you wish to try them out.

The README file in the tarball contains more details on compiling and using Wedge.

SVN and mailing lists

You can obtain the latest version of our code using SVN:
svn co https://frostie.cs.ucl.ac.uk/repos/wedge/trunk wedge
You can browse our repository here. A wiki and defect tracking system can be found here.

General queries can be sent to the wedge-users@cs.ucl.ac.uk mailing list. Development discussions are held at wedge-dev@cs.ucl.ac.uk. Here are the subscription instructions and Web archives for wedge-users and wedge-dev.


[1] A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: Splitting Applications into Reduced-Privilege Compartments. In NSDI, 2008. (pdf) (html) (bib). Talk slides (pdf).