WEBVTT 00:00.000 --> 00:14.000 Hello everyone, again, our first talk in our security track is about sandboxing. 00:14.000 --> 00:19.000 We are going now to sandbox our goal modules and that sounds super interesting, so I invited 00:19.000 --> 00:25.000 the security stage who will talk us the all-in-mitty gritty, how we can sandbox our goal libraries. 00:25.000 --> 00:38.000 Thank you, I'm Artichiro Saffron, and today I talk about Komu J, which provides 00:38.000 --> 00:49.000 library sandboxing for goal modules. 00:49.000 --> 01:01.000 We have a bunch of libraries everywhere on the internet, so we can find an enormous number of 01:01.000 --> 01:11.000 big goal modules, and they have very profitable contents, and they have a very profitable number of 01:12.000 --> 01:18.000 interesting tools, but they contain marshes course, so there's a very high chance that you accidentally pull such 01:18.000 --> 01:28.000 marshes goal modules. So goal modules put untrusted goal modules into the jail, and goal 01:28.000 --> 01:36.000 modules can be applied in a very simple two steps. So the first step is to just comment, 01:36.000 --> 01:41.000 directly comment, a slush rush, go into the jail, call on confide, to go to the 01:41.000 --> 02:06.000 goal module, and run the program with Komu J. So let me show my demo. So here is some example 02:06.000 --> 02:21.000 program, so this is expected to print 42 plus 43, it's 85, there is a p.at function, but this 02:21.000 --> 02:31.000 option is from an example stress point in the module, so if you run a program, this actually 02:32.000 --> 03:00.000 executes marshes code, so just go built, so it's poisoned, so in this example 42 plus 43, it doesn't 03:00.000 --> 03:09.000 work with 85, but it opens. So this is an example of an operation code execution, so this 03:09.000 --> 03:14.000 example is, of course, a harvest because it's just a play I commands, but supports that this 03:14.000 --> 03:23.000 option. So this could be, whatever else, such as mining, Bitcoin, or maybe it's 03:23.000 --> 03:37.000 run from here, maybe. So because Poison the goal, that's not just to express why it's content 03:37.000 --> 03:57.000 much as commands with exec.comand, so let's apply Komu J to this, so in dot-to-go, go to 03:57.000 --> 04:26.000 mode, or we have a comment like Komu J confines, and then the program, please. 04:26.000 --> 04:37.000 So it's now 42 plus 43, 85, because Komu J Brooks is a Cisco, that's it's exactly 04:37.000 --> 04:47.000 we, so now the command execution is booked, and so let's go back to the presentation. So 04:47.000 --> 04:55.000 it may talk about the back wound, so the operation source is under a very severe attack, and so 04:55.000 --> 05:00.000 now this is practically impossible to write software without the running or server-party 05:00.000 --> 05:08.000 libraries, so for example, in the case of Toka CRI, there are 100 dependencies, and the demo has 05:08.000 --> 05:15.000 a more than 200 dependencies, and the situation is very similar in the case of tuberculosis 05:15.000 --> 05:26.000 as well, and our batch actors have been trying to inject malicious codes into those dependencies. 05:26.000 --> 05:35.000 And of course, it's not specific to go, so one of our recent notorious example was 05:35.000 --> 05:47.000 the popular incident such happens to XZ and LBZ in 2024, so this was a popular injected 05:47.000 --> 05:57.000 to LBZ in a library by a maintainer project, so in this case, the culprit had been 05:57.000 --> 06:05.000 making harmless contributions for more than two years, so it's a range that just, like, 06:05.000 --> 06:13.000 a good person, but they suddenly injected the back drawer and just created out from the 06:13.000 --> 06:23.000 community, so this example indicates that even widely adopted libraries can be compromised, 06:23.000 --> 06:31.000 and unfortunately, even the project manager cannot be just trusted, so you can just 06:31.000 --> 06:39.000 take a signature of a recent artifact, but when they are mentioned, the same steps are 06:39.000 --> 06:46.000 but actors, we can't just trust the