0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/567 Thanks! 1 00:00:09,330 --> 00:00:10,949 Welcome, everyone, to this talk. 2 00:00:10,950 --> 00:00:12,929 Welcome to everyone who is watching on 3 00:00:12,930 --> 00:00:15,239 the livestream or listening, it's great 4 00:00:15,240 --> 00:00:17,459 to see you in this big hall. 5 00:00:17,460 --> 00:00:19,799 Our next guest is Fefe. 6 00:00:19,800 --> 00:00:22,079 Fefe is a security consultant. 7 00:00:24,180 --> 00:00:25,680 Security consultant. 8 00:00:30,580 --> 00:00:32,949 He's also the co-founder of 9 00:00:32,950 --> 00:00:35,529 the company Code Blau, it's 10 00:00:35,530 --> 00:00:38,079 specializing in security concepts 11 00:00:38,080 --> 00:00:40,239 and Fefe belongs to the CCC 12 00:00:40,240 --> 00:00:42,699 inventory, kind of like the down time 13 00:00:42,700 --> 00:00:43,700 of the wiki 14 00:00:48,310 --> 00:00:50,859 for those who are not from Germany. 15 00:00:50,860 --> 00:00:53,349 Fefe has a little blog 16 00:00:53,350 --> 00:00:54,350 in Germany, 17 00:00:55,930 --> 00:00:58,449 a little and pretty 18 00:00:58,450 --> 00:01:00,039 really tiny, really tiny. 19 00:01:00,040 --> 00:01:01,209 Not many people read that. 20 00:01:01,210 --> 00:01:02,210 Or 21 00:01:03,310 --> 00:01:04,310 can we change the subject? 22 00:01:06,190 --> 00:01:08,379 I do want to say, though, that this blog 23 00:01:08,380 --> 00:01:10,479 is the only Web site that comes up 24 00:01:10,480 --> 00:01:12,699 when you and you when you go into 25 00:01:12,700 --> 00:01:14,649 the Berlin U-Bahn, in the metro. 26 00:01:14,650 --> 00:01:16,449 So this is the fastest loading time of 27 00:01:16,450 --> 00:01:17,450 all Web sites. 
28 00:01:25,530 --> 00:01:27,719 And he will talk today about 29 00:01:27,720 --> 00:01:29,819 programs that sandbox themselves 30 00:01:29,820 --> 00:01:31,799 and why that is a good idea. 31 00:01:32,940 --> 00:01:35,069 So in this talk, Check Your Privilege, 32 00:01:35,070 --> 00:01:37,229 is how to drop more of your privileges 33 00:01:37,230 --> 00:01:39,719 to reduce attack surface. 34 00:01:39,720 --> 00:01:41,730 Please help me welcome Fefe. 35 00:01:51,450 --> 00:01:52,409 Good morning, everyone, thanks for 36 00:01:52,410 --> 00:01:53,789 showing up. 37 00:01:53,790 --> 00:01:56,009 So this talk's about how 38 00:01:56,010 --> 00:01:58,199 you can write your own programs, 39 00:01:58,200 --> 00:02:00,359 so even if they are exploited 40 00:02:00,360 --> 00:02:01,979 because you have a bug in them, the 41 00:02:01,980 --> 00:02:03,749 damage is still limited. 42 00:02:03,750 --> 00:02:05,579 And the idea for this is pretty old. 43 00:02:05,580 --> 00:02:07,649 It's probably older than than 44 00:02:07,650 --> 00:02:09,909 when I blogged it in 2007. 45 00:02:09,910 --> 00:02:11,939 But this is the first mention of it I 46 00:02:11,940 --> 00:02:13,289 found in my own blog. 47 00:02:13,290 --> 00:02:14,939 So I've been I've been working on this 48 00:02:14,940 --> 00:02:16,979 for a while or at least thinking about 49 00:02:16,980 --> 00:02:19,349 it. And now the 50 00:02:19,350 --> 00:02:20,849 building blocks have come into place. 51 00:02:20,850 --> 00:02:23,129 So I can show you how 52 00:02:23,130 --> 00:02:24,130 to do this now. 53 00:02:25,290 --> 00:02:27,239 But before we start, let me make one 54 00:02:27,240 --> 00:02:28,229 thing clear. 55 00:02:28,230 --> 00:02:30,359 This is not something you do instead of 56 00:02:30,360 --> 00:02:33,149 making your code good in the first place. 57 00:02:33,150 --> 00:02:35,369 This is something you do after you 58 00:02:35,370 --> 00:02:36,509 make sure the code is good. 
59 00:02:36,510 --> 00:02:39,149 It's it's like an insurance. 60 00:02:39,150 --> 00:02:41,129 It can save your ass. 61 00:02:41,130 --> 00:02:43,379 But if you're negligent, then 62 00:02:43,380 --> 00:02:44,649 they won't pay. All right. 63 00:02:44,650 --> 00:02:46,709 So basically, 64 00:02:46,710 --> 00:02:48,869 I'm trying to to show the 65 00:02:48,870 --> 00:02:50,699 problem I'm trying to solve first. 66 00:02:50,700 --> 00:02:52,919 So basically, when you plan software, you 67 00:02:52,920 --> 00:02:55,259 think of it like this and 68 00:02:55,260 --> 00:02:56,699 when it's written, it's more like this. 69 00:03:06,670 --> 00:03:08,829 Basically, we depend on lots of code with 70 00:03:08,830 --> 00:03:10,929 bugs in our daily lives, 71 00:03:10,930 --> 00:03:13,269 and many of those bugs are security 72 00:03:13,270 --> 00:03:14,270 bugs. 73 00:03:17,970 --> 00:03:20,099 And if and if someone tries to 74 00:03:20,100 --> 00:03:21,809 attack something, it's usually something 75 00:03:21,810 --> 00:03:24,299 that has more access rights 76 00:03:24,300 --> 00:03:26,110 than the attacker in the first place. 77 00:03:27,630 --> 00:03:29,819 And when the attack succeeds, 78 00:03:29,820 --> 00:03:31,859 the attacker has gained some privileges 79 00:03:31,860 --> 00:03:32,860 in the system. 80 00:03:33,720 --> 00:03:35,789 So how can we solve 81 00:03:35,790 --> 00:03:37,239 this problem? 82 00:03:37,240 --> 00:03:39,359 And the the obvious idea is that, well, 83 00:03:39,360 --> 00:03:40,860 make sure there are no bugs in the code. 84 00:03:46,420 --> 00:03:48,099 It's not that simple, it turns out. 
85 00:03:53,730 --> 00:03:55,799 The second obvious idea is to 86 00:03:55,800 --> 00:03:58,079 reduce the exposure of your code, make 87 00:03:58,080 --> 00:04:00,509 sure it's on the Internet as a typical 88 00:04:00,510 --> 00:04:02,849 thing people used to say for a while 89 00:04:02,850 --> 00:04:05,099 and make sure it's only reachable 90 00:04:05,100 --> 00:04:07,499 via HTTPS after authentication. 91 00:04:07,500 --> 00:04:09,329 So, you know, only people with accounts 92 00:04:09,330 --> 00:04:11,459 can attack you, 93 00:04:11,460 --> 00:04:12,539 which may not 94 00:04:13,800 --> 00:04:14,729 lessen the burden. 95 00:04:14,730 --> 00:04:16,409 A lot of just say, an email provider, 96 00:04:16,410 --> 00:04:17,819 because, you know, everyone can have an 97 00:04:17,820 --> 00:04:20,129 account or maybe 98 00:04:20,130 --> 00:04:21,869 it's an internal microservice and it's 99 00:04:21,870 --> 00:04:23,519 not visible from the Internet 100 00:04:24,690 --> 00:04:27,239 or, you know, it's behind seven proxies. 101 00:04:29,630 --> 00:04:31,489 Or, you know, people can come up with 102 00:04:31,490 --> 00:04:32,709 pretty wild scenarios. 103 00:04:40,160 --> 00:04:41,779 But no matter what you do, all you can do 104 00:04:41,780 --> 00:04:44,059 is reduce probability of 105 00:04:44,060 --> 00:04:46,159 a hack. You don't rule it 106 00:04:46,160 --> 00:04:46,849 out entirely. 107 00:04:46,850 --> 00:04:49,159 So even if you do all this, 108 00:04:49,160 --> 00:04:51,459 you can still get exploited. 109 00:04:51,460 --> 00:04:53,239 So what can we do to make exploitation 110 00:04:53,240 --> 00:04:54,439 harder? 111 00:04:54,440 --> 00:04:56,089 This is where most of the research right 112 00:04:56,090 --> 00:04:57,869 now is focused. 
113 00:04:57,870 --> 00:05:00,119 You can have non-executable stack, which 114 00:05:00,120 --> 00:05:02,339 is pretty standard these days, 115 00:05:02,340 --> 00:05:04,439 you can have cookies on the stack, 116 00:05:04,440 --> 00:05:06,269 you can have a hardened heap, all those 117 00:05:06,270 --> 00:05:08,759 are standard, too. ASLR 118 00:05:08,760 --> 00:05:11,309 and position independent executables. 119 00:05:11,310 --> 00:05:13,319 ROP protection is kind of the new thing 120 00:05:13,320 --> 00:05:15,479 that people are trying to 121 00:05:15,480 --> 00:05:16,480 make a standard. 122 00:05:17,460 --> 00:05:19,559 You can ban dangerous APIs, which is a 123 00:05:19,560 --> 00:05:21,510 good idea. You can train developers 124 00:05:23,370 --> 00:05:25,049 can have a bug bounty. 125 00:05:25,050 --> 00:05:26,639 That is a good idea too. 126 00:05:26,640 --> 00:05:28,170 If you have the cash lying around, 127 00:05:29,220 --> 00:05:31,409 you can run the code on some architecture 128 00:05:31,410 --> 00:05:32,609 that you hope nobody knows how to 129 00:05:32,610 --> 00:05:33,610 exploit. 130 00:05:36,490 --> 00:05:38,289 But in the end of the day, it's just the 131 00:05:38,290 --> 00:05:40,119 reduction of the risk, it's not actually 132 00:05:40,120 --> 00:05:41,739 you can't really sleep sound. 133 00:05:43,340 --> 00:05:45,199 And the idea I'm going to talk about 134 00:05:45,200 --> 00:05:47,419 today is that maybe you can put your code 135 00:05:47,420 --> 00:05:50,389 in a straitjacket and drop privileges 136 00:05:50,390 --> 00:05:52,519 so much that even if someone can 137 00:05:52,520 --> 00:05:54,769 find the bug and exploit it, the access 138 00:05:54,770 --> 00:05:57,080 they gain is minimal or nonexistent. 139 00:05:59,070 --> 00:06:01,409 Basically, the less the code can do, 140 00:06:01,410 --> 00:06:03,119 the less the attacker can gain by 141 00:06:03,120 --> 00:06:04,120 attacking. 
142 00:06:04,870 --> 00:06:06,489 However, there is a massive difference 143 00:06:06,490 --> 00:06:08,109 between what the code can do and what 144 00:06:08,110 --> 00:06:09,579 the code actually does. 145 00:06:09,580 --> 00:06:11,469 So I'm talking about what the code can 146 00:06:11,470 --> 00:06:12,609 do. 147 00:06:12,610 --> 00:06:14,589 This is not about well, I'm not I'm not 148 00:06:14,590 --> 00:06:16,509 writing files anywhere, so I should be 149 00:06:16,510 --> 00:06:17,469 safe. 150 00:06:17,470 --> 00:06:19,359 No, if someone gets code execution in 151 00:06:19,360 --> 00:06:21,309 your process and that process can write 152 00:06:21,310 --> 00:06:23,769 somewhere, then that's a problem. 153 00:06:23,770 --> 00:06:25,119 So this is not about what your code 154 00:06:25,120 --> 00:06:27,189 actually tries to do, but 155 00:06:27,190 --> 00:06:28,629 what it could do with the privilege 156 00:06:28,630 --> 00:06:30,099 level it's running as in the operating 157 00:06:30,100 --> 00:06:31,100 system. 158 00:06:32,810 --> 00:06:34,699 The post-exploitation attack is not 159 00:06:34,700 --> 00:06:36,289 limited by what the code was trying to 160 00:06:36,290 --> 00:06:37,999 do. This is very important to understand. 161 00:06:39,700 --> 00:06:41,769 Basically, if you run something like, 162 00:06:41,770 --> 00:06:44,199 say, ping, it's a setuid program 163 00:06:44,200 --> 00:06:46,599 on Unix, then 164 00:06:46,600 --> 00:06:49,119 the service or like an HTTP daemon 165 00:06:49,120 --> 00:06:51,549 or any any system service, basically, 166 00:06:51,550 --> 00:06:53,769 it's usually running as super user 167 00:06:53,770 --> 00:06:55,899 traditionally, and the 168 00:06:55,900 --> 00:06:57,579 super user has all the access in the 169 00:06:57,580 --> 00:06:59,899 system. So this is really bad. 170 00:06:59,900 --> 00:07:02,349 The obvious first step is to reduce 171 00:07:02,350 --> 00:07:03,419 this a bit. 
172 00:07:03,420 --> 00:07:05,799 So this is what the super user can do. 173 00:07:05,800 --> 00:07:07,499 The next step is you drop privileges. 174 00:07:07,500 --> 00:07:09,639 So you run as a normal user in 175 00:07:09,640 --> 00:07:11,019 the system and you still have a lot of 176 00:07:11,020 --> 00:07:12,020 privileges. 177 00:07:13,210 --> 00:07:15,289 But it's better. 178 00:07:15,290 --> 00:07:17,539 And this talk is about maybe we can drop 179 00:07:17,540 --> 00:07:18,540 privileges some more. 180 00:07:19,680 --> 00:07:21,869 And the service can only really do 181 00:07:21,870 --> 00:07:24,179 very tiny things in the system. 182 00:07:24,180 --> 00:07:25,319 That's the idea. 183 00:07:25,320 --> 00:07:27,989 Common patterns for achieving this are 184 00:07:27,990 --> 00:07:30,029 the drop privileges, and then you do all 185 00:07:30,030 --> 00:07:32,129 the really hard and dangerous stuff in 186 00:07:32,130 --> 00:07:34,049 the beginning. Then you drop privileges 187 00:07:34,050 --> 00:07:35,759 and you hope that the bug that the 188 00:07:35,760 --> 00:07:37,649 attacker will find in the code after you 189 00:07:37,650 --> 00:07:38,999 drop privileges. 190 00:07:39,000 --> 00:07:41,009 And this may be a sound assumption, but 191 00:07:41,010 --> 00:07:42,089 it may not be. 192 00:07:42,090 --> 00:07:43,440 So this is kind of risky. 193 00:07:44,580 --> 00:07:46,079 But it's a common it's a common way to 194 00:07:46,080 --> 00:07:48,329 approach this and the next way 195 00:07:48,330 --> 00:07:49,859 to approach this, I'm going to talk about 196 00:07:49,860 --> 00:07:50,879 all of this in detail. 197 00:07:50,880 --> 00:07:52,479 It's called privilege separation. 198 00:07:52,480 --> 00:07:54,749 When you split up your process and 199 00:07:54,750 --> 00:07:56,759 you remove the dangerous part in a 200 00:07:56,760 --> 00:07:58,169 separate process and make sure that 201 00:07:58,170 --> 00:07:59,969 process can't really do anything. 
