The way Tor currently does sandboxing is completely incompatible with FreeBSD Capsicum

Shawn Webb @lattera

Looks like the way #Tor currently does sandboxing is completely incompatible with #FreeBSD #Capsicum.

I’m going to need to really beef up Tor’s internal sandboxing framework. I need to write some abstraction layers. Essentially, Tor needs to ask the sandboxing framework for file descriptors (FDs). FDs could be pre-opened (in the case of Capsicum) or could be opened on-the-fly (in the case of seccomp).

This is going to be a major pain (as is usually the case with Capsicum).

Sep 12, 2017, 00:12 · Web

Sep 12, 2017, 00:16

Shawn Webb @lattera

Right now, Tor just tells the sandboxing framework “hey, I’m going to need to open this file/resource sometime in the future, so add it to the whitelist.”

Later on in the program lifecycle, Tor’s code will simply call open[at]() on that resource. Since #Capsicum won’t let you create new FDs once cap_enter() is called, this doesn’t work. Capsicum works on a per-FD basis, which means 100% of your FDs must be created and set up with the proper rights prior to calling cap_enter().

Sep 12, 2017, 00:20

Shawn Webb @lattera

So, essentially, I have to do at least two things:

1. Enable pre-opening of FDs during sandbox initialization (don’t know how to handle sockets, yet).

2. Each and every time Tor tries to open a resource, funnel that attempt through the new sandboxing abstraction layer.

There could be more that I have to do, but this is just after one day of research.

This diff, when submitting to upstream, is going to be YUGE. I’m going to feel sorry for whoever has to do the code review.

Sep 12, 2017, 00:22

Shawn Webb @lattera

I love the enhanced security #FreeBSD #Capsicum provides. However, it sure is an epically major pain to deal with–especially when retrofitting applications for it. Even applications that were developed with other sandboxing frameworks in mind will have issues when integrating Capsicum support.

Sep 12, 2017, 00:25

Shawn Webb @lattera

This also solidifies the need for exploit mitigations that don’t require extreme development efforts by application developers. Exploit mitigations like PaX ASLR and PaX NOEXEC pair well with Capsicum and don’t need source-level modification of (or direct integration with) applications.

Indeed, combining PaX ASLR, PaX NOEXEC, and Capsicum will provide an execution environment that will really piss off attackers.

#FreeBSD #HardenedBSD #infosec

Source: Lobsters