signature, so this case was not about go, but 06:46.000 --> 06:55.000 as Mira attack could happen with go modules, and maybe we already have some malicious 06:55.000 --> 07:08.000 go modules, but we can't know that. And actually, last year, there were hundreds of fake 07:08.000 --> 07:16.000 go modules, were published on GitHub, and those repositories look the genuine, but a content 07:16.000 --> 07:24.000 malicious code, such as WGET Pipe Bash, and for some reports, the numbers of the 07:24.000 --> 07:31.000 GitHub serves even exceeded those of the genuine reports, because the attackers used 07:31.000 --> 07:37.000 both accounts to infiltrate the number of the GitHub serves, so we can't just trust the number of 07:37.000 --> 07:46.000 the GitHub serves, and most of those reports seem now a bunch from GitHub, but some of them are 07:46.000 --> 08:03.000 still alive on GitHub, so here's a search result, so for example, you can find a 08:03.000 --> 08:18.000 more than 60 reports, that matches this search, so I can't show an exact code, but this 08:18.000 --> 08:27.000 repo looks like a genuine one, but they contain malicious codes that substitutes Bash 08:27.000 --> 08:40.000 and WGET, and there's also a campaign of subscriting, so people are now using AI coding 08:40.000 --> 08:47.000 agents, such as codes, to produce the codes, but AI coding agents may hesitate to inject 08:47.000 --> 08:54.000 malicious dependency with multiple participants names, so this is an example person, but 08:54.000 --> 09:02.000 some AI has seen it that they use a library name, a secure host name, a secure host 09:02.000 --> 09:10.000 name, a secure host name, but this library doesn't exist, so I think I could publish 09:10.000 --> 09:18.000 a library with this very plausible participant, and even when it's a safe 09:18.000 --> 09:24.000 agent, it's safe, doesn't have a niche, it can be still deceived by the fake sites on the 09:24.000 --> 09:31.000 internet, or views with such tools of the AI agent, so some sites are just AI subs, they are just 09:31.000 --> 09:44.000 wrong, and some sites are actually published with a malicious intent, so here's some example 09:44.000 --> 09:52.000 of AI subs on the internet, so this says that a cube on this is a 2.0 private rate exist, 09:52.000 --> 09:59.000 and they say that a cube on this 2.0 represents a YAMO with a Python code, but it's just a 09:59.000 --> 10:06.000 fake news, this is a fake news, but it's just very plausible to those who don't know 10:06.000 --> 10:11.000 that a cube on this is actually an open source project, so there's no private beta, and 10:11.000 --> 10:16.000 there's no plan to have a cube on this 2.0, but this is a fake news that is 10:16.000 --> 10:24.000 plausible, and this fake news article contains an installation script of a cube on 10:24.000 --> 10:33.000 this 2.0 private beta, it doesn't exist, but it looked genuine to those who are new to 10:33.000 --> 10:43.000 this, and here's a much worse example, so this is a screenshot of Microsoft 10:43.000 --> 10:52.000 Kupai Road, and a user asked how to download a 7-zip for Windows 11, and the Kupai Road 10:52.000 --> 11:01.000 returned to this answer, so this is a 7-zip publisher, download page, is a 7-zip.com, 11:01.000 --> 11:08.000 but this site is a fake, and contains a malicious code, so 7-zip.com is fake, 11:08.000 --> 11:16.000 the real site is 7-zip.org, but Kupai Road was deceived by some malicious 11:16.000 --> 11:23.000 such results on the internet, so this is not about to go, but the same story could happen 11:23.000 --> 11:32.000 with GoMogers, so some erycoding agents may just download malicious GoMogers from 11:32.000 --> 11:38.000 GitHub and to inject that to your program potentially. 11:38.000 --> 11:46.000 So we have to review all's dependencies, so everybody knows that we have to review all 11:46.000 --> 11:53.000 the dependencies, but it's very questionable, who can actually review all's in, so 11:53.000 --> 12:01.000 we have so many dependencies, so it's not very sticky to review all's the codes. 