202 00:07:59,970 --> 00:08:02,279 And another thing that's usually done 203 00:08:02,280 --> 00:08:04,109 is if if you're really helpless because 204 00:08:04,110 --> 00:08:05,999 the you can't trust the app and it's 205 00:08:06,000 --> 00:08:08,069 really big, you put it in a VM or 206 00:08:08,070 --> 00:08:10,199 maybe a container or a jail 207 00:08:10,200 --> 00:08:13,169 and you hope that these mechanisms will 208 00:08:13,170 --> 00:08:14,670 constrain the explosion of it. 209 00:08:16,300 --> 00:08:18,999 But maybe the app can confine itself, too, 210 00:08:19,000 --> 00:08:21,459 and this is an idea that's pretty new. 211 00:08:21,460 --> 00:08:23,769 I think it's only been 212 00:08:23,770 --> 00:08:25,569 gaining traction in the last few years, 213 00:08:25,570 --> 00:08:26,570 as far as I know. 214 00:08:27,360 --> 00:08:28,779 Oh, and there's a broker service, which 215 00:08:28,780 --> 00:08:30,219 is a common, common idiom. 216 00:08:30,220 --> 00:08:32,319 You split up your due process 217 00:08:32,320 --> 00:08:33,999 and you make sure, for example, the left 218 00:08:34,000 --> 00:08:36,129 half of the process can't 219 00:08:36,130 --> 00:08:38,379 open files, but it can talk 220 00:08:38,380 --> 00:08:39,849 to the right half and the right half can 221 00:08:39,850 --> 00:08:41,529 open files. And if the left half wants to 222 00:08:41,530 --> 00:08:43,808 open a file, it asks the right half. 223 00:08:43,809 --> 00:08:45,969 And this is very small piece of 224 00:08:45,970 --> 00:08:48,249 code. So it can be more 225 00:08:48,250 --> 00:08:49,409 sure that it's safe. 226 00:08:51,370 --> 00:08:52,959 Dropping privileges is generally 227 00:08:52,960 --> 00:08:55,299 understood as dropping them for good. 228 00:08:55,300 --> 00:08:57,129 So the idea is you can only go down in 229 00:08:57,130 --> 00:08:59,259 privileges, you cannot go up again. In 230 00:08:59,260 --> 00:09:01,509 practice. 
That's not as easy as 231 00:09:01,510 --> 00:09:02,510 you would think. 232 00:09:05,350 --> 00:09:07,539 So traditionally, what we did 233 00:09:07,540 --> 00:09:10,059 is we only look at dropping privileges 234 00:09:10,060 --> 00:09:12,189 for privileged processes, we say, 235 00:09:12,190 --> 00:09:13,749 well, if it's running as some user ID, 236 00:09:13,750 --> 00:09:15,309 we don't care, that's already pretty 237 00:09:15,310 --> 00:09:16,310 safe. 238 00:09:16,690 --> 00:09:18,399 So this is where traditionally the idea 239 00:09:18,400 --> 00:09:20,589 of dropping privileges comes from, 240 00:09:20,590 --> 00:09:22,749 setuid programs or programs 241 00:09:22,750 --> 00:09:25,179 starting as root, and common examples 242 00:09:25,180 --> 00:09:27,219 of this are ping, because it needs raw 243 00:09:27,220 --> 00:09:28,899 socket access and that's restricted to 244 00:09:28,900 --> 00:09:31,089 the super user and the X server 245 00:09:31,090 --> 00:09:32,919 used to be running setuid. 246 00:09:32,920 --> 00:09:35,379 Nowadays, there's other ways to do this 247 00:09:35,380 --> 00:09:37,119 because it needs access to the raw 248 00:09:37,120 --> 00:09:38,529 graphics hardware. 249 00:09:38,530 --> 00:09:40,659 And the third is xterm, which 250 00:09:40,660 --> 00:09:42,549 used to be setuid root because it needs 251 00:09:42,550 --> 00:09:44,169 to create a tty. 252 00:09:44,170 --> 00:09:46,149 And not only the super user should be 253 00:09:46,150 --> 00:09:47,150 allowed to do this. 254 00:09:48,260 --> 00:09:50,199 Basically the idea, again, is to do the 255 00:09:50,200 --> 00:09:52,389 privileged stuff first and then 256 00:09:52,390 --> 00:09:54,519 drop privileges and hope that all the 257 00:09:54,520 --> 00:09:56,499 attacker can do is attack you after that. 258 00:09:58,750 --> 00:10:00,339 Privilege separation. 
259 00:10:00,340 --> 00:10:02,499 I think the term comes from the 260 00:10:02,500 --> 00:10:04,719 OpenSSH people or basically 261 00:10:04,720 --> 00:10:05,769 the OpenBSD 262 00:10:07,000 --> 00:10:09,189 community has has 263 00:10:09,190 --> 00:10:11,169 imprinted this term. 264 00:10:11,170 --> 00:10:12,489 They invented the concept. 265 00:10:12,490 --> 00:10:14,199 As far as I know. 266 00:10:14,200 --> 00:10:16,519 The idea is to split up your process. 267 00:10:16,520 --> 00:10:18,849 So let's say you have this hugely complex 268 00:10:18,850 --> 00:10:21,099 crypto and parsing code that does the 269 00:10:21,100 --> 00:10:22,719 SSH low-level protocol 270 00:10:22,720 --> 00:10:24,639 parsing. And you don't you think it's 271 00:10:24,640 --> 00:10:25,989 safe, but you're not really sure. 272 00:10:25,990 --> 00:10:28,719 So you put this in a separate process 273 00:10:28,720 --> 00:10:30,849 and that process is confined to 274 00:10:30,850 --> 00:10:33,639 a small, empty part in the file system 275 00:10:33,640 --> 00:10:35,889 and you make sure it can't 276 00:10:35,890 --> 00:10:38,319 do anything except parsing the protocol. 277 00:10:38,320 --> 00:10:40,599 And then if anything blows up, it's only 278 00:10:40,600 --> 00:10:42,609 that part that blows up and not the whole 279 00:10:42,610 --> 00:10:44,469 thing. The whole thing can do diagnostics 280 00:10:44,470 --> 00:10:46,629 and say, oh, someone tried to hack 281 00:10:46,630 --> 00:10:47,630 me. 282 00:10:52,710 --> 00:10:54,569 The other idea was the the admin 283 00:10:54,570 --> 00:10:56,759 confining an app in a jail, 284 00:10:56,760 --> 00:10:59,129 container or a VM, and 285 00:10:59,130 --> 00:11:01,349 basically this works 286 00:11:01,350 --> 00:11:03,179 on a on the whole system level. 287 00:11:04,290 --> 00:11:05,729 There can be more granularity. 
288 00:11:05,730 --> 00:11:07,169 But usually what you do is you take the 289 00:11:07,170 --> 00:11:09,119 whole thing and put it in some kind of 290 00:11:09,120 --> 00:11:11,009 environment, restricted environment. 291 00:11:11,010 --> 00:11:12,839 And this is done by the admin, not by the 292 00:11:12,840 --> 00:11:14,219 app itself. 293 00:11:14,220 --> 00:11:16,109 The problem is, if you have some kind of 294 00:11:16,110 --> 00:11:17,999 rules, there's several implementations for 295 00:11:18,000 --> 00:11:19,949 this that I'm going to show, if you have 296 00:11:19,950 --> 00:11:22,649 a rule set, this program 297 00:11:22,650 --> 00:11:24,269 can do this and this and this, but 298 00:11:24,270 --> 00:11:25,429 nothing else. 299 00:11:25,430 --> 00:11:27,329 How do you get that rule? 300 00:11:27,330 --> 00:11:29,069 This is surprisingly difficult if it's 301 00:11:29,070 --> 00:11:30,090 not a trivial program 302 00:11:31,260 --> 00:11:33,389 and for easy for 303 00:11:33,390 --> 00:11:35,069 simple processes that can be done. 304 00:11:35,070 --> 00:11:37,379 And it's reasonably easy, but 305 00:11:37,380 --> 00:11:39,089 that's not the ones we're worried about. 306 00:11:39,090 --> 00:11:41,099 Right. So we think about stuff like 307 00:11:41,100 --> 00:11:42,100 Firefox. 308 00:11:44,640 --> 00:11:46,709 Also, in my opinion, 309 00:11:46,710 --> 00:11:48,569 you can't expect the admin to come up 310 00:11:48,570 --> 00:11:51,179 with a set of rules to confine 311 00:11:51,180 --> 00:11:52,259 a program. 312 00:11:52,260 --> 00:11:55,019 It's not the admin's job to understand 313 00:11:55,020 --> 00:11:57,089 what every eventuality, 314 00:11:57,090 --> 00:11:59,279 every error code path in this app 315 00:11:59,280 --> 00:12:01,499 does. You don't even know 316 00:12:01,500 --> 00:12:03,809 if you use all the regular functionality 317 00:12:03,810 --> 00:12:05,789 in the program usually. 
318 00:12:05,790 --> 00:12:07,349 Are you sure you clicked on every button 319 00:12:07,350 --> 00:12:09,419 in Firefox in your lifetime 320 00:12:09,420 --> 00:12:11,279 and you would have to do that to make 321 00:12:11,280 --> 00:12:13,109 sure that your profile is complete? 322 00:12:13,110 --> 00:12:14,879 So usually what happens in this kind of 323 00:12:14,880 --> 00:12:16,919 scenario is that there are some obscure 324 00:12:16,920 --> 00:12:19,079 error paths you haven't seen yet that 325 00:12:19,080 --> 00:12:20,459 the program would have been able to 326 00:12:20,460 --> 00:12:21,719 handle gracefully. 327 00:12:21,720 --> 00:12:23,879 For example, just for memory 328 00:12:23,880 --> 00:12:26,429 allocation fails and then suddenly 329 00:12:26,430 --> 00:12:28,499 the program behaves differently. 330 00:12:28,500 --> 00:12:30,839 And that's a violation of your profile 331 00:12:30,840 --> 00:12:32,609 and the whole thing blows up. 332 00:12:32,610 --> 00:12:34,469 So this is it's very hard to come up with 333 00:12:34,470 --> 00:12:36,219 this profile. That's why I think it's 334 00:12:36,220 --> 00:12:38,309 it's a misguided idea to do this. 335 00:12:38,310 --> 00:12:40,589 You can still do this on top of 336 00:12:40,590 --> 00:12:43,109 actually having the program sandbox 337 00:12:43,110 --> 00:12:45,449 itself. It's it's an 338 00:12:45,450 --> 00:12:47,519 orthogonal idea, 339 00:12:47,520 --> 00:12:48,929 but I don't think this should be the only 340 00:12:48,930 --> 00:12:51,410 thing we do to constrain applications. 341 00:12:53,380 --> 00:12:55,649 The the other idea is that, well, maybe 342 00:12:55,650 --> 00:12:57,689 not the admin is doing this, but the 343 00:12:57,690 --> 00:13:00,029 distro guy, you know, the Debian package 344 00:13:00,030 --> 00:13:00,989 maintainer does this. 345 00:13:00,990 --> 00:13:03,059 And I don't think that's a good idea, too, 346 00:13:03,060 --> 00:13:04,769 you can't really expect them to do this. 
347 00:13:04,770 --> 00:13:06,539 They're basically, you know, students 348 00:13:06,540 --> 00:13:08,379 doing this in their spare time. 349 00:13:08,380 --> 00:13:11,069 But how would they have a year 350 00:13:11,070 --> 00:13:12,809 to study Firefox and come up with a 351 00:13:12,810 --> 00:13:13,810 profile? 352 00:13:17,000 --> 00:13:19,339 So the the central idea of 353 00:13:19,340 --> 00:13:21,889 all of my talk is the confining itself, 354 00:13:21,890 --> 00:13:24,079 basically, I think it's a werewolf 355 00:13:24,080 --> 00:13:26,459 chaining itself to the wall before 356 00:13:26,460 --> 00:13:28,609 a full moon to make sure that even 357 00:13:28,610 --> 00:13:30,619 if something happens, you know, I'm still 358 00:13:30,620 --> 00:13:33,019 confined here and don't do damage. 359 00:13:33,020 --> 00:13:35,269 So basically what you do is you make sure 360 00:13:35,270 --> 00:13:36,889 there's a little part in the file system, 361 00:13:36,890 --> 00:13:39,019 only the stuff you really need, and 362 00:13:39,020 --> 00:13:40,519 you can only access that part. 363 00:13:40,520 --> 00:13:42,649 There's several ways to do this, to talk 364 00:13:42,650 --> 00:13:43,650 about them. 365 00:13:44,360 --> 00:13:46,549 You cannot open files outside this 366 00:13:46,550 --> 00:13:48,259 part of the file system or maybe you can't 367 00:13:48,260 --> 00:13:49,669 open any files at all. 368 00:13:49,670 --> 00:13:51,559 If you don't need doesn't need to open 369 00:13:51,560 --> 00:13:53,479 files, you would think, but it turns out 370 00:13:53,480 --> 00:13:56,749 it does for DNS lookup. 371 00:13:56,750 --> 00:13:58,639 So it's all the devil's in the details 372 00:13:58,640 --> 00:14:00,919 here. It's not it's easier to talk about 373 00:14:00,920 --> 00:14:01,920 it than to actually do it. 
374 00:14:02,930 --> 00:14:04,879 Another thing that's usually overlooked 375 00:14:04,880 --> 00:14:06,859 is that even if you can't access the file 376 00:14:06,860 --> 00:14:08,239 system, there's still lots of stuff you 377 00:14:08,240 --> 00:14:09,049 can do. 378 00:14:09,050 --> 00:14:11,449 System V IPC is its own namespace, 379 00:14:11,450 --> 00:14:13,579 for example, which means you could 380 00:14:13,580 --> 00:14:15,709 access shared memory from other processes 381 00:14:15,710 --> 00:14:18,079 if they use System V IPC 382 00:14:18,080 --> 00:14:20,299 or you can send signals, just kill 383 00:14:20,300 --> 00:14:21,769 processes. 384 00:14:21,770 --> 00:14:23,899 Or you could use ptrace, which 385 00:14:23,900 --> 00:14:26,089 is the Unix debug API, to 386 00:14:26,090 --> 00:14:28,189 attach yourself as a debugger to some 387 00:14:28,190 --> 00:14:30,439 process outside of your environment. 388 00:14:30,440 --> 00:14:32,779 So it's not just it's not enough to 389 00:14:32,780 --> 00:14:34,099 limit the filesystem access. 390 00:14:34,100 --> 00:14:35,210 There's more stuff you can do. 391 00:14:38,670 --> 00:14:40,739 So the the 392 00:14:40,740 --> 00:14:42,989 main thing you should take away from 393 00:14:42,990 --> 00:14:44,699 this is that you probably have to 394 00:14:44,700 --> 00:14:46,529 restructure your application the way it 395 00:14:46,530 --> 00:14:47,489 works. 396 00:14:47,490 --> 00:14:49,739 You limit what the main application can 397 00:14:49,740 --> 00:14:51,689 do to reduce the part 398 00:14:51,690 --> 00:14:53,669 you really have to be sure about to the 399 00:14:53,670 --> 00:14:55,709 broker service. And the broker service 400 00:14:55,710 --> 00:14:58,709 gets messages from the main program, 401 00:14:58,710 --> 00:15:00,929 stuff like I want to open this file 402 00:15:00,930 --> 00:15:03,239 for reading or I want to open 403 00:15:03,240 --> 00:15:04,469 that file for writing in. 
