Date:      Fri, 31 May 2002 04:07:14 +0200
From:      Frank van Vliet <karin@root66.org>
To:        Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: sandboxing untrusted binaries
Message-ID:  <20020531040714.G86421@root66.org>
In-Reply-To: <20020530025817.GA4390@no-support.loc>; from bfischer@Techfak.Uni-Bielefeld.DE on Thu, May 30, 2002 at 04:58:18AM +0200
References:  <20020530025817.GA4390@no-support.loc>

Hi Bjoern,

On Thu, May 30, 2002 at 04:58:18AM +0200, Bjoern Fischer wrote:
> OpenBSD has a new interesting feature: systrace. It is a system call
> policy generator for "sandboxing" untrusted or semi-trusted binaries.

The idea of sandboxing binaries is nice of course, but there is a
conceptual drawback.

I think you can divide the programs you run in two groups:

  the group of extra privileged programs which need that for changing
passwords or for allowing users to log into their shell (ssh etc).

  the group of normal programs run by a user interacting with the
outside world, like a browser.

The problem is, a program needs privileges in order to perform its
function. If this function is to change passwords, it needs privileges
to actually change those passwords. The same thing goes for
capabilities: you can fine-tune exactly what is allowed, but the main
thing a program is supposed to do will still be allowed.

If that program was meant to do something which requires root, and you
disable everything else so the program can only do that little thing
like changing passwords, an attacker gaining control of the process
will still be able to do enough to hack the box. You can make it harder
for him, but if the binary had to run with root privileges, and you
disable all other privileges, an exploiter can still hack the box. If
you could drop all privileges, the binary shouldn't be run as root in
the first place. This all goes for the first group of programs I just
mentioned.

The second group is more for trying to keep hackers from gaining local
access. The examples provided by systrace are for this group of
programs. But the same concept applies: the binary needs to run locally
and access local files and even write to files. A web browser still needs
to execute xpdf, and the user still needs to be able to specify what program
to run for PDFs. You can limit the possibilities, but the minimal
capabilities a program needs to function are always enough for a hacker.

> The whole idea looks interesting. The implementation details look
> relatively simple (read: not too complicated). Anyone interested in
> having a closer look and maybe porting it?

I have coded similar things for Linux; the main problem is the
performance hit. For every system call, you will need to check against
the policy, and systrace even provides regular expression filters etc.
This is a major performance hit for most daemons.

> Or I will try to port it myself if at least one core member says:
> "Interesting technology, send a patch..."

I'm not sure if the performance hit will be worth the limiting of
possibilities for hackers. They will still get in, it will only take a
more specialized shellcode.

Looking forward to others' views,

  Frank van Vliet
  karin@root66.org
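The browser case discussed in the reply above, written out as a systrace policy. This is an added illustration, not from the original thread or the systrace project; the program paths, the home directory and the particular rules are assumptions. It shows that even a tightly fitted policy still has to grant file writes and an execve of a viewer, which is the grant the reply argues cannot be taken away without breaking the program.

```text
Policy: /usr/local/bin/mozilla, Emulation: native
	native-fsread: filename match "/usr/local/lib/*" then permit
	native-fsread: filename match "/home/user/.mozilla/*" then permit
	native-fsread: filename re "^/etc/(passwd|pwd\.db)$" then deny[enoent]
	native-fswrite: filename match "/home/user/.mozilla/*" then permit
	native-fswrite: filename match "/home/user/Downloads/*" then permit
	native-connect: sockaddr match "inet-*:80" then permit
	native-execve: filename eq "/usr/local/bin/xpdf" then permit
	native-execve: filename match "*" then ask
```

The `re` line is the regular-expression filter the reply mentions as a per-syscall cost; the `fswrite` and `execve` lines are the capabilities the browser cannot work without, so the policy only pins the viewer to one path rather than removing the ability to run it.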
