From: tss at iki.fi (Timo Sirainen)
Subject: Friendly and secure desktop operating system

On Tue, 2003-10-14 at 05:41, Valdis.Kletnieks@...edu wrote:
> > classifying software simply to "trusted" and "untrusted" isn't enough. I
> > don't want my "trusted" web browser accessing files in my home directory
> > (due to security holes in it) unless I specifically tell it to upload or
> > download them.
>
> About the only way to do this is to use an OpenSSH-style privsep, where the main
> browser runs in ONE compartment, and file up/downloads are handled via a temp
> directory/whatever and a separate entity that copies the stuff from temp to home.
> And even then you can't do a good job of keeping the main browser from lying to
> the helper if the main browser is subverted....

You're thinking about how to do it currently in the UNIX world. I'm thinking
about adding new concepts at the kernel level. systrace would be much closer
to it than chroot jails.

But yes, privilege separation is the main point. Preferably each web page
would run in its own process so any security holes in rendering couldn't
affect other currently opened web pages. The web page process would have
access equivalent to Java applets - it could mostly just write to a limited
area in a window and connect to the host it was loaded from.

What is missing from systrace and others is the ability for processes to pass
some of their existing privileges to other processes and the ability to drop
privileges completely. For example, I should be able to make a process that
can access only files inside the ~/.temp/1/ directory. That process should be
able to make another process that can access files only inside the
~/.temp/1/2/ directory. Process 1 should be able to grant the existing
process 2 access to other files inside ~/.temp/1/ as well.

The file upload would then be done something like:

- You have a File Open/Save service process that has access to all files in
  your filesystem. This really needs to be free of security holes. It would
  also be responsible for showing the open/save dialogs on screen.
- The web browser's Upload function makes an IPC call to the File Open/Save
  service process.
- The Open file service process shows the Open dialog and lets the user
  select the file(s) he wishes to upload.
- The Open file service process sends read-only file descriptor(s) for the
  selected files to the web browser process via IPC (or maybe it just grants
  open() syscall access to the file).
- The web browser uploads the files, closes the file descriptors and no
  longer has access to them.

Downloading would work pretty much the same.
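The read-only descriptor handoff from the upload steps above, as an added example in C that is not code from the post or its author. It stands in the existing UNIX mechanism (SCM_RIGHTS over a socketpair, one process playing both sides) for the kernel-level concept the post envisions, and assumes a writable /tmp for the constructed sample file.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Send one open descriptor over a Unix-domain socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char b = 'F', cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; the kernel installs a fresh fd in the receiving process. */
static int recv_fd(int sock) {
    char b, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd); return fd;
}
/* Upload handoff on a constructed temp file (assumes /tmp is writable): "service" side opens
 * the pick read-only and sends the fd; "browser" side can read via it but not write. 0 = ok. */
int demo_upload_handoff(void) {
    char path[] = "/tmp/handoff-XXXXXX", got[8] = {0};
    int sv[2], rc = -1, tmp = mkstemp(path);
    if (tmp < 0 || write(tmp, "hello", 5) != 5 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        close(tmp); unlink(path); return -1;        /* setup failure, not the handoff itself */
    }
    close(tmp);
    int ro = open(path, O_RDONLY);                  /* service side: open the chosen file */
    if (ro >= 0 && send_fd(sv[0], ro) == 0) {
        close(ro);                                  /* service side's copy is no longer needed */
        int fd = recv_fd(sv[1]);                    /* browser side: receives only the fd */
        if (fd >= 0 && read(fd, got, 5) == 5 && strcmp(got, "hello") == 0
            && (fcntl(fd, F_GETFL) & O_ACCMODE) == O_RDONLY
            && write(fd, "x", 1) == -1)             /* rejected: descriptor is read-only */
            rc = 0;
        if (fd >= 0) close(fd);
    }
    close(sv[0]); close(sv[1]); unlink(path);
    return rc;
}
```

The receiver never learns the path and holds no directory access; once it closes the descriptor, the file is out of reach again, which is the property the post's last upload step relies on.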