404 00:15:04,470 --> 00:15:06,089 The broker service can do additional 405 00:15:06,090 --> 00:15:08,399 checking aside from what the operating 406 00:15:08,400 --> 00:15:09,500 system is doing anyway. 407 00:15:12,590 --> 00:15:15,079 And to make this worthwhile, 408 00:15:15,080 --> 00:15:16,549 you have to make sure that the main 409 00:15:16,550 --> 00:15:18,769 process does not have any way 410 00:15:18,770 --> 00:15:20,959 to actually or any any access rights 411 00:15:20,960 --> 00:15:22,999 to access the file system itself. 412 00:15:23,000 --> 00:15:24,859 And there are several ways to do this I'm 413 00:15:24,860 --> 00:15:25,860 going to talk about. 414 00:15:28,290 --> 00:15:31,019 The problem is that sometimes 415 00:15:31,020 --> 00:15:33,119 there's ways for 416 00:15:33,120 --> 00:15:35,429 the main program to 417 00:15:35,430 --> 00:15:36,899 trick the broker. 418 00:15:36,900 --> 00:15:38,999 So if you do if you just do a 419 00:15:39,000 --> 00:15:40,589 separate process and it's running under 420 00:15:40,590 --> 00:15:42,749 the same user ID, for example, 421 00:15:42,750 --> 00:15:44,909 then you could attach a debugger to it. 422 00:15:44,910 --> 00:15:47,159 One, the main program, if it's being 423 00:15:47,160 --> 00:15:49,709 hacked, could just use ptrace 424 00:15:49,710 --> 00:15:51,809 to overwrite the 425 00:15:51,810 --> 00:15:54,239 code or code execution flow in the broker 426 00:15:54,240 --> 00:15:56,169 and just make it do anything it wants. 427 00:15:56,170 --> 00:15:58,529 So this is more tricky than I'm 428 00:15:58,530 --> 00:16:00,299 letting on here. 429 00:16:00,300 --> 00:16:02,130 So let's get to the dirty details 430 00:16:03,900 --> 00:16:05,249 first. The old school way. 431 00:16:05,250 --> 00:16:07,679 This is what ping is supposed 432 00:16:07,680 --> 00:16:09,809 to do. I'm like, let's let's 433 00:16:09,810 --> 00:16:12,389 say in the 90s, this is 434 00:16:12,390 --> 00:16:14,099 what we used to do in the 90s. 
435 00:16:14,100 --> 00:16:16,169 Basically what you have is you have two 436 00:16:16,170 --> 00:16:18,659 IDs in the process 437 00:16:18,660 --> 00:16:20,439 data structure in the operating system 438 00:16:20,440 --> 00:16:21,629 and like some structure somewhere in the 439 00:16:21,630 --> 00:16:23,669 kernel. And it says, well, you have the 440 00:16:23,670 --> 00:16:25,649 real UID and you have the effective 441 00:16:25,650 --> 00:16:26,849 UID. 442 00:16:26,850 --> 00:16:29,069 And if the program is run, 443 00:16:29,070 --> 00:16:31,379 it's setuid, then the effective 444 00:16:31,380 --> 00:16:33,539 user ID is the one 445 00:16:33,540 --> 00:16:36,059 that the binary is setuid to. 446 00:16:36,060 --> 00:16:37,499 So that means if the program does 447 00:16:37,500 --> 00:16:38,879 anything, the kernel doesn't actually 448 00:16:38,880 --> 00:16:40,019 look at the real UID. 449 00:16:40,020 --> 00:16:42,179 It looks at the effective UID. 450 00:16:42,180 --> 00:16:44,279 So let's say you understand this 451 00:16:44,280 --> 00:16:45,599 and you want to drop your privileges, 452 00:16:45,600 --> 00:16:48,029 then you could just say set 453 00:16:48,030 --> 00:16:49,019 effective UID 454 00:16:49,020 --> 00:16:52,229 to getuid, to drop back to 455 00:16:52,230 --> 00:16:54,419 the the actual the real user 456 00:16:54,420 --> 00:16:55,949 ID. And you would think that's enough, 457 00:16:55,950 --> 00:16:56,950 right. 
458 00:16:57,690 --> 00:16:59,729 And it turns out, no, it's not enough, 459 00:16:59,730 --> 00:17:01,889 because at some point there's 460 00:17:01,890 --> 00:17:04,108 a saved UID that allows you to 461 00:17:04,109 --> 00:17:06,358 go back even after someone tried 462 00:17:06,359 --> 00:17:09,088 to drop privileges and 463 00:17:09,089 --> 00:17:11,189 this is at some point 464 00:17:11,190 --> 00:17:13,469 the various versions of Unix 465 00:17:13,470 --> 00:17:15,539 and BSD diverged on 466 00:17:15,540 --> 00:17:16,108 this point. 467 00:17:16,109 --> 00:17:18,749 So it was for a time, it was pretty hard 468 00:17:18,750 --> 00:17:20,189 to write code that does it right. 469 00:17:21,420 --> 00:17:23,818 At some point a new API was invented. 470 00:17:23,819 --> 00:17:25,200 It's called setresuid. 471 00:17:26,579 --> 00:17:28,769 You can set all three user 472 00:17:28,770 --> 00:17:31,169 IDs with this, and that's actually 473 00:17:31,170 --> 00:17:33,089 OK. That's a good way to drop privileges. 474 00:17:33,090 --> 00:17:35,249 However, it's not enough to do 475 00:17:35,250 --> 00:17:35,489 this. 476 00:17:35,490 --> 00:17:36,990 You need to check the return value 477 00:17:38,640 --> 00:17:40,979 and if you don't, things 478 00:17:40,980 --> 00:17:42,539 can go badly. 479 00:17:42,540 --> 00:17:44,849 Also, it may not be enough to 480 00:17:44,850 --> 00:17:47,249 to reset the user ID. 481 00:17:47,250 --> 00:17:48,869 There may be group IDs that are 482 00:17:48,870 --> 00:17:50,209 privileged too. 483 00:17:50,210 --> 00:17:52,499 So the devil is all in the details 484 00:17:52,500 --> 00:17:54,629 here. So what can happen if 485 00:17:54,630 --> 00:17:56,779 I'm the super user and I want to 486 00:17:56,780 --> 00:17:58,499 setresuid with some user ID? 487 00:17:58,500 --> 00:17:59,640 How can this ever fail? 
488 00:18:00,870 --> 00:18:03,119 There is system wide, limited 489 00:18:03,120 --> 00:18:04,809 resource limits for UID. 490 00:18:04,810 --> 00:18:06,929 So there could be a limit that 491 00:18:06,930 --> 00:18:08,969 there can only be 10 processes for a given 492 00:18:08,970 --> 00:18:09,989 UID 493 00:18:09,990 --> 00:18:11,009 and if that UID 494 00:18:11,010 --> 00:18:13,319 already has 10 processes running and 495 00:18:13,320 --> 00:18:15,329 root is trying to drop privileges to that 496 00:18:15,330 --> 00:18:17,279 UID, then that will fail. 497 00:18:17,280 --> 00:18:18,869 And if you don't check the return value 498 00:18:18,870 --> 00:18:20,819 at that point, you might as well not have 499 00:18:20,820 --> 00:18:22,170 dropped privileges in the first place. 500 00:18:23,670 --> 00:18:25,859 So if you do any of this, be very 501 00:18:25,860 --> 00:18:28,289 careful to understand 502 00:18:28,290 --> 00:18:29,939 all side effects and things you have to 503 00:18:29,940 --> 00:18:30,940 watch out for. 504 00:18:32,370 --> 00:18:34,019 It actually used to be even worse than 505 00:18:34,020 --> 00:18:36,179 that because there was different 506 00:18:36,180 --> 00:18:38,459 calls, setreuid, that 507 00:18:38,460 --> 00:18:40,079 looked like it was the right thing, but 508 00:18:40,080 --> 00:18:40,979 it doesn't. 509 00:18:40,980 --> 00:18:43,349 And in many programs today, 510 00:18:43,350 --> 00:18:46,229 you'll find backwards compatibility 511 00:18:46,230 --> 00:18:48,329 code if setresuid is not found 512 00:18:48,330 --> 00:18:49,379 by configure. 513 00:18:49,380 --> 00:18:51,539 And in many cases that code path is 514 00:18:51,540 --> 00:18:53,969 pretty bad. 
So my advice 515 00:18:53,970 --> 00:18:56,039 is if someone tries to build 516 00:18:56,040 --> 00:18:57,929 your program on a system that doesn't 517 00:18:57,930 --> 00:18:59,609 have setresuid, then just fail to 518 00:18:59,610 --> 00:19:02,239 build, we need to get this everywhere. 519 00:19:02,240 --> 00:19:04,259 There's no way even so. 520 00:19:04,260 --> 00:19:05,969 Well, let me give you an example. 521 00:19:05,970 --> 00:19:08,129 This is from an airport security advisory 522 00:19:08,130 --> 00:19:09,130 a while ago. 523 00:19:10,150 --> 00:19:12,479 It says, basically, the issue was 524 00:19:12,480 --> 00:19:14,909 that the set rigid 525 00:19:14,910 --> 00:19:16,869 system call failed to drop privileges. 526 00:19:17,880 --> 00:19:19,589 Well, that's what it's there for. 527 00:19:19,590 --> 00:19:21,749 Right. So be very careful 528 00:19:21,750 --> 00:19:24,209 with this, actually test that it works 529 00:19:24,210 --> 00:19:26,339 and make sure 530 00:19:26,340 --> 00:19:27,660 you check all the return values. 531 00:19:29,530 --> 00:19:31,059 So what if we have actually dropped 532 00:19:31,060 --> 00:19:33,579 privileges? Let's say we are ping 533 00:19:33,580 --> 00:19:35,799 and we get a raw socket 534 00:19:35,800 --> 00:19:37,059 in the beginning and then we drop 535 00:19:37,060 --> 00:19:38,979 privileges and then someone attacks us 536 00:19:38,980 --> 00:19:41,049 successfully, then 537 00:19:41,050 --> 00:19:42,699 maybe we're not running as root anymore. 538 00:19:42,700 --> 00:19:43,700 But 539 00:19:44,860 --> 00:19:47,259 what happens if all the attacker 540 00:19:47,260 --> 00:19:49,279 wanted was the raw socket? 541 00:19:49,280 --> 00:19:50,280 We still have that. 542 00:19:51,160 --> 00:19:53,349 So dropping privileges more 543 00:19:53,350 --> 00:19:55,069 than going back to you.
544 00:19:56,290 --> 00:19:58,479 Also, the 545 00:19:58,480 --> 00:20:00,519 concept of, well, we do the dangerous 546 00:20:00,520 --> 00:20:02,679 stuff first may be more difficult than 547 00:20:02,680 --> 00:20:04,479 it looks like. So, for example, what 548 00:20:04,480 --> 00:20:06,609 about parsing command line arguments? 549 00:20:06,610 --> 00:20:08,769 You can have bugs. They're actually the 550 00:20:08,770 --> 00:20:11,169 you served back there and they said, 551 00:20:11,170 --> 00:20:13,269 well, we have to do that first and 552 00:20:13,270 --> 00:20:15,399 then we do the hardware and stuff 553 00:20:15,400 --> 00:20:16,750 and then we drop our privileges. 554 00:20:17,770 --> 00:20:19,959 So this is dangerous, to parse command 555 00:20:19,960 --> 00:20:21,009 line arguments. 556 00:20:21,010 --> 00:20:23,139 And what if the 557 00:20:23,140 --> 00:20:25,029 attacker is using environment variables, 558 00:20:28,510 --> 00:20:30,289 what if the bug is in the dynamic linker? 559 00:20:30,290 --> 00:20:32,119 There are examples of this too. 560 00:20:32,120 --> 00:20:33,939 So that's before even your main is 561 00:20:33,940 --> 00:20:34,899 running. 562 00:20:34,900 --> 00:20:37,509 So dropping privileges is 563 00:20:37,510 --> 00:20:39,160 it's a harder concept than it looks like. 564 00:20:41,500 --> 00:20:43,179 And if all the attacker wanted, as I 565 00:20:43,180 --> 00:20:45,039 said, is the raw socket, then there's 566 00:20:45,040 --> 00:20:45,999 not much you can do. 567 00:20:46,000 --> 00:20:47,319 The code still has to be good. 568 00:20:50,010 --> 00:20:51,239 So let's talk about privilege 569 00:20:51,240 --> 00:20:52,409 separation.
570 00:20:52,410 --> 00:20:54,299 Let's say you have a web server and it 571 00:20:54,300 --> 00:20:56,459 wants to convert uploaded images 572 00:20:56,460 --> 00:20:59,129 to, let's say, create thumbnails or 573 00:20:59,130 --> 00:21:01,709 make sure it's all a JPEG without 574 00:21:01,710 --> 00:21:03,959 metadata or whatever you want 575 00:21:03,960 --> 00:21:06,269 to remove EXIF, something 576 00:21:06,270 --> 00:21:07,499 like that. 577 00:21:07,500 --> 00:21:09,689 But the way to do that would be to 578 00:21:09,690 --> 00:21:11,759 support all these image formats and 579 00:21:11,760 --> 00:21:12,999 nobody wants to write that code. 580 00:21:13,000 --> 00:21:15,479 So what people do is download libraries 581 00:21:15,480 --> 00:21:17,459 to do that. And those are big pieces of 582 00:21:17,460 --> 00:21:19,439 code. Many of them have had security 583 00:21:19,440 --> 00:21:20,879 problems in the past. 584 00:21:20,880 --> 00:21:23,159 There are basically not many reasons 585 00:21:23,160 --> 00:21:24,809 to trust them now. 586 00:21:24,810 --> 00:21:27,659 So that might be a good idea 587 00:21:27,660 --> 00:21:28,899 for privilege separation. 588 00:21:28,900 --> 00:21:30,989 You move that in a separate process 589 00:21:30,990 --> 00:21:33,149 and that process has no privileges and 590 00:21:33,150 --> 00:21:35,099 it doesn't have to access the file system 591 00:21:35,100 --> 00:21:37,229 in any way because it gets the 592 00:21:37,230 --> 00:21:39,359 image over some socket or pipe or whatever 593 00:21:39,360 --> 00:21:41,699 and gives you the result back over another 594 00:21:41,700 --> 00:21:43,289 socket. So this could be locked down.