12:01.000 --> 12:08.000 So, right now, some of the books make this program, it's a jump of a technology to 12:08.000 --> 12:13.000 confine capabilities of a library, so it's similar to the content such as the content 12:13.000 --> 12:20.000 of free BSDJ, but the granularity is different, so the jump of content for processes 12:20.000 --> 12:23.000 while library sandboxing for libraries. 12:23.000 --> 12:32.000 Here, there are several designs of library sandboxing, such as Linux, CECOMP, or WebAssembly, 12:32.000 --> 12:41.000 or it's also possible to have compilation time solution. 12:41.000 --> 12:44.000 And here's an example of similar work in the past. 12:44.000 --> 12:48.000 It's a Google sandbox API. 12:48.000 --> 12:58.000 It works CECOMP and name species, so it's very similar to Jocca containers. 12:58.000 --> 13:06.000 And in this model, a function core and a colleague are extracted in separate processes 13:06.000 --> 13:15.000 that communicate with each other via IPC, but adoption of this model doesn't seem 13:15.000 --> 13:21.000 straightforward, because if you request massively modifying the source course and build scripts 13:21.000 --> 13:27.000 so that the function core and the function core can communicate with each other via IPC. 13:27.000 --> 13:37.000 So, as far as I can see, this is not widely adopted outside Google products. 13:37.000 --> 13:44.000 And next example is our red box, which wraps the library course using WebAssembly, 13:44.000 --> 13:55.000 and it's already adopted in Mozilla FireFox in 2021, and it's used the full sandboxing of libraries 13:55.000 --> 14:01.000 related to graphics, music, and font libraries. 14:01.000 --> 14:07.000 But an adoption of our red box doesn't seem straightforward either. 14:07.000 --> 14:14.000 So, this is that on average, sandboxing a library takes only a few days. 14:14.000 --> 14:19.000 So, it takes multiple days, and that's just a few minutes. 14:19.000 --> 14:26.000 So, it doesn't seem widely adopted outside FireFox. 14:26.000 --> 14:32.000 And next example, it's isolated via, which wraps not only the library course, 14:32.000 --> 14:39.000 using a multiple instances of a BH engine, which is a JavaScript virtual machine, 14:39.000 --> 14:44.000 and it's always adopted by several companies products. 14:44.000 --> 14:48.000 So, adoption is relatively wide in the community of Node.js, 14:48.000 --> 14:51.000 but it's not very easy to get started. 14:51.000 --> 14:58.000 So, because you have to expose several functions for the host of the JavaScript virtual machine, 14:58.000 --> 15:07.000 into the isolated instance of the BH engine. 15:07.000 --> 15:12.000 And in existing or go, there is a depth guard. 15:12.000 --> 15:17.000 It's not a reverse sandbox, but somewhat similar. 15:17.000 --> 15:23.000 It's a linear to enforce a row list or denatist of go modules, 15:23.000 --> 15:27.000 and it's already a wide array adopted to be a Go-AnxCI link. 15:27.000 --> 15:29.000 But this is too strict. 15:29.000 --> 15:36.000 So, there's no way to arrow a module with limited capabilities. 15:36.000 --> 15:42.000 And there's also a very similar project, which is called Go-AnxCI, 15:42.000 --> 15:47.000 but this is not different from my project Go-AnxCI. 15:47.000 --> 15:53.000 So, the similarity of name is just by coincidence. 15:53.000 --> 15:59.000 So, the Go-AnxCI project is to make it easy to get started. 15:59.000 --> 16:06.000 So, no modification to the source code, and later modification to the build script. 16:06.000 --> 16:15.000 And cabbage may apply as a thread of simplicity. 16:15.000 --> 16:20.000 So, under this principle, I designed the Go-AnxCI. 16:20.000 --> 16:24.000 So, it focuses on simplicity and applicable in just two steps. 16:24.000 --> 16:29.000 So, just Go-AnxCI confined comment. 16:29.000 --> 16:37.000 And then run target program is Go-AnxCI run. 16:37.000 --> 16:40.000 So, how it works? 16:40.000 --> 16:45.000 So, it freaks several dangerous system course, 16:45.000 --> 16:51.000 such as five operational systems that open and create. 16:51.000 --> 16:59.000 And for process course, it freaks exactly a or project spawn on the case of macOS. 