lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: tss at iki.fi (Timo Sirainen)
Subject: Friendly and secure desktop operating system

On Tue, 2003-10-14 at 05:41, Valdis.Kletnieks@...edu wrote:
> > classifying software simply to "trusted" and "untrusted" isn't enough. I
> > don't want my "trusted" web browser accessing files in my home directory
> > (due to security holes in it) unless I specifically tell it to upload or
> > download them.
> 
> About the only way to do this is to use an OpenSSH-style privsep, where the main
> browser runs in ONE compartment, and file up/downloads are handled via a temp
> directory/whatever and a separate entity that copies the stuff from temp to home.
> And even then you can't do a good job of keeping the main browser from lying to
> the helper if the main browser is subverted....

You're thinking about how to do it currently in UNIX world. I'm thinking
about adding new concepts in kernel level. systrace would be much more
closer to it than chroot jails.

But yes, privilege separation is the main point. Preferrably each web
page would run in it's own process so any security holes in rendering
couldn't affect other currently opened web pages. Web page process would
have access equilevant to Java applets - it could mostly just write to
limited area in a window and connect to the host where it was loaded
from.

What is missing from systrace and others is the ability for processes to
pass some of it's existing privileges to other processes and ability to
drop privileges completely. For example I should be able to make a
process that can access only files inside ~/.temp/1/ directory. That
process should be able to make another process that can access files
only inside ~/.temp/1/2/ directory. Process 1 should be able to grant
existing process 2 access to other files inside ~/.temp/1/ as well.

The file upload would then be done something like:

- You have a File Open/Save service process that has access to all files
in your filesystem. This really needs to be free of security holes. It
would be also responsible for showing the open/save dialogs in screen.

- Web browser's Upload function makes an IPC call to File Open/Save
services process.

- Open file service process shows the Open-dialog and lets user select
the file(s) he wishes to upload.

- Open file service process sends read-only file descriptor(s) to web
browser process of the selected files via IPC (or maybe it just grants
open() syscall access to the file).

- Web browser uploads the files, closes file descriptors and it no
longer has access to them.

Downloading would work pretty much the same.



Powered by blists - more mailing lists