595 00:21:46,750 --> 00:21:48,759 There's a difference between using all 596 00:21:48,760 --> 00:21:50,739 the libraries directly and using some 597 00:21:50,740 --> 00:21:52,419 kind of wrapper around them, which is 598 00:21:52,420 --> 00:21:54,219 even more popular, something like 599 00:21:54,220 --> 00:21:56,499 ImageMagick. In any case, 600 00:21:56,500 --> 00:21:58,059 no matter how you do it, that's a huge 601 00:21:58,060 --> 00:21:59,559 code base that shouldn't really be 602 00:21:59,560 --> 00:22:01,809 trusted. So if you do this 603 00:22:01,810 --> 00:22:03,459 at some point, that might be a good idea 604 00:22:03,460 --> 00:22:04,930 to think about separation. 605 00:22:06,740 --> 00:22:08,629 So the idea is to move all that image 606 00:22:08,630 --> 00:22:10,759 manipulation stuff in a separate process 607 00:22:10,760 --> 00:22:12,249 and lock that process down. 608 00:22:15,820 --> 00:22:17,949 So by locking down, what do we mean by 609 00:22:17,950 --> 00:22:20,079 that? And so the 610 00:22:20,080 --> 00:22:22,059 obvious things are the filesystem access, 611 00:22:22,060 --> 00:22:24,159 obviously, System V IPC, other 612 00:22:24,160 --> 00:22:26,979 processes, inter-process communication, 613 00:22:26,980 --> 00:22:29,139 make sure no new 614 00:22:29,140 --> 00:22:31,269 channels of IPC can be opened. 615 00:22:31,270 --> 00:22:33,189 Only the ones you gave the process when 616 00:22:33,190 --> 00:22:35,689 you created it can still be used 617 00:22:35,690 --> 00:22:37,509 if you want to limit network access, 618 00:22:37,510 --> 00:22:40,059 because if the attacker can get 619 00:22:40,060 --> 00:22:42,159 a shell, then maybe 620 00:22:42,160 --> 00:22:44,349 it wants to create a little shell 621 00:22:44,350 --> 00:22:46,689 and a network socket, even if it doesn't 622 00:22:46,690 --> 00:22:48,069 have access to /bin/sh. 623 00:22:48,070 --> 00:22:50,229 And that might still be bad that you 624 00:22:50,230 --> 00:22:51,939 need.
That needs to go away. 625 00:22:51,940 --> 00:22:53,649 Maybe there's a routing problem. 626 00:22:53,650 --> 00:22:55,509 So the service is only supposed to be a 627 00:22:55,510 --> 00:22:57,909 microservice that's visible from 628 00:22:57,910 --> 00:23:00,489 your one host in the DMZ, 629 00:23:00,490 --> 00:23:02,379 but it has a default route somewhere that 630 00:23:02,380 --> 00:23:03,489 doesn't need to be there. 631 00:23:03,490 --> 00:23:05,109 So maybe that could be locked 632 00:23:05,110 --> 00:23:07,479 down. Too many 633 00:23:07,480 --> 00:23:07,869 ideas. 634 00:23:07,870 --> 00:23:09,039 What you could try to lock down 635 00:23:11,200 --> 00:23:13,039 common approaches for this is either 636 00:23:13,040 --> 00:23:15,339 namespaces or a 637 00:23:15,340 --> 00:23:16,359 prison and a guard. 638 00:23:16,360 --> 00:23:18,549 So the namespace idea is 639 00:23:18,550 --> 00:23:20,169 that you put together some kind of fake 640 00:23:20,170 --> 00:23:22,539 file system that looks 641 00:23:22,540 --> 00:23:24,399 like a real file system but only has the 642 00:23:24,400 --> 00:23:26,619 parts in it that the process really 643 00:23:26,620 --> 00:23:27,620 needs. 644 00:23:29,320 --> 00:23:31,419 And that fake file system then 645 00:23:31,420 --> 00:23:33,609 becomes the actual file system that that 646 00:23:33,610 --> 00:23:35,099 process sees. 647 00:23:35,100 --> 00:23:37,059 This is one of the ways you can do this. 648 00:23:38,380 --> 00:23:39,609 And usually 649 00:23:40,690 --> 00:23:42,909 stuff like /etc/hosts 650 00:23:42,910 --> 00:23:45,129 or /etc/resolv.conf 651 00:23:45,130 --> 00:23:47,019 and stuff like that could be used if 652 00:23:47,020 --> 00:23:48,849 the process you're trying to lock 653 00:23:48,850 --> 00:23:51,129 down uses DNS lookups, for example. 654 00:23:51,130 --> 00:23:53,019 So these kind of files you would need in 655 00:23:53,020 --> 00:23:54,969 your fake file system, too.
656 00:23:54,970 --> 00:23:57,279 And if your fake file 657 00:23:57,280 --> 00:23:59,469 system is in /var/j1, you would 658 00:23:59,470 --> 00:24:01,719 have a file like 659 00:24:01,720 --> 00:24:03,459 /var/j1/etc/hosts. 660 00:24:06,770 --> 00:24:08,959 The namespace concept can also be used 661 00:24:08,960 --> 00:24:11,329 for UIDs and PIDs, so 662 00:24:11,330 --> 00:24:14,029 the difference here would be if you have 663 00:24:14,030 --> 00:24:16,639 something like a container and 664 00:24:16,640 --> 00:24:18,319 in that container there's an init 665 00:24:18,320 --> 00:24:20,709 running, would that init have 666 00:24:20,710 --> 00:24:22,879 the PID one or 667 00:24:22,880 --> 00:24:25,339 not, if you have more than one jail, 668 00:24:25,340 --> 00:24:27,739 can you have more than one one? 669 00:24:27,740 --> 00:24:29,839 So this is a detail question 670 00:24:29,840 --> 00:24:30,799 that may not matter. 671 00:24:30,800 --> 00:24:32,269 Maybe you don't even need an init in 672 00:24:32,270 --> 00:24:33,739 your jail. 673 00:24:33,740 --> 00:24:35,629 But if you have a namespace and 674 00:24:35,630 --> 00:24:38,269 every container has its own 675 00:24:38,270 --> 00:24:40,609 PID namespace, then there is no risk 676 00:24:40,610 --> 00:24:43,189 that any interaction like kill 677 00:24:43,190 --> 00:24:45,379 or any signals, 678 00:24:45,380 --> 00:24:47,509 any ptrace and anything 679 00:24:47,510 --> 00:24:49,279 that takes a PID could ever affect 680 00:24:49,280 --> 00:24:50,509 anything outside the jail. 681 00:24:55,010 --> 00:24:57,229 The other approach is to have some kind 682 00:24:57,230 --> 00:24:59,479 of prison, the 683 00:24:59,480 --> 00:25:01,579 best FreeBSD, he came up with the 684 00:25:01,580 --> 00:25:03,859 name jail for this, you have some kind 685 00:25:03,860 --> 00:25:06,019 of Unix permission checks during 686 00:25:06,020 --> 00:25:08,209 open.
This is done on Windows the same 687 00:25:08,210 --> 00:25:09,709 way. This is an old concept. 688 00:25:09,710 --> 00:25:11,659 If you can do open, you get a file 689 00:25:11,660 --> 00:25:13,219 descriptor back. And when you do read and 690 00:25:13,220 --> 00:25:15,379 write on that file descriptor, even if 691 00:25:15,380 --> 00:25:16,789 at that point you couldn't do the 692 00:25:16,790 --> 00:25:19,009 open again because you 693 00:25:19,010 --> 00:25:20,569 dropped privileges, if you have a file 694 00:25:20,570 --> 00:25:22,699 descriptor, you can still do what you 695 00:25:22,700 --> 00:25:24,439 were allowed to do at the time of the 696 00:25:24,440 --> 00:25:26,539 open. So all the access checks are 697 00:25:26,540 --> 00:25:28,789 actually done in open and not in read 698 00:25:28,790 --> 00:25:31,079 or write; all read or write checks is 699 00:25:31,080 --> 00:25:33,480 if the open asked for permission. 700 00:25:34,670 --> 00:25:36,859 So the idea would be that 701 00:25:36,860 --> 00:25:39,260 you disallow the open in the first place 702 00:25:40,430 --> 00:25:42,529 in the part you want to restrict, and 703 00:25:42,530 --> 00:25:44,149 then you have some kind of guard. 704 00:25:44,150 --> 00:25:46,639 And if the code that you want to restrict 705 00:25:46,640 --> 00:25:49,009 needs an open, it can talk to the guard 706 00:25:49,010 --> 00:25:51,319 and the guard or the broker service 707 00:25:51,320 --> 00:25:53,629 says, well, /etc/hosts 708 00:25:53,630 --> 00:25:55,609 for reading, that's OK. 709 00:25:55,610 --> 00:25:57,019 But /etc/hosts for writing, 710 00:25:57,020 --> 00:25:58,020 that's not OK. 711 00:25:59,270 --> 00:26:01,309 So this is the other way to do this.
712 00:26:02,660 --> 00:26:04,969 You can do pretty much the same thing 713 00:26:04,970 --> 00:26:07,909 for sockets, and 714 00:26:07,910 --> 00:26:10,099 as long as the end result is a file 715 00:26:10,100 --> 00:26:11,959 descriptor, it can be passed between 716 00:26:11,960 --> 00:26:14,060 processes using Unix domain sockets. 717 00:26:17,500 --> 00:26:18,759 So descriptor passing: 718 00:26:20,110 --> 00:26:22,209 the concept is easy, but how to do 719 00:26:22,210 --> 00:26:24,279 it is actually pretty crafty and 720 00:26:24,280 --> 00:26:26,319 I would advise against trying to do this 721 00:26:26,320 --> 00:26:27,729 yourself. 722 00:26:27,730 --> 00:26:29,859 Go find some code that does it, 723 00:26:29,860 --> 00:26:32,589 for example, you can use mine. 724 00:26:32,590 --> 00:26:35,079 It's available in this library. 725 00:26:35,080 --> 00:26:36,579 This is pretty hairy. You can look at it. 726 00:26:36,580 --> 00:26:38,769 It's like an ifdef desert. 727 00:26:38,770 --> 00:26:40,059 It's really horrible. 728 00:26:40,060 --> 00:26:42,009 I mean, you can try, but you probably 729 00:26:42,010 --> 00:26:43,659 won't run on some kind of operating 730 00:26:43,660 --> 00:26:44,629 system you never heard of. 731 00:26:44,630 --> 00:26:45,699 And it's bad. 732 00:26:45,700 --> 00:26:47,889 So this these 733 00:26:47,890 --> 00:26:49,989 it's just three lines of 734 00:26:49,990 --> 00:26:52,299 code, basically, but it's different. 735 00:26:52,300 --> 00:26:54,459 Three lines of code for almost every 736 00:26:54,460 --> 00:26:55,629 flavor of Unix out there. 737 00:26:55,630 --> 00:26:56,859 So it's pretty hairy. 738 00:26:58,540 --> 00:27:00,459 But if we abstract that away, then it 739 00:27:00,460 --> 00:27:01,460 should be OK. 740 00:27:02,740 --> 00:27:05,209 So how do we restrict filesystem access? 741 00:27:06,940 --> 00:27:09,009 The old solution is 742 00:27:09,010 --> 00:27:10,059 called chroot.
743 00:27:12,430 --> 00:27:14,529 What you do is you create an empty root 744 00:27:14,530 --> 00:27:16,779 and read-only directory, /var/jail or 745 00:27:16,780 --> 00:27:19,119 /var/empty or whatever you want to call it, 746 00:27:19,120 --> 00:27:21,279 and then in the service you say 747 00:27:21,280 --> 00:27:23,499 chdir to that root, that empty 748 00:27:23,500 --> 00:27:25,449 directory. Then you close all the open 749 00:27:25,450 --> 00:27:26,450 files. 750 00:27:27,990 --> 00:27:29,879 You say chroot to the same 751 00:27:29,880 --> 00:27:32,309 directory and then you drop privileges 752 00:27:32,310 --> 00:27:33,899 because if you drop privileges first, 753 00:27:33,900 --> 00:27:35,549 chroot cannot be done, chroot 754 00:27:35,550 --> 00:27:37,259 needs root privileges. 755 00:27:38,760 --> 00:27:40,229 So this is part of the stuff that needs 756 00:27:40,230 --> 00:27:42,929 to be done before dropping privileges. 757 00:27:42,930 --> 00:27:44,549 So let's say you do this and then the 758 00:27:44,550 --> 00:27:47,069 process tries to open foo, 759 00:27:47,070 --> 00:27:48,869 then this foo will be relative to the 760 00:27:48,870 --> 00:27:50,189 current path. 761 00:27:50,190 --> 00:27:51,779 That is obvious. 762 00:27:51,780 --> 00:27:53,689 But if you tried to open 763 00:27:53,690 --> 00:27:56,069 ../foo, that 764 00:27:56,070 --> 00:27:58,079 doesn't work because that's the one thing 765 00:27:58,080 --> 00:27:59,609 chroot makes sure doesn't work 766 00:28:00,630 --> 00:28:03,059 or if it's a symbolic link that contains 767 00:28:03,060 --> 00:28:04,979 dot, dot, slash, that also doesn't work 768 00:28:04,980 --> 00:28:07,139 so that you can't escape 769 00:28:07,140 --> 00:28:09,539 from this part of the file system unless 770 00:28:09,540 --> 00:28:11,249 you have an open descriptor that already 771 00:28:11,250 --> 00:28:12,799 points outside the file system.
772 00:28:15,930 --> 00:28:18,179 So that sounds pretty peachy, it's 773 00:28:18,180 --> 00:28:19,979 all rainbows and unicorns, but no, it's 774 00:28:19,980 --> 00:28:22,469 not, you can escape a chroot jail 775 00:28:22,470 --> 00:28:24,779 if you are root yourself, 776 00:28:24,780 --> 00:28:26,759 because then chroot does 777 00:28:26,760 --> 00:28:28,289 not nest on your earnings. 778 00:28:28,290 --> 00:28:29,789 So if you would do a different 779 00:28:29,790 --> 00:28:32,129 chroot while holding a file descriptor 780 00:28:32,130 --> 00:28:33,270 to your chroot, 781 00:28:34,350 --> 00:28:35,350 you're out. 782 00:28:35,970 --> 00:28:37,979 This is the code that does it, just so 783 00:28:37,980 --> 00:28:38,980 you've seen it once. 784 00:28:40,470 --> 00:28:41,470 Um. 785 00:28:43,080 --> 00:28:45,249 So if a process inside the chroot 786 00:28:45,250 --> 00:28:48,089 environment can or can obtain 787 00:28:48,090 --> 00:28:49,829 it has or can obtain a handle or 788 00:28:49,830 --> 00:28:51,719 descriptor to a directory outside the 789 00:28:51,720 --> 00:28:53,400 jail, it can escape the chroot, 790 00:28:54,510 --> 00:28:56,789 either with chdir or with fchdir 791 00:28:56,790 --> 00:28:57,929 in this case. 792 00:28:57,930 --> 00:28:59,999 So that's the chdir is 793 00:29:00,000 --> 00:29:01,000 the second way. 794 00:29:02,810 --> 00:29:04,639 chroot itself does not 795 00:29:04,640 --> 00:29:06,889 chdir, you have to do both, if 796 00:29:06,890 --> 00:29:09,679 you don't do both then it's ineffective 797 00:29:09,680 --> 00:29:12,199 and you need to check the return values 798 00:29:12,200 --> 00:29:13,200 again, 799 00:29:15,200 --> 00:29:17,179 even if you are confined to a 800 00:29:17,180 --> 00:29:17,659 chroot.
