From: Mitchell Blank Jr <mitch@sfgoth.com>
To: Helge Hafting <helge.hafting@hist.no>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] relinquish_fs() syscall
Date: Tue, 30 Nov 2004 05:48:22 -0800 [thread overview]
Message-ID: <20041130134822.GD63669@gaz.sfgoth.com> (raw)
In-Reply-To: <41AC67B2.6010601@hist.no>
Helge Hafting wrote:
> So someone finds a way to break into the jailed process.
> This is used to feed some hairy exploit to the unjailed
> process that expects "clean" data from the jailed process.
OK, so by your logic firewalls are useless (since you can just exploit the
firewall and then the host) Oh and you might as well run all your daemons
as root (since an attacker can just use some other exploit to gain root
later)
The entire point of a privsep design is that the unjailed process treats
all data from the jailed process as untrusted. If the attacker gains
full control of the jailed process it should still be a challenge to
trick the unjailed process into doing something harmful.
> Same as before, only now they need a two-stage exploit.
Exactly! Now in order for the attacker to win they need to find a
programming error in the jailed process AND the unjailed process.
This is how defense in depth works.
> You can jail a process doing a "dangerous" job, but you can't
> really jail a "hairy" data stream. Not if data is expected to
> emerge from the jail someday.
That's a bogus argument - the data exiting the jail can come out in a
non-hairy format that is less error-prone to process. You do all the
complicated crypto/compression/parsing/etc inside the jail where a
programming errors cause less damage.
Think about a client communicating with a random network hosts over an
SSL connection - you can move the SSL engine into the jailed process.
Now if your SSL's ASN.1 parser has a buffer overflow and you connect to
a malicious server it can't immediately compromise your account.
-Mitch
prev parent reply other threads:[~2004-11-30 13:45 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-29 11:43 [RFC] relinquish_fs() syscall Mitchell Blank Jr
2004-11-29 11:51 ` Alan Cox
2004-11-29 13:55 ` Mitchell Blank Jr
2004-11-29 15:17 ` Alan Cox
2004-11-30 13:27 ` Mitchell Blank Jr
2004-11-30 13:44 ` Arjan van de Ven
2004-11-30 14:12 ` Mitchell Blank Jr
2004-11-30 13:43 ` Alan Cox
2004-12-05 0:14 ` Rob Landley
2004-11-30 12:29 ` Helge Hafting
2004-11-30 13:48 ` Mitchell Blank Jr [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041130134822.GD63669@gaz.sfgoth.com \
--to=mitch@sfgoth.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=helge.hafting@hist.no \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox