In many designs, the slightest error in the source code may become an exploitable vulnerability granting an attacker largely or entirely unrestricted access to a system. In this talk, using vsftpd and Google Chrome for Linux as examples, we will first show how to design code to be more robust against well-known classes of vulnerabilities and, second, how to generically mitigate the consequences of such a vulnerability by dropping privileges and reducing attack surface.

There is a surprising number of options in Linux for managing privileges, but using them tends to be nuanced. This talk will discuss the technical aspects of the various options and explain how to combine them to raise the bar for a system compromise by a sophisticated attacker. While Mandatory Access Control systems are readily available, three of them being merged in the current Linux kernel tree, dropping privileges in a "discretionary" way often has to rely on ancient mechanisms which may not have been designed for security. We will show the state of the art on Linux and how well-known mechanisms, such as switching to an unprivileged uid, using chroot() and capabilities, may or may not be suitable for decent privilege dropping. We will discuss their drawbacks, their availability to non-root processes, and how incorrect usage could be exploited by an attacker to circumvent security measures. We will then explain and demonstrate designs, some using novel ideas or obscure features, that allow developers to put error-prone parts of their code inside a sandbox, using vsftpd and the Google Chrome Linux sandbox as examples. We will discuss their limitations and how further kernel support could improve them.
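The "incorrect usage" the abstract warns about is mostly a matter of ordering and of not checking the result: chroot() without chdir("/"), setuid() before the supplementary groups and gid are dropped, seteuid() leaving the saved set-user-ID at 0, and callers that ignore a failed setuid(). The following C program is an added example, not code from the talk, from vsftpd or from Chrome. It assumes a root process on Linux; the function names, the jail directory /var/empty and the target uid/gid 65534 ("nobody" on many distributions) are choices made for the example.

```c
/* Added example (not from the talk, vsftpd or Chrome): a privilege drop in
 * the order that avoids the classic mistakes, followed by a check that the
 * drop really happened. Assumes a root process on Linux; /var/empty and
 * uid/gid 65534 in main() are assumptions for the sample run. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the process now runs as uid/gid and root cannot be regained, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    /* getuid() cannot show the saved set-user-ID. If it is still 0 (e.g. after
     * seteuid() instead of setuid()), or if CAP_SETUID survived, setuid(0)
     * succeeds: the "drop" was reversible and we are root again right here. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Confine to jail (optional) and irreversibly become uid/gid. Must be called
 * while still root. Returns 0 on success, -1 (errno set) on failure; the
 * caller must treat failure as fatal rather than carry on with privileges. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (jail != NULL) {
        /* chroot() needs CAP_SYS_CHROOT, so it must precede the uid change.
         * chdir("/") afterwards is mandatory: without it the working directory
         * stays outside the new root and "../.." walks out of the jail. */
        if (chroot(jail) == -1 || chdir("/") == -1)
            return -1;
    }
    /* Supplementary groups first: once the uid is dropped we lose CAP_SETGID
     * and root's groups (wheel, disk, ...) would stay attached forever. */
    if (setgroups(0, NULL) == -1)
        return -1;
    /* gid before uid, for the same reason. As root, setgid()/setuid() set the
     * real, effective and saved ids; setegid()/seteuid() would not. */
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)  /* can fail, e.g. EAGAIN when uid's RLIMIT_NPROC is hit */
        return -1;
    /* Do not trust the return values alone; check the resulting state. */
    if (getgroups(0, NULL) != 0 || !privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: an empty directory as jail and "nobody" as target. */
    const char *jail = "/var/empty";   /* assumed to exist; create it first */
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (drop_privileges(uid, gid, jail) == -1) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    /* A chroot() is only a boundary once root is gone: a root process inside
     * a jail can mkdir() + chroot() its way back out. From here on neither
     * that nor setuid(0) is possible. */
    printf("now uid=%u gid=%u, root regained: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           setuid(0) == 0 ? "yes (bug)" : "no");
    return 0;
}
```

Run it as root (`sudo ./drop`) after `mkdir -p /var/empty`; run unprivileged, it fails closed at setgroups() with EPERM, which is the point of checking every call. Note what the check cannot see: file descriptors to directories outside the jail that were opened before chroot() remain usable, which is one of the limitations of chroot() the talk refers to.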