801 00:29:17,660 --> 00:29:19,969 All it does is limit filesystem access, 802 00:29:19,970 --> 00:29:21,710 sockets and 803 00:29:22,880 --> 00:29:24,959 signals and stuff still work. 804 00:29:24,960 --> 00:29:26,929 So it's not a good solution and only is 805 00:29:26,930 --> 00:29:28,819 for filesystem. It's not comprehensive. 806 00:29:28,820 --> 00:29:29,820 You need to do more. 807 00:29:32,110 --> 00:29:34,959 More trouble with chroot is that 808 00:29:34,960 --> 00:29:37,659 library functions might access 809 00:29:37,660 --> 00:29:39,069 files without telling you first. 810 00:29:39,070 --> 00:29:41,559 The most notorious is the DNS 811 00:29:41,560 --> 00:29:43,899 APIs, gethostbyname, 812 00:29:43,900 --> 00:29:45,549 depending on the operating system. 813 00:29:45,550 --> 00:29:47,859 They may try to open a ton of files 814 00:29:47,860 --> 00:29:49,989 like resolv.conf and 815 00:29:49,990 --> 00:29:52,659 resolve conflicts of interest 816 00:29:52,660 --> 00:29:53,739 or whatever. 817 00:29:53,740 --> 00:29:55,989 So you have to look at what 818 00:29:55,990 --> 00:29:57,879 the libc you're using actually tries to 819 00:29:57,880 --> 00:30:00,009 open here, too, and make sure those files 820 00:30:00,010 --> 00:30:02,199 are in the chroot jail, too. 821 00:30:04,150 --> 00:30:06,139 Particularly troublesome for this is if 822 00:30:06,140 --> 00:30:08,229 the program you're trying to jail isn't 823 00:30:08,230 --> 00:30:10,719 written in a compiled language, 824 00:30:10,720 --> 00:30:12,939 but, say, Perl, and Perl 825 00:30:12,940 --> 00:30:15,099 may try to open some other like 826 00:30:15,100 --> 00:30:17,259 modules if the program starts 827 00:30:17,260 --> 00:30:19,269 with use something something, some kind 828 00:30:19,270 --> 00:30:21,069 of Perl module, then Perl will try to 829 00:30:21,070 --> 00:30:22,989 load that, or Python is the same thing. 830 00:30:22,990 --> 00:30:24,909 So scripting languages are pretty tricky.
831 00:30:24,910 --> 00:30:26,739 You would have to have all this Perl code 832 00:30:26,740 --> 00:30:28,959 in the jail, in the chroot 833 00:30:28,960 --> 00:30:31,659 environment, too, so Perl can load it. 834 00:30:31,660 --> 00:30:33,969 And at that point, the risk that 835 00:30:33,970 --> 00:30:35,919 someone in the jail could modify those 836 00:30:35,920 --> 00:30:37,279 files. 837 00:30:37,280 --> 00:30:39,369 Right. So the file permissions have to be 838 00:30:39,370 --> 00:30:41,859 carefully watched. 839 00:30:41,860 --> 00:30:43,959 And even worse, usually the 840 00:30:43,960 --> 00:30:46,059 way to put the files in the 841 00:30:46,060 --> 00:30:48,219 jail is to hardlink them. 842 00:30:48,220 --> 00:30:49,929 So if you do a hard link and someone 843 00:30:49,930 --> 00:30:51,999 modifies the file in the 844 00:30:52,000 --> 00:30:54,339 chroot jail, that also modifies the file 845 00:30:54,340 --> 00:30:55,349 outside the jail. 846 00:30:56,380 --> 00:30:57,999 So even if they don't manage to leave the 847 00:30:58,000 --> 00:31:00,519 jail, they might still 848 00:31:00,520 --> 00:31:02,049 compromise your system. 849 00:31:02,050 --> 00:31:03,429 So you have to be very careful about 850 00:31:03,430 --> 00:31:04,430 this. 851 00:31:07,750 --> 00:31:09,909 So let's get to the solutions different 852 00:31:09,910 --> 00:31:12,219 operating systems have for this, 853 00:31:12,220 --> 00:31:14,319 one of the first ideas, and I think 854 00:31:14,320 --> 00:31:15,909 it's a pretty good idea, is the BSD 855 00:31:15,910 --> 00:31:17,199 securelevel. 856 00:31:17,200 --> 00:31:19,569 So it's basically the same idea 857 00:31:19,570 --> 00:31:21,699 as I talked 858 00:31:21,700 --> 00:31:22,719 about inside the process. 859 00:31:22,720 --> 00:31:24,729 You do the dangerous stuff first, like 860 00:31:24,730 --> 00:31:26,889 mounting filesystems and doing 861 00:31:26,890 --> 00:31:28,839 a filesystem check.
862 00:31:28,840 --> 00:31:31,629 Those need to be able to access a raw 863 00:31:31,630 --> 00:31:33,339 device, a block device. 864 00:31:33,340 --> 00:31:35,619 But after you do filesystem check, maybe 865 00:31:35,620 --> 00:31:36,699 you don't need it anymore. It's a 866 00:31:36,700 --> 00:31:38,619 production server, so you might as well 867 00:31:38,620 --> 00:31:40,809 turn off the capability in 868 00:31:40,810 --> 00:31:43,239 the whole system to open raw 869 00:31:43,240 --> 00:31:45,319 block devices, and securelevel 870 00:31:45,320 --> 00:31:46,779 can do this, basically. 871 00:31:46,780 --> 00:31:48,789 You can only increase it, only root can 872 00:31:48,790 --> 00:31:50,889 increase it and nobody can decrease 873 00:31:50,890 --> 00:31:52,209 it without rebooting. 874 00:31:52,210 --> 00:31:53,499 That's the idea. 875 00:31:53,500 --> 00:31:55,149 That also means you have to disallow 876 00:31:55,150 --> 00:31:57,219 access to /dev/kmem and stuff 877 00:31:57,220 --> 00:31:59,319 like that and securelevel 878 00:31:59,320 --> 00:32:00,320 does that too. 879 00:32:03,760 --> 00:32:06,139 Then I talked about change jail, 880 00:32:06,140 --> 00:32:08,069 something like chroot on steroids, 881 00:32:09,100 --> 00:32:11,619 jails have their own filesystem rules 882 00:32:11,620 --> 00:32:13,509 and additionally, you can set IP 883 00:32:13,510 --> 00:32:15,459 addresses for different jails. 884 00:32:15,460 --> 00:32:17,799 So in the end, you can have a root 885 00:32:17,800 --> 00:32:20,409 user in the jail. 886 00:32:20,410 --> 00:32:23,059 But without the problems that 887 00:32:23,060 --> 00:32:25,179 a root in a chroot environment has. 888 00:32:25,180 --> 00:32:27,069 So the root in the jail isn't 889 00:32:27,070 --> 00:32:28,659 actually considered root in the whole 890 00:32:28,660 --> 00:32:29,859 system.
891 00:32:29,860 --> 00:32:31,899 It's like a middle thing and there is 892 00:32:31,900 --> 00:32:33,429 some kind of namespace stuff. 893 00:32:33,430 --> 00:32:35,619 This is still in progress. 894 00:32:35,620 --> 00:32:37,030 Jails are being extended 895 00:32:38,350 --> 00:32:39,339 right now, basically. 896 00:32:39,340 --> 00:32:41,529 So keep a watch on the 897 00:32:41,530 --> 00:32:42,619 capabilities of jails. 898 00:32:42,620 --> 00:32:43,660 They're still being worked on. 899 00:32:46,150 --> 00:32:48,639 The admin that sets up those jails can 900 00:32:48,640 --> 00:32:51,309 specify, for example, if System V 901 00:32:51,310 --> 00:32:53,559 IPC access is allowed 902 00:32:53,560 --> 00:32:55,809 or sockets are allowed 903 00:32:55,810 --> 00:32:57,249 and things like that. 904 00:32:57,250 --> 00:32:58,789 So this is a pretty good thing. 905 00:32:58,790 --> 00:33:01,239 And it has been used for building 906 00:33:01,240 --> 00:33:03,519 a container style 907 00:33:03,520 --> 00:33:05,619 hosting on FreeBSD 908 00:33:05,620 --> 00:33:06,620 for a while now. 909 00:33:10,170 --> 00:33:12,569 One of the problems with 910 00:33:12,570 --> 00:33:14,339 well, maybe it's not a problem, but 911 00:33:14,340 --> 00:33:16,499 it makes me feel a bit uneasy is 912 00:33:16,500 --> 00:33:18,539 that there are no actual namespaces. 913 00:33:18,540 --> 00:33:20,999 It's like a flag on 914 00:33:21,000 --> 00:33:22,799 the process. 915 00:33:22,800 --> 00:33:24,899 They extended the structure 916 00:33:24,900 --> 00:33:26,969 in the kernel for a process to say this is 917 00:33:26,970 --> 00:33:29,039 relative to jail five. 918 00:33:29,040 --> 00:33:31,289 So theoretically, you could still 919 00:33:31,290 --> 00:33:33,839 say kill five and 920 00:33:33,840 --> 00:33:35,249 five is outside your jail. 921 00:33:35,250 --> 00:33:37,019 But there is a check for that.
922 00:33:37,020 --> 00:33:38,459 But it still means there has to be a 923 00:33:38,460 --> 00:33:40,529 check at every place where you do 924 00:33:40,530 --> 00:33:42,479 something with PIDs in the kernel. 925 00:33:42,480 --> 00:33:45,029 So that's I think it's a bit risky, but 926 00:33:45,030 --> 00:33:46,679 apparently it's pretty stable and I'm not 927 00:33:46,680 --> 00:33:48,839 aware of any issues they had 928 00:33:48,840 --> 00:33:49,840 there. 929 00:33:51,180 --> 00:33:53,309 PID one is always init 930 00:33:53,310 --> 00:33:55,439 in the host, not in 931 00:33:55,440 --> 00:33:57,179 any of the jails. 932 00:33:57,180 --> 00:33:59,459 If you tried to kill one inside 933 00:33:59,460 --> 00:34:01,709 the jail, that fails because 934 00:34:01,710 --> 00:34:03,549 PID one does not belong to that jail. 935 00:34:03,550 --> 00:34:05,159 That does not work. So it's like a 936 00:34:05,160 --> 00:34:07,739 namespace light, you could say maybe. 937 00:34:07,740 --> 00:34:09,809 But it means if 938 00:34:09,810 --> 00:34:12,059 there are two processes in 939 00:34:12,060 --> 00:34:14,019 different jails, they can't have the same 940 00:34:14,020 --> 00:34:15,020 PID. 941 00:34:15,560 --> 00:34:17,529 That's like a slight info leak. 942 00:34:17,530 --> 00:34:19,819 No, it's not clear how much of 943 00:34:19,820 --> 00:34:21,468 a problem that is, but, you know, just to 944 00:34:21,469 --> 00:34:23,109 understand how that works. 945 00:34:26,880 --> 00:34:29,279 So let's get to the APIs to restrict 946 00:34:29,280 --> 00:34:30,569 what a process can do, 947 00:34:31,920 --> 00:34:34,079 Capsicum, the FreeBSD way for 948 00:34:34,080 --> 00:34:36,178 this and this is actually 949 00:34:36,179 --> 00:34:37,649 a pretty neat API.
950 00:34:37,650 --> 00:34:39,718 The whole idea is that you split 951 00:34:39,719 --> 00:34:41,819 off the broker service 952 00:34:41,820 --> 00:34:44,099 and you use Capsicum to make sure that 953 00:34:44,100 --> 00:34:46,559 all global namespace accesses 954 00:34:46,560 --> 00:34:49,198 like open file or 955 00:34:49,199 --> 00:34:50,999 create socket fail. 956 00:34:51,000 --> 00:34:53,249 And the only way to get descriptors 957 00:34:53,250 --> 00:34:55,379 to files you want to open is by going 958 00:34:55,380 --> 00:34:56,380 through the broker. 959 00:34:57,470 --> 00:34:59,659 I have to make sure that 960 00:34:59,660 --> 00:35:01,459 the there are some more restrictions, 961 00:35:01,460 --> 00:35:02,419 actually in Capsicum. 962 00:35:02,420 --> 00:35:05,089 For example, you can say ptrace 963 00:35:05,090 --> 00:35:08,209 is not allowed or 964 00:35:08,210 --> 00:35:10,639 you can say socket operations 965 00:35:10,640 --> 00:35:12,559 are only the only socket operations are 966 00:35:12,560 --> 00:35:14,389 allowed. So you can have some more 967 00:35:15,410 --> 00:35:16,699 fine-grained control. 968 00:35:16,700 --> 00:35:18,440 But it's not completely fine-grained. 969 00:35:19,460 --> 00:35:21,889 You can say, for example, Mr. 970 00:35:21,890 --> 00:35:23,089 Zijlaard, if you wanted to. 971 00:35:26,860 --> 00:35:29,169 OpenBSD came up with an API called 972 00:35:29,170 --> 00:35:30,170 tame. 973 00:35:30,910 --> 00:35:33,219 The idea is similar 974 00:35:33,220 --> 00:35:35,619 to Capsicum, but it restricts 975 00:35:35,620 --> 00:35:37,419 some more. 976 00:35:37,420 --> 00:35:39,609 My problem with this API is that 977 00:35:39,610 --> 00:35:41,889 they have these flags that they needed. 978 00:35:41,890 --> 00:35:44,109 And if you need some other way to 979 00:35:44,110 --> 00:35:46,539 restrict the process, you can.
980 00:35:46,540 --> 00:35:48,789 All you have is the flags 981 00:35:48,790 --> 00:35:50,919 that they provide 982 00:35:50,920 --> 00:35:52,059 for you. 983 00:35:52,060 --> 00:35:54,069 So it's not programmable. 984 00:35:54,070 --> 00:35:56,799 And you could say it's not as flexible as 985 00:35:56,800 --> 00:35:58,899 Linux, but if 986 00:35:58,900 --> 00:36:00,939 all you need is those flags and for most 987 00:36:00,940 --> 00:36:02,859 people that should be enough, then it's 988 00:36:02,860 --> 00:36:03,860 actually not that bad. 989 00:36:04,900 --> 00:36:07,029 The problem is that these are #defines. 990 00:36:07,030 --> 00:36:09,399 So if you want to support different 991 00:36:09,400 --> 00:36:11,469 versions of OpenBSD, then you 992 00:36:11,470 --> 00:36:12,909 have an ifdef hell. 993 00:36:12,910 --> 00:36:15,069 If this flag is available, then use 994 00:36:15,070 --> 00:36:16,209 it otherwise not so. 995 00:36:16,210 --> 00:36:18,459 Its portability is a bit bad. 996 00:36:18,460 --> 00:36:20,170 It feels a bit like a crutch to me. 997 00:36:21,310 --> 00:36:23,089 And the OpenBSD people agreed. 998 00:36:23,090 --> 00:36:25,359 So they have a new API now. 999 00:36:25,360 --> 00:36:26,409 It's called pledge. 1000 00:36:28,200 --> 00:36:29,459 And what you do with pledge is 1001 00:36:29,460 --> 00:36:31,649 basically the same as the flags, but 1002 00:36:31,650 --> 00:36:33,719 you put it in a string and that 1003 00:36:33,720 --> 00:36:35,909 string is then parsed by the kernel. 1004 00:36:35,910 --> 00:36:38,009 And if you try to pledge 1005 00:36:38,010 --> 00:36:39,149 something that the kernel doesn't 1006 00:36:39,150 --> 00:36:41,279 understand, then there is no ifdef 1007 00:36:41,280 --> 00:36:43,369 hell. However, the kernel needs to parse 1008 00:36:43,370 --> 00:36:45,779 strings now, which is also dangerous.