16:59.000 --> 17:05.000 And it also freaks network system course, such as connect and listen. 17:05.000 --> 17:15.000 And Go-AnxCI unwinds the course that to identify the Go function that involves the Cisco. 17:15.000 --> 17:22.000 So, in the F binary, there is a section called Go-T-C in top. 17:22.000 --> 17:25.000 So, this section contains symbols. 17:25.000 --> 17:29.000 It blends binary is stripped in the case of the goal. 17:29.000 --> 17:40.000 And if the function belongs to module is a confined list, Go-AnxCI blocks the system core. 17:40.000 --> 17:42.000 So, this is how it works. 17:42.000 --> 17:51.000 So, Go-AnxCI observes some exactly a Cisco using something a weird binary. 17:51.000 --> 18:01.000 And Go-AnxCI unwinds the course that to identify the function that course it is minus a Cisco. 18:01.000 --> 18:15.000 And Go-AnxCI observes the module is confined by checking this Go-AnxCI commands. 18:15.000 --> 18:26.000 And Go-AnxCI injects a number of e-prom to block this xb system core. 18:26.000 --> 18:34.000 And current range, Go-AnxCI supports Linux and the Dowing for AMD 64 and ARM 64. 18:34.000 --> 18:43.000 But in the case of a Dowing AMD 64, Jerry's Inter Mac, there is no support for stripped binary. 18:43.000 --> 18:51.000 But for ARM Mac, there is support for stripped binary, that's where. 18:51.000 --> 18:55.000 And she is a deep dive into its implementation. 18:55.000 --> 19:04.000 So, for Linux, the second red dress is used to focus the system course. 19:04.000 --> 19:10.000 And the P2S, P2Dator is used to unwind the course stack. 19:10.000 --> 19:20.000 So, I don't use a second user-notif, which is similar to the second red dress, because in the case of the second user-notif, 19:20.000 --> 19:24.000 it's a frame-point information. 19:24.000 --> 19:28.000 So, I had to use it as a second red dress. 19:28.000 --> 19:32.000 And, I didn't use Randerok. 19:32.000 --> 19:43.000 It's a modern feature of the Linux kernel to controls the capability of file and network system course. 19:43.000 --> 20:02.000 But Randerok is not used here, because there is no way to associate goal modules with specific Linux suites to be controlled via Dandruk. 20:02.000 --> 20:10.000 And, in the case of Mac OS, Go-AnxCI uses the insert library to focus the scores. 20:10.000 --> 20:15.000 So, this is a quiet balance of everyday pre-loads on Linux. 20:15.000 --> 20:20.000 But the story is different in the case of Mac OS. 20:20.000 --> 20:37.000 So, there is no need to support static binary on Mac OS, because in the case of Mac OS, the system course always invoked the system, which is equivalent of TPC. 20:37.000 --> 20:44.000 And, if you call it a general foot-downing.dip, that is the insolent-peer library, 20:44.000 --> 20:52.000 unwinds the core stack using a di-rd-a-kitch image to address thread function. 20:52.000 --> 21:06.000 And, unlike Linux, unwindings core stack is quite complicated, because in the case of Mac OS, the core stack switches when calling the system. 21:06.000 --> 21:14.000 So, it stresses the structure G that represents the current goal routine. 21:14.000 --> 21:33.000 And, it passes the member of the structure G to fetch m.dip core SP and m.dip core PC to align core stack for system course. 21:34.000 --> 21:41.000 And, this is quite complicated. So, how to fix the pointers of the structure G. 21:41.000 --> 21:47.000 So, we have to fix the value of the runtime.dip variable. 21:47.000 --> 21:55.000 And, then, with TSTR register, and we can compute the address of the structure G. 21:55.000 --> 22:02.000 And, for fixing the value of the runtime, the TSTR is very complicated. 22:02.000 --> 22:06.000 So, in the case of the binary, that is not stripped. 22:06.000 --> 22:10.000 We can just fix the symbols of the global variables. 22:10.000 --> 22:14.000 The goal-themed tab section. 22:14.000 --> 22:21.000 But, in the case of the strip binary, we don't have symbols of the global variables. 22:21.000 --> 22:29.000 But, we still have symbols of global functions in goal PC and tab section. 22:29.000 --> 22:35.000 So, we can just find the pointer to the runtime.dip function. 