web browser suid [was Preemptive strategies]

Jan Dvorak jan.dvorak at sitronicsts.com
Wed Oct 1 00:23:47 PDT 2008


On Wednesday 01 October 2008 02:59:57 Robert Connolly wrote:
> We
> would also need to run around finding copies of updated libraries and
> programs which are in different chroots, unless we use hardlinks.. but
> this is a problem with different mount points.

It is possible to write a FUSE file system for this. One that takes a file 
with fnmatch() patterns and only exports matching paths. It would work 
across mount points etc., but will be a bit slower, so you can only use 
it for binaries and libraries. You can even make it a bit more 
intelligent and when the program completely loads, it can signalize the 
file system to shutdown it's access to some paths. Well, it would be fast 
enough for web browser and such. Apache would require `mount --bind` to 
work efficiently.

> I gotta say, running Lynx as a shared object while disallowing text
> relocations in the kernel,

It's not only text relocations, it's completely NX heap.

> with aslr, compiled with stack protection, 
> run time buffer checking, pointer checking with libmudflap, on a system
> that only allows users to run files owned by the admin, in an empty
> change-root jail possibly mounted as an encrypted loop offset, with a
> random key, to enforce storage use, all enforced by access controls,
> would be stunning.

Now we need some way to prevent user from logging in to screw it all. :-)

> The same could be done with irc clients. The only 
> way I can think of topping this is with my idea to setup a decoy
> system, with a plausibly deniable encrypted system in the decoy free
> space (aes converted to base64, so it doesn't make any sense if it's
> read raw).

I say, go for device-mapper and LVM, we can have much more fun that 
way! :-D



More information about the hlfs-dev mailing list