From: Kris Kennaway <kris@obsecurity.org>
To: Alex Popa <razor@ldc.ro>
Cc: security@freebsd.org
Date: Wed, 13 Jun 2001 13:03:13 -0700
Subject: Re: Compiling untrusted source -- what are the risks?
Message-ID: <20010613130313.B64020@xor.obsecurity.org>
In-Reply-To: <20010613092402.A8413@ldc.ro>

On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote:
> The step I am worried about is the compiling, since I do need to have
> the include files and libraries available. The output should be a
> statically linked file, which would run in a jail (separate one per
> source file) which contains nothing more than the compiled binary, and
> the input file. The evaluation program will run in a separate jail,
> given only the output file from the program, and maybe an "expected
> results" file. I plan on using ipfw to block all traffic on that
> machine (will be a dedicated machine) not coming from a few trusted
> uids (like root and the evaluation process).
>
> I also plan on setting up resource limits, and not running more
> evaluation jobs at the same time (ruins timing).

You could do this step in a jail if you wanted to.

If you're using user-supplied makefiles, then they can run arbitrary
commands. If you're using a fixed set of compiler invocations and the
standard toolchain then it should probably be okay (I don't know of any
ways to cause the compiler toolchain to execute arbitrary commands during
compilation).

Kris
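The following is an added example of the judge setup the thread describes; it is not code from either poster. It follows Kris's advice literally: the submitter hands over exactly one C file, any Makefile is rejected rather than run, the judge (not the submitter) fixes the compiler command line, the result is linked statically, and it runs in a jail containing only the binary and the input under resource limits, with ipfw dropping all traffic not owned by trusted uids. The /judge paths, the jail hostname and address, the compiler flags, the limits and the uid names are all hypothetical choices made for the example; the jail(8) command form (path, hostname, ip, command) and the ipfw `uid` match are the FreeBSD 4.x-era syntax and should be checked against the manual pages of the version in use.

```sh
#!/bin/sh
# Added example, not code from the original thread. Judge harness in the
# spirit of the setup Alex describes and Kris's advice.
# All paths, names, flags and limits below are hypothetical choices.
set -u

CC_BIN=${CC_BIN:-/usr/bin/cc}          # trusted system toolchain, never the submitter's
CFLAGS_FIXED="-O2 -static"             # fixed by the judge; no user CFLAGS, no -Wl,... options
CPU_SECONDS=${CPU_SECONDS:-10}         # per-run CPU limit
MEM_KB=${MEM_KB:-65536}                # per-run address-space limit (kbytes)
JAIL_HOST=${JAIL_HOST:-judge.example}  # hypothetical jail hostname
JAIL_IP=${JAIL_IP:-127.0.0.2}          # hypothetical jail address

# Accept a submission only if the directory holds exactly one regular .c file.
# A Makefile (or anything else) is rejected outright: make(1) executes whatever
# commands the submitter wrote, which is the arbitrary-execution path Kris warns about.
validate_submission() {
    dir=$1
    count=0
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || continue        # unmatched glob pattern
        count=$((count + 1))
        case "$f" in
            */Makefile|*/makefile|*/GNUmakefile)
                echo "reject: makefile in submission" >&2; return 1 ;;
            *.c)
                [ -f "$f" ] || { echo "reject: $f is not a regular file" >&2; return 1; } ;;
            *)
                echo "reject: unexpected file $f" >&2; return 1 ;;
        esac
    done
    if [ "$count" -ne 1 ]; then
        echo "reject: expected exactly one .c file, found $count entries" >&2
        return 1
    fi
    return 0
}

# The exact compiler invocation the judge will run. The source is copied to a
# fixed name before compiling, so nothing chosen by the submitter reaches the
# command line.
compile_cmd() {
    src=$1; out=$2
    printf '%s %s -o %s %s\n' "$CC_BIN" "$CFLAGS_FIXED" "$out" "$src"
}

# Compile on the judge host, where headers and libc.a are available. Because the
# binary is static, the jail it later runs in needs none of that.
compile_submission() {
    dir=$1; build=$2
    validate_submission "$dir" || return 1
    mkdir -p "$build"
    cp "$dir"/*.c "$build/submission.c"
    # CFLAGS_FIXED is intentionally word-split.
    "$CC_BIN" $CFLAGS_FIXED -o "$build/prog" "$build/submission.c"
}

# Run the static binary in a fresh jail root that holds only the binary and the
# input file. The ulimits are set in a subshell so they apply to jail(8) and
# everything it spawns, not to the judge shell itself.
run_submission() {
    build=$1; input=$2; root=$3
    mkdir -p "$root"
    cp "$build/prog" "$root/prog"
    cp "$input" "$root/input"
    (
        ulimit -t "$CPU_SECONDS"
        ulimit -v "$MEM_KB"
        ulimit -f 1024                 # cap output size (units are shell-specific)
        jail "$root" "$JAIL_HOST" "$JAIL_IP" /prog < "$root/input" > "$root/output"
    )
}

# ipfw rules for the policy in the thread: only sockets owned by the trusted
# uids may send or receive, everything else is dropped. Printed rather than
# applied so the rules can be reviewed before loading.
ipfw_rules() {
    for u in "$@"; do
        echo "ipfw add 100 allow ip from any to any uid $u"
    done
    echo "ipfw add 200 deny ip from any to any"
}

# Usage: JUDGE_MAIN=1 sh judge.sh <submission-dir> <input-file>
# Guarded so the functions can be sourced without starting a run.
if [ "${JUDGE_MAIN:-}" = 1 ]; then
    compile_submission "$1" /judge/build && run_submission /judge/build "$2" /judge/run
fi
```

The separation matters more than any single rule: compilation happens where the toolchain lives, but with a command line the submitter cannot influence; execution happens where nothing but the static binary exists, so even a successful escape from the program finds no shell, no compiler and no network.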