1009 00:36:45,780 --> 00:36:46,780 So 1010 00:36:47,850 --> 00:36:49,229 I'm not sure if this is actually an 1011 00:36:49,230 --> 00:36:51,699 advancement of our time. 1012 00:36:51,700 --> 00:36:53,879 But, you know, and it's there there 1013 00:36:53,880 --> 00:36:56,309 is one pretty good idea in pledge 1014 00:36:56,310 --> 00:36:57,899 that is in no other system. 1015 00:36:57,900 --> 00:36:59,999 You can also give a list of 1016 00:37:00,000 --> 00:37:02,369 paths and file system 1017 00:37:02,370 --> 00:37:05,249 accesses will only succeed 1018 00:37:05,250 --> 00:37:07,199 if the file name you're trying to open 1019 00:37:07,200 --> 00:37:09,479 is in one of those paths. 1020 00:37:09,480 --> 00:37:11,849 So you don't need to set up a jail 1021 00:37:11,850 --> 00:37:13,379 or a chroot environment. 1022 00:37:13,380 --> 00:37:15,539 You can say, you know, /etc/hosts 1023 00:37:15,540 --> 00:37:18,359 is OK, otherwise, 1024 00:37:18,360 --> 00:37:20,879 you know, my home directory is OK, 1025 00:37:20,880 --> 00:37:23,219 but all other /tmp 1026 00:37:23,220 --> 00:37:25,379 is OK, I guess that kind of 1027 00:37:25,380 --> 00:37:25,619 list. 1028 00:37:25,620 --> 00:37:27,719 But my program never needs to 1029 00:37:27,720 --> 00:37:30,839 look into, you know, /usr/bin, 1030 00:37:30,840 --> 00:37:33,119 for example. You could say that in pledge. 1031 00:37:33,120 --> 00:37:34,709 That's a pretty neat thing I would like 1032 00:37:34,710 --> 00:37:36,090 to see in the other APIs, too. 1033 00:37:37,870 --> 00:37:39,329 So let's come to Linux, 1034 00:37:41,260 --> 00:37:43,449 Linux has a pretty early 1035 00:37:43,450 --> 00:37:45,579 concept of capabilities, that was 1036 00:37:45,580 --> 00:37:47,589 from the time when we didn't think about 1037 00:37:47,590 --> 00:37:51,099 restricting more than 1038 00:37:51,100 --> 00:37:52,479 dropping privileges.
1039 00:37:52,480 --> 00:37:54,729 So the idea with capabilities is instead 1040 00:37:54,730 --> 00:37:56,589 of dropping privileges, we make sure we 1041 00:37:56,590 --> 00:37:58,029 don't give you a privilege you don't need 1042 00:37:58,030 --> 00:37:59,139 in the first place. 1043 00:37:59,140 --> 00:38:01,029 It never really took off. 1044 00:38:01,030 --> 00:38:03,199 So the idea was you could have a 1045 00:38:03,200 --> 00:38:05,409 ping that doesn't really have super user 1046 00:38:05,410 --> 00:38:07,719 privileges. It just has the part 1047 00:38:07,720 --> 00:38:09,969 it needs to create raw sockets. 1048 00:38:09,970 --> 00:38:12,069 It could, for example, 1049 00:38:12,070 --> 00:38:14,289 access the 1050 00:38:14,290 --> 00:38:15,489 disk device or something. 1051 00:38:18,190 --> 00:38:19,929 Never really got anywhere, as far as I 1052 00:38:19,930 --> 00:38:22,239 know, there's a combined thing 1053 00:38:22,240 --> 00:38:23,499 that's available in the U.S. 1054 00:38:23,500 --> 00:38:25,389 and then of is called systrace, it's also 1055 00:38:25,390 --> 00:38:26,390 pretty old. 1056 00:38:27,280 --> 00:38:29,499 The idea is that you have a wide profile 1057 00:38:29,500 --> 00:38:31,329 that says, for example, that Eskandar 1058 00:38:31,330 --> 00:38:33,369 opened your retail reading. 1059 00:38:33,370 --> 00:38:35,619 These are system calls and 1060 00:38:35,620 --> 00:38:37,809 write because it needs to to 1061 00:38:37,810 --> 00:38:39,760 write the output to send it out. 1062 00:38:41,380 --> 00:38:43,479 But if it tries to do anything aside from 1063 00:38:43,480 --> 00:38:45,369 that, an alarm is raised. 1064 00:38:45,370 --> 00:38:46,959 That's the idea with systrace. 1065 00:38:46,960 --> 00:38:49,029 However, the profile does not 1066 00:38:49,030 --> 00:38:50,679 come with the program and the program 1067 00:38:50,680 --> 00:38:52,449 cannot set its own profile.
1068 00:38:52,450 --> 00:38:54,369 This is something the admin provides or 1069 00:38:54,370 --> 00:38:56,020 that it's provided at installation time. 1070 00:38:58,880 --> 00:39:00,319 This is what a profile looks like in 1071 00:39:00,320 --> 00:39:01,320 practice. 1072 00:39:01,940 --> 00:39:03,169 You don't need to read the fine print 1073 00:39:03,170 --> 00:39:05,299 just to show you basically what 1074 00:39:05,300 --> 00:39:06,599 kind of what to expect. 1075 00:39:06,600 --> 00:39:08,359 It's it's a text file. 1076 00:39:10,560 --> 00:39:12,719 So systrace, the problem 1077 00:39:12,720 --> 00:39:15,719 is where does the profile come from? 1078 00:39:15,720 --> 00:39:17,729 So in the answer as well, the admin has 1079 00:39:17,730 --> 00:39:20,339 some kind of training training mode. 1080 00:39:20,340 --> 00:39:22,439 And I talked about the problems with 1081 00:39:22,440 --> 00:39:23,369 that earlier. 1082 00:39:23,370 --> 00:39:24,869 I don't think that's a good solution 1083 00:39:24,870 --> 00:39:27,059 because, you know, getting coverage 1084 00:39:27,060 --> 00:39:28,019 from a program 1085 00:39:28,020 --> 00:39:30,359 you wrote yourself is already hard 1086 00:39:30,360 --> 00:39:32,129 and most people can never get full 1087 00:39:32,130 --> 00:39:34,289 coverage with their unit tests. 1088 00:39:34,290 --> 00:39:36,029 How do you expect the admin that doesn't 1089 00:39:36,030 --> 00:39:37,769 know the code to do it? 1090 00:39:37,770 --> 00:39:39,749 So I think it's a it's a bad idea. 1091 00:39:42,650 --> 00:39:44,989 Then there is kernel patch 1092 00:39:44,990 --> 00:39:46,159 series called 1093 00:39:46,160 --> 00:39:48,409 grsecurity that offers 1094 00:39:48,410 --> 00:39:50,479 features that are 1095 00:39:50,480 --> 00:39:52,729 conceptually similar to systrace. 1096 00:39:52,730 --> 00:39:54,829 It's not part of the kernel, so I'm not 1097 00:39:54,830 --> 00:39:55,819 advocating it here.
1098 00:39:55,820 --> 00:39:57,919 I think if you want to have 1099 00:39:57,920 --> 00:40:00,079 this kind of thing, it should 1100 00:40:00,080 --> 00:40:02,239 be in the stock system and 1101 00:40:02,240 --> 00:40:03,919 not need any external stuff. 1102 00:40:03,920 --> 00:40:05,329 And it cannot be used to 1103 00:40:05,330 --> 00:40:06,330 self-sandbox. 1104 00:40:07,800 --> 00:40:09,719 And then there's SELinux that's also 1105 00:40:09,720 --> 00:40:11,399 pretty well known, it's conceptually the 1106 00:40:11,400 --> 00:40:12,689 same as systrace, it's a little more 1107 00:40:12,690 --> 00:40:14,849 powerful, but again, can't be used 1108 00:40:14,850 --> 00:40:15,930 to sandbox yourself. 1109 00:40:16,950 --> 00:40:17,249 AppArmor 1110 00:40:17,250 --> 00:40:18,989 is a little it's another not 1111 00:40:18,990 --> 00:40:20,369 invented here type of thing. 1112 00:40:20,370 --> 00:40:22,549 Does a similar thing also not used 1113 00:40:22,550 --> 00:40:24,569 for self sandboxing. 1114 00:40:24,570 --> 00:40:26,879 And the actual API for Linux you 1115 00:40:26,880 --> 00:40:28,949 would use to sandbox yourself is called seccomp 1116 00:40:28,950 --> 00:40:31,559 filter. It's based on seccomp. 1117 00:40:31,560 --> 00:40:33,419 And this is a start up business model 1118 00:40:33,420 --> 00:40:35,789 from 2005 when someone said, well, 1119 00:40:35,790 --> 00:40:38,129 you could sell your CPU cycles 1120 00:40:38,130 --> 00:40:40,759 for, say, scientific computing 1121 00:40:40,760 --> 00:40:43,409 and cloud computing or something. 1122 00:40:43,410 --> 00:40:45,599 But since you can't trust foreign 1123 00:40:45,600 --> 00:40:47,789 code, we'll make sure that the foreign 1124 00:40:47,790 --> 00:40:49,889 code can't do anything 1125 00:40:49,890 --> 00:40:51,179 and didn't catch on.
1126 00:40:51,180 --> 00:40:53,849 But on this basis, they invented 1127 00:40:53,850 --> 00:40:56,519 mode 2 or seccomp filter 1128 00:40:56,520 --> 00:40:59,129 and it uses Berkeley packet filters. 1129 00:40:59,130 --> 00:41:01,159 Who knows what the Berkeley packet filter 1130 00:41:01,160 --> 00:41:02,309 is? 1131 00:41:02,310 --> 00:41:04,400 OK, pretty much more than I expected. 1132 00:41:05,940 --> 00:41:08,189 It's a bytecode VM basically is really 1133 00:41:08,190 --> 00:41:09,190 horrible. 1134 00:41:10,110 --> 00:41:11,879 It's a step machine, very limited 1135 00:41:11,880 --> 00:41:13,229 instruction set. 1136 00:41:13,230 --> 00:41:15,179 There is tooling, but you have to look 1137 00:41:15,180 --> 00:41:16,710 for it and it's still pretty horrible. 1138 00:41:18,210 --> 00:41:20,459 But Linux kind of recently got a JIT 1139 00:41:20,460 --> 00:41:22,439 for it, so they figured it's fast. 1140 00:41:22,440 --> 00:41:23,440 We should use it more. 1141 00:41:24,510 --> 00:41:26,939 This is what the program looks like 1142 00:41:26,940 --> 00:41:27,940 in. 1143 00:41:28,570 --> 00:41:30,429 In tcpdump, which is what it was 1144 00:41:30,430 --> 00:41:32,499 actually intended for, if you say 1145 00:41:32,500 --> 00:41:34,689 port 22, then there's a little 1146 00:41:34,690 --> 00:41:36,859 bytecode compiled that looks at 1147 00:41:36,860 --> 00:41:39,219 the packet and says, OK, this is IP, 1148 00:41:39,220 --> 00:41:41,799 this is TCP or UDP 1149 00:41:41,800 --> 00:41:44,289 and there is a port 22. 1150 00:41:44,290 --> 00:41:45,909 So it's pretty gross. 1151 00:41:47,710 --> 00:41:50,229 And the idea with seccomp or 1152 00:41:50,230 --> 00:41:52,059 seccomp mode 2, seccomp filter is that 1153 00:41:52,060 --> 00:41:54,459 instead of a packet, you 1154 00:41:54,460 --> 00:41:56,979 give a memory buffer that contains 1155 00:41:56,980 --> 00:41:59,259 the syscall number and 1156 00:41:59,260 --> 00:42:01,269 all the arguments to the syscall.
1157 00:42:01,270 --> 00:42:02,949 And then you can write a little program 1158 00:42:02,950 --> 00:42:05,019 or bytecode that looks at these arguments 1159 00:42:05,020 --> 00:42:07,119 and says, no, this syscall, no, it's 1160 00:42:07,120 --> 00:42:08,549 not allowed. 1161 00:42:08,550 --> 00:42:10,659 There are some more details 1162 00:42:10,660 --> 00:42:12,099 going on. 1163 00:42:12,100 --> 00:42:14,259 But if it boils down 1164 00:42:14,260 --> 00:42:16,449 to this, you have some it's macro 1165 00:42:16,450 --> 00:42:17,889 hell and it's really horrible. 1166 00:42:17,890 --> 00:42:19,729 But I thought you should see it at least 1167 00:42:19,730 --> 00:42:20,730 once. 1168 00:42:21,580 --> 00:42:23,989 You would do something like allow 1169 00:42:23,990 --> 00:42:25,879 syscall open, allow syscall 1170 00:42:25,880 --> 00:42:28,029 exit. And that's it is the easy 1171 00:42:28,030 --> 00:42:29,889 mode. When you don't look at the 1172 00:42:29,890 --> 00:42:32,529 arguments, there's some trickery 1173 00:42:32,530 --> 00:42:34,899 that was 1174 00:42:34,900 --> 00:42:35,829 a security problem 1175 00:42:35,830 --> 00:42:37,959 in seccomp filter initially where 1176 00:42:37,960 --> 00:42:39,669 you would have a platform that allows 1177 00:42:39,670 --> 00:42:41,889 different kinds of binaries, 32 1178 00:42:41,890 --> 00:42:43,329 and 64 bit. So you have to do an 1179 00:42:43,330 --> 00:42:45,219 additional check. But never mind that 1180 00:42:45,220 --> 00:42:46,220 here. 1181 00:42:47,350 --> 00:42:49,029 And then you construct a program like 1182 00:42:49,030 --> 00:42:51,099 this, you have all 1183 00:42:51,100 --> 00:42:53,469 these jumps or BPF 1184 00:42:53,470 --> 00:42:55,899 statement, you see Valdese, 1185 00:42:55,900 --> 00:42:58,839 for example, is a load and 1186 00:42:58,840 --> 00:43:00,610 jump is a conditional jump. 1187 00:43:01,980 --> 00:43:04,030 RET says, OK, program is finished here.
1188 00:43:06,440 --> 00:43:08,509 And you set it up with prctl, which 1189 00:43:08,510 --> 00:43:10,639 is, as far as I know, nonspecific 1190 00:43:10,640 --> 00:43:11,640 seccomp. 1191 00:43:14,500 --> 00:43:16,839 The plus side is that it works, 1192 00:43:16,840 --> 00:43:19,089 and if you abstract it away, it doesn't 1193 00:43:19,090 --> 00:43:20,170 even smell that bad. 1194 00:43:21,340 --> 00:43:23,019 It's actually quite efficient because of 1195 00:43:23,020 --> 00:43:25,419 the JIT and it's reasonably 1196 00:43:25,420 --> 00:43:27,489 powerful on 1197 00:43:27,490 --> 00:43:30,159 on the control side. 1198 00:43:30,160 --> 00:43:32,409 What the hell were they thinking? 1199 00:43:32,410 --> 00:43:34,299 I mean, if you expect people to write 1200 00:43:34,300 --> 00:43:36,099 code like this, then the complexity of 1201 00:43:36,100 --> 00:43:38,169 the checking code shouldn't 1202 00:43:38,170 --> 00:43:39,729 approach the complexity of the code 1203 00:43:39,730 --> 00:43:40,689 you're trying to lock down. 1204 00:43:40,690 --> 00:43:42,249 Otherwise, you know, there will be bugs 1205 00:43:42,250 --> 00:43:43,250 in there. 1206 00:43:44,810 --> 00:43:46,959 There's all kinds of warts if you try to 1207 00:43:46,960 --> 00:43:49,029 use it, because for it, 1208 00:43:49,030 --> 00:43:51,159 for historic reasons, there's 1209 00:43:51,160 --> 00:43:53,469 different ways to do many things. 1210 00:43:53,470 --> 00:43:56,109 For example, exit versus exit_group 1211 00:43:56,110 --> 00:43:58,119 or mmap and mmap2 1212 00:43:59,200 --> 00:44:00,249 all kinds of stuff. 1213 00:44:00,250 --> 00:44:02,559 And in the end, what you usually do 1214 00:44:02,560 --> 00:44:04,479 is you allow both, even if only one of 1215 00:44:04,480 --> 00:44:06,339 them is called because they do the same 1216 00:44:06,340 --> 00:44:08,169 thing. But it's all the stuff you need to 1217 00:44:08,170 --> 00:44:09,760 know to use seccomp.