22:35.000 --> 22:37.000 And, just call this function. 22:37.000 --> 22:40.000 So, this is the border function. 22:40.000 --> 22:44.000 So, there is a no return value. 22:44.000 --> 22:54.000 But, when calling runtime.dip, the value of the runtime to TSTR is a Dict. 22:54.000 --> 22:58.000 And, to temporary, register X to 7. 22:58.000 --> 23:05.000 So, we can just fix the pointer to the structure G in this way. 23:05.000 --> 23:08.000 But, this is quite complicated. 23:08.000 --> 23:10.000 And, she is a benchmark reserved. 23:10.000 --> 23:16.000 So, in the case of the benchmark, or what hit was about 4%. 23:16.000 --> 23:23.000 And, also, in the case of macOS, the robot hit was about 9%. 23:23.000 --> 23:30.000 So, there is still room to improve the performance. 23:30.000 --> 23:34.000 And, the robot share comes with lots of caveats. 23:34.000 --> 23:41.000 So, it is not applicable to a goal binary built by known trust versus sad property. 23:41.000 --> 23:45.000 Because, the symbol information might be fake. 23:45.000 --> 23:51.000 And, there is no isolation of file descriptors across modules. 23:51.000 --> 23:57.000 So, a confined module can still read or write an existing file descriptor. 23:57.000 --> 24:06.000 And, also, the third binary mustn't be depressed during the execution of the process. 24:06.000 --> 24:17.000 And, of course, it is not applicable to module, just impose unsafe or reflect a fragment or a goal in clean or see or assembly. 24:17.000 --> 24:21.000 So, there is lots of caveats. 24:21.000 --> 24:26.000 So, share is a command, go to share, analyze. 24:26.000 --> 24:31.000 It is a static, analyze that you detect incompatible imports. 24:31.000 --> 24:35.000 So, for example, go back to all the strategies. 24:35.000 --> 24:38.000 It is not compatible with go to share. 24:38.000 --> 24:43.000 Because, it uses unsafe course. 24:47.000 --> 24:50.000 And, here is adaption status of go to share. 24:50.000 --> 24:55.000 It is currently used by several projects under my augmented steps, 24:55.000 --> 24:58.000 such as Dima, the Exposure Machine project. 24:58.000 --> 25:00.000 And, not a city here. 25:00.000 --> 25:02.000 It provides continuity, city here. 25:02.000 --> 25:05.000 It is a command and interface for continuity. 25:05.000 --> 25:10.000 And, also, my experimental project, which is alcohol-horses home-vure, 25:10.000 --> 25:15.000 which improves the security of the home-vure package manager. 25:15.000 --> 25:21.000 And, I think, who was to see wider adaptions. 25:21.000 --> 25:28.000 And, here is a hint to distribute go-motor share, which is a target program. 25:28.000 --> 25:35.000 And, I have a side-topic strike, but I don't have time to cover this side-topics. 25:35.000 --> 25:43.000 But, one more time, future rock I am planning is to switch away from the runtime model to Compilation time model. 25:43.000 --> 25:48.000 So, runtime side-topics thing is fragile and has lots of limitations. 25:48.000 --> 25:55.000 So, the future plan is to just implement this in the Compilation time mode. 25:55.000 --> 26:06.000 And, maybe, I will use aspects oriented program model for implementing go-motor share in the Compilation time mode. 26:06.000 --> 26:10.000 And, we also have to support other languages. 26:10.000 --> 26:18.000 And, share is also as a approach to prevent supply chain attacks, which is a social reputation checker for go-motors. 26:18.000 --> 26:20.000 So, I don't have time to cover this. 26:20.000 --> 26:28.000 But, this kind of social approach is a complementary to technological approaches, such as go-motor share. 26:28.000 --> 26:37.000 So, this reflects a result of dependencies having already used by trust-worthy projects. 26:38.000 --> 26:40.000 So, this is a recap or my talk. 26:40.000 --> 26:41.000 So, process is under attack. 26:41.000 --> 26:46.000 It is a martial arts algorithm and go-motor share puts onto a set of go-motor intuitive share. 26:46.000 --> 26:50.000 So, if you have any questions and feel free to talk me, it is a whole way. 26:50.000 --> 26:51.000 Thank you. 26:51.000 --> 26:53.000 Thank you.