dfrws.capibara.com/MattockFSDFRWS_03_ancestors.pdf
Today's schedule
● Asynchronous processing & tool-chain approach
● Integrity, privilege separation and capabilities.
● CarvFS & MinorFS
● MattockFS core design
● MattockFS as distributed-framework building block
● Installation (hands on)
● File-system as API (hands on)
● Python API (hands on)
MattockFS
Computer-Forensics File-System
CarvFS & MinorFS
A family tree
● 2002: OCFA Anycast
● 2006: CarvFS
● 2006: Sealed Digital Evidence Bag
● 2008: MinorFS
FUSE
Forensic File-System Architecture
[Diagram: module instance, user-space file-system, kernel (FUSE, EXT*), disks, file]
CarvFS
● Storage requirements of traditional file carving
● CarvFS allows for zero-storage carving
● Carved files are not copied out but designated
● CarvPath designations
/mnt/carvfs/mp3/18400+4096_S4096_47912+975.crv
Carvpath designations
Examples
● 0+500.crv
● 4096+4096_40960+4096.crv
● 4096+4096_S8192_40960+4096.crv
● 0+40960/1024+512.crv
● DBF49D26….B441C18894793.crv
● DBF49D26….B441C18894793/1024+512.crv
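The numeric forms in the list above can be resolved mechanically. The following is an added example, not code from the slides or from CarvFS: it parses `<offset>+<size>` fragments, treats `S<size>` as a sparse (zero-filled) run, and flattens `/`-nested designations onto the underlying image while refusing any child that reaches outside its parent. The function names and the image size passed in are assumptions; digest-style names are rejected because resolving them needs a lookup the slides do not show.

```python
import re

FRAG = re.compile(r"^(\d+)\+(\d+)$")   # <offset>+<size>
SPARSE = re.compile(r"^S(\d+)$")       # S<size>: sparse run, no backing data

def parse_level(text):
    """Parse one level, e.g. '4096+4096_S8192_40960+4096', into a list of
    (offset, size) tuples; offset is None for a sparse run."""
    frags = []
    for tok in text.split("_"):
        if m := FRAG.match(tok):
            frags.append((int(m[1]), int(m[2])))
        elif m := SPARSE.match(tok):
            frags.append((None, int(m[1])))
        else:
            # Digest-style tokens need a lookup table this sketch lacks.
            raise ValueError(f"unsupported token: {tok!r}")
    return frags

def subrange(parent, offset, size):
    """Map [offset, offset+size) inside the entity described by `parent`
    back onto the address space that `parent` itself refers to."""
    out, pos = [], 0
    for p_off, p_size in parent:
        lo, hi = max(offset, pos), min(offset + size, pos + p_size)
        if lo < hi:
            out.append((None if p_off is None else p_off + lo - pos, hi - lo))
        pos += p_size
    if offset + size > pos:
        # A designation must never grant more than its parent covers.
        raise ValueError("child fragment exceeds parent size")
    return out

def flatten(carvpath, image_size):
    """Resolve a (possibly nested) carvpath to fragments of the image."""
    if carvpath.endswith(".crv"):
        carvpath = carvpath[:-4]
    current = [(0, image_size)]
    for level in carvpath.split("/"):
        resolved = []
        for off, size in parse_level(level):
            if off is None:
                resolved.append((None, size))
            else:
                resolved.extend(subrange(current, off, size))
        current = resolved
    return current
```

Because every level is clipped against its parent, a nested name can only narrow what the parent already designates, which is the property that lets a file name double as the access grant.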
Issues with CarvFS
● Read-only access to forensic disk image
● In large cases hundreds of mounted image files
● OCFA hacks
  – Bypass CarvFS to write to underlying growing archive
  – Inefficient hybrid CarvFS/CAS storage
MinorFS
● Least Authority set of user-space file-systems
  – CapFS: Sparse-capability based tree layer
  – ViewFS
    ● Provides pseudo-persistent-processes with a private $HOME
    ● Provides all processes with a private $TMP
CapFS: '..' considered evil
● Special '..' directory normally designates parent
● Capabilities: designation implies authorization
● The '..' breaks delegation of sub-trees.
MinorFS, the PPP stack.
● AppArmor:
  – Take away ambient authority to $HOME, $TMP
  – Allow processes to keep secrets by limiting access to /proc/${SOMEPID}/
● MinorFS:
  – Provide secure private storage for VATs to E.
● The E language:
  – Provide a fine grained distributed object capability platform.
MinorFS and CarvFS
● MinorFS
  – Shows us the value of sparse capabilities and FUSE for high-integrity system design.
● CarvFS
  – Shows us the strength of carvpath annotations as file names.