1218 00:44:10,810 --> 00:44:13,029 And for mmap, there's an actual 1219 00:44:13,030 --> 00:44:15,369 that's the worst problem because mmap has 1220 00:44:15,370 --> 00:44:16,929 more arguments than there were free 1221 00:44:16,930 --> 00:44:18,069 registers on 1222 00:44:18,070 --> 00:44:19,249 i386. 1223 00:44:19,250 --> 00:44:21,639 So the first mmap version of the 1224 00:44:21,640 --> 00:44:23,439 first version of the mmap syscall 1225 00:44:23,440 --> 00:44:25,599 didn't actually use the registers, 1226 00:44:25,600 --> 00:44:28,089 but it used a pointer to a buffer 1227 00:44:28,090 --> 00:44:30,399 and you can't inspect that buffer 1228 00:44:30,400 --> 00:44:31,819 from seccomp filter. 1229 00:44:31,820 --> 00:44:34,449 So if someone uses the old mmap, 1230 00:44:34,450 --> 00:44:36,819 there's no way to to 1231 00:44:36,820 --> 00:44:39,009 use seccomp to restrict that. 1232 00:44:39,010 --> 00:44:40,489 Look at the argument. So this is bad. 1233 00:44:40,490 --> 00:44:42,459 Unfortunately, you can use this in a 1234 00:44:42,460 --> 00:44:44,730 while, so you should be okay. 1235 00:44:47,260 --> 00:44:49,239 If you want to inspect arguments, it 1236 00:44:49,240 --> 00:44:51,369 looks like this, so in this case, 1237 00:44:51,370 --> 00:44:52,959 we have open and we want to make sure 1238 00:44:52,960 --> 00:44:55,119 only open for reading is allowed. 1239 00:44:55,120 --> 00:44:57,309 So, I mean, it's pretty ugly. 1240 00:44:57,310 --> 00:44:59,799 You can see that. But you can you can 1241 00:44:59,800 --> 00:45:02,769 attempt to abstract it away.
1242 00:45:02,770 --> 00:45:04,959 So let's say I want to allow open, but 1243 00:45:04,960 --> 00:45:07,209 only for /etc/resolv.conf, which 1244 00:45:07,210 --> 00:45:09,999 is a common thing you want to do, 1245 00:45:10,000 --> 00:45:11,919 can't be done with seccomp because you 1246 00:45:11,920 --> 00:45:14,139 can't inspect memory 1247 00:45:14,140 --> 00:45:16,329 and you may be asking why, why 1248 00:45:16,330 --> 00:45:18,399 don't they allow that? And even if 1249 00:45:18,400 --> 00:45:20,109 it could be done, it will still be 1250 00:45:20,110 --> 00:45:21,159 insecure. 1251 00:45:21,160 --> 00:45:22,809 And think of the scene 1252 00:45:23,890 --> 00:45:26,169 if you do the check first and say, OK, 1253 00:45:26,170 --> 00:45:28,359 this is resolv.conf 1254 00:45:28,360 --> 00:45:30,609 and then you allow the open syscall 1255 00:45:30,610 --> 00:45:32,799 to happen, then there's a time between 1256 00:45:32,800 --> 00:45:35,559 your check and the open where another 1257 00:45:35,560 --> 00:45:37,959 thread of the same process could change 1258 00:45:37,960 --> 00:45:39,069 the buffer. 1259 00:45:39,070 --> 00:45:41,289 So even if they allowed this check, 1260 00:45:41,290 --> 00:45:42,519 this wouldn't work. 1261 00:45:42,520 --> 00:45:45,339 So you can't inspect buffers 1262 00:45:45,340 --> 00:45:46,539 with seccomp filter. 1263 00:45:46,540 --> 00:45:48,759 And it's a good thing if you need 1264 00:45:48,760 --> 00:45:50,739 to do that, you need to do a broker 1265 00:45:50,740 --> 00:45:52,119 service, basically. 1266 00:45:53,470 --> 00:45:54,470 Um. 1267 00:45:56,020 --> 00:45:57,699 So you could there's some things you 1268 00:45:57,700 --> 00:45:58,719 could attempt.
1269 00:45:58,720 --> 00:46:00,099 So, for example, you could lock down 1270 00:46:00,100 --> 00:46:02,259 mmap and say it 1271 00:46:02,260 --> 00:46:04,839 has to be a read only page 1272 00:46:04,840 --> 00:46:06,939 for the argument or only 1273 00:46:06,940 --> 00:46:08,439 this address is allowed. 1274 00:46:08,440 --> 00:46:10,569 And when I set up the seccomp filter, then 1275 00:46:10,570 --> 00:46:12,099 only that address is allowed as an 1276 00:46:12,100 --> 00:46:14,169 argument, but it gets 1277 00:46:14,170 --> 00:46:16,269 really hairy and I wouldn't 1278 00:46:16,270 --> 00:46:17,949 advise for it. 1279 00:46:17,950 --> 00:46:19,929 So if we think about this, for example, 1280 00:46:19,930 --> 00:46:21,699 mprotect would be the syscall to 1281 00:46:21,700 --> 00:46:23,979 change read only map to a 1282 00:46:23,980 --> 00:46:25,419 map. So we would have to disallow that 1283 00:46:25,420 --> 00:46:26,420 too. 1284 00:46:27,460 --> 00:46:29,679 But you would have to make sure that if 1285 00:46:29,680 --> 00:46:31,809 someone calls munmap on an overlapping 1286 00:46:31,810 --> 00:46:33,909 area, that doesn't work. 1287 00:46:33,910 --> 00:46:35,779 So it gets really hairy really fast. 1288 00:46:35,780 --> 00:46:37,449 So let's say don't do this. 1289 00:46:37,450 --> 00:46:39,549 However, fortunately, 1290 00:46:39,550 --> 00:46:41,529 Linux is not Unix and doing this in the 1291 00:46:41,530 --> 00:46:43,809 broker is comparatively easy because 1292 00:46:43,810 --> 00:46:45,909 you can just do an open in 1293 00:46:45,910 --> 00:46:48,219 the broker and then look at the 1294 00:46:48,220 --> 00:46:50,379 full path of the file 1295 00:46:50,380 --> 00:46:51,670 via the file system. 1296 00:46:53,300 --> 00:46:55,009 So that would be one way to do it, 1297 00:46:55,010 --> 00:46:57,049 basically, or you use namespaces, 1298 00:46:57,050 --> 00:46:58,270 which is probably the better way.
1299 00:47:02,440 --> 00:47:04,749 So, yeah, basically, this 1300 00:47:04,750 --> 00:47:05,999 is how you would deal with a broker, 1301 00:47:07,480 --> 00:47:08,949 you have to ask yourself the question, 1302 00:47:08,950 --> 00:47:11,049 have we really locked anything down if 1303 00:47:11,050 --> 00:47:12,249 we do all this trouble? 1304 00:47:13,390 --> 00:47:15,279 Because let's say in the end, you have 1305 00:47:15,280 --> 00:47:17,379 something like Firefox 1306 00:47:17,380 --> 00:47:19,779 and there's a Save As 1307 00:47:19,780 --> 00:47:22,119 function in Firefox, and 1308 00:47:22,120 --> 00:47:24,249 the idea of that is to allow writing 1309 00:47:24,250 --> 00:47:26,259 anywhere in the file system. 1310 00:47:26,260 --> 00:47:27,260 How do you lock that down? 1311 00:47:28,410 --> 00:47:30,569 So even if you even if you put that 1312 00:47:30,570 --> 00:47:33,179 on the broker service, someone who 1313 00:47:33,180 --> 00:47:35,429 attacks Firefox could still 1314 00:47:35,430 --> 00:47:37,559 well, couldn't write, but it can ask 1315 00:47:37,560 --> 00:47:38,789 the broker service for writing. 1316 00:47:38,790 --> 00:47:40,859 And since it's the idea to 1317 00:47:40,860 --> 00:47:43,049 allow writing everywhere the 1318 00:47:43,050 --> 00:47:45,179 broker service will allow it or 1319 00:47:45,180 --> 00:47:47,459 let's say not us, but open 1320 00:47:47,460 --> 00:47:50,039 local files, you 1321 00:47:50,040 --> 00:47:52,139 are allowed to say open 1322 00:47:52,140 --> 00:47:54,149 and give a file to Firefox. 1323 00:47:54,150 --> 00:47:56,579 So the broker would have to allow opening 1324 00:47:56,580 --> 00:47:57,689 files. 1325 00:47:57,690 --> 00:48:00,029 And that means even files 1326 00:48:00,030 --> 00:48:02,129 that may not be suitable for 1327 00:48:02,130 --> 00:48:05,009 Firefox, like your SSH private key 1328 00:48:05,010 --> 00:48:07,259 Firefox can open those right.
1329 00:48:07,260 --> 00:48:09,389 So even if you lock down Firefox 1330 00:48:09,390 --> 00:48:11,489 and Firefox is just a 1331 00:48:11,490 --> 00:48:14,459 metaphor here for complex processes. 1332 00:48:14,460 --> 00:48:16,349 Let's say MySQL is the same thing. 1333 00:48:16,350 --> 00:48:18,479 MySQL should have permissions 1334 00:48:18,480 --> 00:48:20,129 to open files because it's needed for 1335 00:48:20,130 --> 00:48:21,209 some functionality. 1336 00:48:21,210 --> 00:48:22,829 You may be able to lock that away in 1337 00:48:22,830 --> 00:48:26,189 special cases when you don't need it, but 1338 00:48:26,190 --> 00:48:27,869 you can't just do that, you know, for 1339 00:48:27,870 --> 00:48:30,029 everyone. So 1340 00:48:30,030 --> 00:48:32,309 it's it's a problem that may you 1341 00:48:32,310 --> 00:48:34,439 may be able to lock down more if you know 1342 00:48:34,440 --> 00:48:36,539 more details about your application. 1343 00:48:36,540 --> 00:48:38,639 And that's one of my arguments, because 1344 00:48:38,640 --> 00:48:40,079 the admin usually doesn't. 1345 00:48:40,080 --> 00:48:41,080 The programmer does. 1346 00:48:42,720 --> 00:48:44,489 The big elephant in the room is kernel 1347 00:48:44,490 --> 00:48:45,490 bugs. 1348 00:48:46,470 --> 00:48:48,749 We have a high profile kernel bug around 1349 00:48:48,750 --> 00:48:51,329 every six to 12 months. 1350 00:48:51,330 --> 00:48:53,549 And if we rely on some 1351 00:48:53,550 --> 00:48:56,229 security mechanism like namespaces 1352 00:48:56,230 --> 00:48:58,439 or seccomp filter, 1353 00:48:58,440 --> 00:49:00,419 the next vulnerability might be in there. 1354 00:49:00,420 --> 00:49:01,469 It's complex code. 1355 00:49:01,470 --> 00:49:03,479 Complex code has bugs, right? 1356 00:49:03,480 --> 00:49:05,969 So the expectation is 1357 00:49:05,970 --> 00:49:08,189 most unfound bugs are 1358 00:49:08,190 --> 00:49:10,469 in obscure places.
1359 00:49:10,470 --> 00:49:12,779 So my example for this would be X.25 1360 00:49:12,780 --> 00:49:14,369 socket handling because nobody uses 1361 00:49:14,370 --> 00:49:15,379 that anymore. 1362 00:49:15,380 --> 00:49:16,589 There are probably still bugs in there 1363 00:49:16,590 --> 00:49:18,719 because nobody cares if we lock that 1364 00:49:18,720 --> 00:49:21,539 away, we gain something. 1365 00:49:21,540 --> 00:49:24,089 So there is a value not just in 1366 00:49:24,090 --> 00:49:26,339 restricting permissions and there's also 1367 00:49:26,340 --> 00:49:28,739 value on top of that in 1368 00:49:28,740 --> 00:49:30,899 restricting kind of APIs that 1369 00:49:30,900 --> 00:49:33,179 are visible to the program and locking 1370 00:49:33,180 --> 00:49:35,309 away APIs that might have 1371 00:49:35,310 --> 00:49:36,839 a problem in the future. 1372 00:49:36,840 --> 00:49:39,509 That is also when even if we don't 1373 00:49:39,510 --> 00:49:41,699 gain anything tangible now, it's 1374 00:49:41,700 --> 00:49:43,070 insurance against the future. 1375 00:49:44,610 --> 00:49:46,769 So the first rule of seccomp 1376 00:49:46,770 --> 00:49:49,139 filter is block future calls to seccomp 1377 00:49:49,140 --> 00:49:50,140 filter. 1378 00:49:51,960 --> 00:49:54,059 So as an example, I try to 1379 00:49:54,060 --> 00:49:56,219 lock down my ping implementations to get 1380 00:49:56,220 --> 00:49:58,829 a handle on all this functionality. 1381 00:49:58,830 --> 00:50:00,779 And so the first thing you do is you get 1382 00:50:00,780 --> 00:50:02,579 a raw socket and you drop privileges 1383 00:50:03,960 --> 00:50:06,149 and after that you want to want to lock 1384 00:50:06,150 --> 00:50:08,159 down what the attacker can do. 1385 00:50:08,160 --> 00:50:10,109 So before you do command line parsing. 1386 00:50:10,110 --> 00:50:12,359 Right. So you lock that down.
1387 00:50:12,360 --> 00:50:14,519 The documentation says if you apply two 1388 00:50:14,520 --> 00:50:16,739 filters with seccomp filter and then both 1389 00:50:16,740 --> 00:50:17,699 are applied. 1390 00:50:17,700 --> 00:50:19,319 So I thought, oh, that's good. 1391 00:50:19,320 --> 00:50:21,419 Um, I can do several 1392 00:50:21,420 --> 00:50:23,549 stages. The first stage drops stuff 1393 00:50:23,550 --> 00:50:25,739 I never need, but 1394 00:50:25,740 --> 00:50:28,019 filesystem access I can only block after 1395 00:50:28,020 --> 00:50:30,149 I did the DNS lookup and that I can 1396 00:50:30,150 --> 00:50:32,459 only do after I parse the command line. 1397 00:50:32,460 --> 00:50:34,559 So I have more privilege than 1398 00:50:34,560 --> 00:50:36,809 I really need during the time I 1399 00:50:36,810 --> 00:50:38,339 parse the command line. 1400 00:50:38,340 --> 00:50:40,439 So I did several calls to seccomp filter 1401 00:50:40,440 --> 00:50:42,719 and I found out that it didn't 1402 00:50:42,720 --> 00:50:43,719 work as advertised. 1403 00:50:43,720 --> 00:50:46,139 So this is a caveat 1404 00:50:46,140 --> 00:50:48,539 that you should know I could install 1405 00:50:48,540 --> 00:50:50,819 a filter that disallowed further 1406 00:50:50,820 --> 00:50:53,069 calls to seccomp filter twice, so 1407 00:50:53,070 --> 00:50:54,309 obviously didn't get applied. 1408 00:50:55,320 --> 00:50:58,559 So check your have a unit test for your 1409 00:50:58,560 --> 00:51:00,030 lockdown mechanisms too. 1410 00:51:02,820 --> 00:51:05,219 On Windows, that theoretically 1411 00:51:05,220 --> 00:51:08,039 you can do this, but it's so hard 1412 00:51:08,040 --> 00:51:10,139 that I would recommend against it if you 1413 00:51:10,140 --> 00:51:11,879 are really dead set on trying to do this 1414 00:51:11,880 --> 00:51:14,249 on Windows. Go read the Chrome sandbox 1415 00:51:14,250 --> 00:51:16,499 implementation. It's open source. 1416 00:51:16,500 --> 00:51:18,479 It's really hairy.
1417 00:51:18,480 --> 00:51:20,729 And I wouldn't feel safe 1418 00:51:20,730 --> 00:51:22,919 if I had any of that code, to 1419 00:51:22,920 --> 00:51:24,419 be honest, in my project. 1420 00:51:24,420 --> 00:51:26,849 So if you can at all 1421 00:51:26,850 --> 00:51:28,889 to avoid Windows for that, for this 1422 00:51:30,210 --> 00:51:32,309 you might the way to do this might 1423 00:51:32,310 --> 00:51:34,109 be to use their Eppalock down. 1424 00:51:34,110 --> 00:51:35,879 Then it's not your fault if the lock down 1425 00:51:35,880 --> 00:51:38,009 isn't good, but trying to do 1426 00:51:38,010 --> 00:51:39,719 this yourself is. But it's not a good 1427 00:51:39,720 --> 00:51:40,720 idea, I think. 1428 00:51:41,580 --> 00:51:43,739 So to sum it up, 1429 00:51:43,740 --> 00:51:45,509 I think we're in a pretty good place from 1430 00:51:45,510 --> 00:51:47,279 the functionality because we can do most 1431 00:51:47,280 --> 00:51:50,129 of the stuff we want to do 1432 00:51:50,130 --> 00:51:52,109 on Linux, FreeBSD and OpenBSD at 1433 00:51:52,110 --> 00:51:53,549 least. 1434 00:51:53,550 --> 00:51:55,979 Fine-grained lockdown is possible, 1435 00:51:55,980 --> 00:51:57,539 but it's very hard and fidgety. 1436 00:51:58,790 --> 00:52:01,219 On the other hand, if we write code, 1437 00:52:01,220 --> 00:52:02,659 that code is usually also hard and 1438 00:52:02,660 --> 00:52:04,309 fidgety, so I don't think that's much of 1439 00:52:04,310 --> 00:52:05,310 an argument. 1440 00:52:06,170 --> 00:52:08,629 If you are a paranoid software, paranoid 1441 00:52:08,630 --> 00:52:10,339 software author, you can sacrifice some 1442 00:52:10,340 --> 00:52:12,949 performance to gain more security.
1443 00:52:12,950 --> 00:52:15,259 The trailblazer here is OpenSSH 1444 00:52:15,260 --> 00:52:17,489 and their sandbox 1445 00:52:17,490 --> 00:52:19,789 source code is should be 1446 00:52:19,790 --> 00:52:22,549 something you study if you want to 1447 00:52:22,550 --> 00:52:23,719 find out how to do this. 1448 00:52:24,860 --> 00:52:26,749 Personally, I feel I can sleep well at 1449 00:52:26,750 --> 00:52:28,609 night knowing that I locked down my code 1450 00:52:28,610 --> 00:52:30,139 with the stuff and tested that the 1451 00:52:30,140 --> 00:52:32,089 lockdown actually works. 1452 00:52:32,090 --> 00:52:33,169 Your mileage may vary. 1453 00:52:34,760 --> 00:52:35,760 Closing words, 1454 00:52:36,890 --> 00:52:39,169 use this in your own code, I think 1455 00:52:39,170 --> 00:52:41,779 this should be the shipping or deployment 1456 00:52:41,780 --> 00:52:43,909 equivalent of having unit tests, 1457 00:52:43,910 --> 00:52:45,169 everyone should have this. 1458 00:52:45,170 --> 00:52:47,479 If your process is too big to apply 1459 00:52:47,480 --> 00:52:49,460 this reasonably, then split it up. 1460 00:52:51,430 --> 00:52:53,379 We I think we shouldn't and we should 1461 00:52:53,380 --> 00:52:55,659 strive for a future in 10 1462 00:52:55,660 --> 00:52:57,759 years or something when nobody ships 1463 00:52:57,760 --> 00:52:59,919 software that has doesn't have some 1464 00:52:59,920 --> 00:53:01,750 kind of lock down mechanism like this. 1465 00:53:02,850 --> 00:53:05,009 If your code fails after updates 1466 00:53:05,010 --> 00:53:07,649 because you locked down tightly 1467 00:53:07,650 --> 00:53:09,389 and it needs more permissions now, then 1468 00:53:09,390 --> 00:53:10,390 you were doing it right, 1469 00:53:11,880 --> 00:53:13,469 because that means your lockdown was very 1470 00:53:13,470 --> 00:53:15,239 precise, that's how it should be. 1471 00:53:15,240 --> 00:53:17,729 So this is there is work involved.
1472 00:53:17,730 --> 00:53:19,799 Don't get me wrong, this is hard work. 1473 00:53:19,800 --> 00:53:22,709 And you need to be very concentrated 1474 00:53:22,710 --> 00:53:24,749 and you need to check whether you 1475 00:53:24,750 --> 00:53:27,419 actually achieved what you wanted. 1476 00:53:27,420 --> 00:53:29,639 But you can do it and I think you should 1477 00:53:29,640 --> 00:53:30,640 do it. 1478 00:53:31,820 --> 00:53:33,909 Any questions, I think we 1479 00:53:33,910 --> 00:53:34,929 only have five minutes, OK? 1480 00:53:43,550 --> 00:53:46,039 So we have about 1481 00:53:46,040 --> 00:53:48,169 eight minutes, you can always 1482 00:53:48,170 --> 00:53:50,389 send me an email or I would be available. 1483 00:53:50,390 --> 00:53:52,019 You're in the front. 1484 00:53:52,020 --> 00:53:54,289 Let's start with a question 1485 00:53:54,290 --> 00:53:55,290 from the Internet. 1486 00:53:57,440 --> 00:53:59,659 OK, the first question from the Internet 1487 00:53:59,660 --> 00:54:01,789 is if you saw the 1488 00:54:01,790 --> 00:54:03,949 talk on CloudABI, and 1489 00:54:03,950 --> 00:54:05,089 what are your thoughts on this? 1490 00:54:07,290 --> 00:54:09,449 On what we talk on 1491 00:54:09,450 --> 00:54:10,450 CloudABI 1492 00:54:12,460 --> 00:54:14,279 or Cloud API, I didn't actually see the 1493 00:54:14,280 --> 00:54:15,329 talk, I'm sorry, but I will look at the 1494 00:54:15,330 --> 00:54:15,929 video. 1495 00:54:15,930 --> 00:54:17,459 I think they're basically using the same 1496 00:54:17,460 --> 00:54:18,929 mechanisms. 1497 00:54:18,930 --> 00:54:21,449 I still wouldn't trust the 1498 00:54:21,450 --> 00:54:23,459 the announcement they make that you can 1499 00:54:23,460 --> 00:54:25,649 run untrusted code if you lock it down. 1500 00:54:25,650 --> 00:54:26,609 I wouldn't go that far. 1501 00:54:26,610 --> 00:54:28,649 But basically what they do is the same 1502 00:54:28,650 --> 00:54:30,299 thing.
They use these mechanisms to lock 1503 00:54:30,300 --> 00:54:32,399 down and that's the way you have to go if 1504 00:54:32,400 --> 00:54:33,630 you do cloud computing 1505 00:54:34,890 --> 00:54:35,890 requirements better. 1506 00:54:36,750 --> 00:54:39,029 So what was your exact criticism 1507 00:54:39,030 --> 00:54:40,709 of seccomp, too? 1508 00:54:40,710 --> 00:54:42,479 Is that the design of the virtual 1509 00:54:42,480 --> 00:54:44,399 machine, the instruction set, or the fact 1510 00:54:44,400 --> 00:54:46,379 that you have to use these macros to 1511 00:54:46,380 --> 00:54:47,789 write your code? 1512 00:54:47,790 --> 00:54:49,109 Well, actually, it turns out you don't 1513 00:54:49,110 --> 00:54:50,129 need to use the macros. 1514 00:54:50,130 --> 00:54:51,809 There's a library that abstracts it. 1515 00:54:51,810 --> 00:54:53,969 But since the whole reason to use 1516 00:54:53,970 --> 00:54:55,379 this stuff is because you don't trust 1517 00:54:55,380 --> 00:54:57,119 your libraries, I didn't mention it. 1518 00:54:57,120 --> 00:54:58,589 I think you shouldn't be using libraries 1519 00:54:58,590 --> 00:54:59,579 to abstract this away. 1520 00:54:59,580 --> 00:55:01,799 My criticism is that you need too much 1521 00:55:01,800 --> 00:55:03,149 context to use it. 1522 00:55:03,150 --> 00:55:05,339 So the OpenBSD API is 1523 00:55:05,340 --> 00:55:06,629 pretty good in this respect. 1524 00:55:06,630 --> 00:55:08,879 You have, it's very easy to use 1525 00:55:08,880 --> 00:55:11,339 and there's not much you can fuck up. 1526 00:55:11,340 --> 00:55:13,469 And I would hope 1527 00:55:13,470 --> 00:55:15,569 that there's some way to do 1528 00:55:15,570 --> 00:55:17,069 this more easily in Linux too. 1529 00:55:19,070 --> 00:55:20,539 We could survive it.
1530 00:55:20,540 --> 00:55:23,209 What is your take on GFR 1531 00:55:23,210 --> 00:55:24,409 application sandboxing 1532 00:55:25,520 --> 00:55:26,659 on which one is 1533 00:55:27,800 --> 00:55:30,019 the one the clone project is doing for 1534 00:55:30,020 --> 00:55:32,269 larger applications that normally 1535 00:55:32,270 --> 00:55:33,209 don't run as root, 1536 00:55:33,210 --> 00:55:35,389 but as a normal user? I haven't 1537 00:55:35,390 --> 00:55:36,549 actually looked at the details. 1538 00:55:36,550 --> 00:55:37,879 I don't know. Sorry. 1539 00:55:37,880 --> 00:55:40,339 OK, microphone 1540 00:55:40,340 --> 00:55:41,479 four, please. 1541 00:55:41,480 --> 00:55:44,149 So my question is, are these 1542 00:55:44,150 --> 00:55:46,409 privilege dropping happens at runtime? 1543 00:55:46,410 --> 00:55:47,899 You have to code it into the binary 1544 00:55:47,900 --> 00:55:50,719 yourself. Now, there are some 1545 00:55:50,720 --> 00:55:52,879 processes, tools where you 1546 00:55:52,880 --> 00:55:55,219 know that right from the beginning 1547 00:55:55,220 --> 00:55:56,869 you don't need certain kinds of 1548 00:55:56,870 --> 00:55:58,939 accesses. Wouldn't it make sense to have 1549 00:55:58,940 --> 00:56:01,199 a kind of like the seccomp binary code 1550 00:56:01,200 --> 00:56:03,649 being a special section in the ELF binary 1551 00:56:03,650 --> 00:56:06,349 and have it loaded by the kernel right 1552 00:56:06,350 --> 00:56:07,789 from the beginning? 1553 00:56:07,790 --> 00:56:09,079 Yeah, yeah. That would be awesome. 1554 00:56:09,080 --> 00:56:10,789 But we don't have the tooling yet. 1555 00:56:10,790 --> 00:56:12,199 So if someone would hack that, that would 1556 00:56:12,200 --> 00:56:13,200 be nice.
1557 00:56:14,200 --> 00:56:15,819 Another question from the Internet, 1558 00:56:15,820 --> 00:56:18,729 please. Yes, the question is, 1559 00:56:18,730 --> 00:56:20,979 what do you think about running a target 1560 00:56:20,980 --> 00:56:23,259 application in like hardened Docker with, 1561 00:56:23,260 --> 00:56:25,600 like, LSM, seccomp, cgroups? 1562 00:56:27,710 --> 00:56:29,769 Yeah, I mean, that's the it's a 1563 00:56:29,770 --> 00:56:31,869 good idea. However, 1564 00:56:31,870 --> 00:56:34,030 how do you know that. 1565 00:56:35,080 --> 00:56:37,029 I mean it doesn't really lock down 1566 00:56:37,030 --> 00:56:39,279 everything. They use namespaces, which 1567 00:56:39,280 --> 00:56:41,439 is good, but 1568 00:56:41,440 --> 00:56:43,119 if you have a kernel bug there's more 1569 00:56:43,120 --> 00:56:45,489 you can do to avoid 1570 00:56:45,490 --> 00:56:47,589 it. I mean not in all cases but 1571 00:56:47,590 --> 00:56:49,899 I don't feel as safe 1572 00:56:49,900 --> 00:56:52,029 with Docker than I would feel with 1573 00:56:52,030 --> 00:56:54,289 Docker and an application that also does 1574 00:56:54,290 --> 00:56:56,379 seccomp filter to restrict itself more. 1575 00:56:57,950 --> 00:57:00,529 Microphone three. Thank you. Everything 1576 00:57:00,530 --> 00:57:01,249 you explained 1577 00:57:01,250 --> 00:57:03,199 looks like I need to call all these 1578 00:57:03,200 --> 00:57:05,339 features from C. Is there 1579 00:57:05,340 --> 00:57:07,729 some way to call those restriction 1580 00:57:07,730 --> 00:57:09,919 APIs from some high level types of 1581 00:57:09,920 --> 00:57:11,319 memory safe languages?
1582 00:57:12,890 --> 00:57:15,319 Probably. However, you need insight 1583 00:57:15,320 --> 00:57:17,329 in what the runtime of those languages 1584 00:57:17,330 --> 00:57:19,399 does, and that's a whole other can of 1585 00:57:19,400 --> 00:57:20,400 worms. 1586 00:57:21,560 --> 00:57:23,539 Usually from high level, more high level 1587 00:57:23,540 --> 00:57:25,519 languages, you can always call C code in 1588 00:57:25,520 --> 00:57:26,899 some way or other. 1589 00:57:26,900 --> 00:57:28,249 So it should be possible. 1590 00:57:29,810 --> 00:57:30,949 Microphone two, please. 1591 00:57:32,030 --> 00:57:34,579 And my question kind of 1592 00:57:34,580 --> 00:57:37,009 relates to the previous one. 1593 00:57:37,010 --> 00:57:39,109 So when you mentioned results 1594 00:57:39,110 --> 00:57:40,670 of being 1595 00:57:42,020 --> 00:57:44,269 read, your names on them look 1596 00:57:44,270 --> 00:57:46,909 up. So is there any attempt 1597 00:57:46,910 --> 00:57:49,039 to kind of make this modular when 1598 00:57:49,040 --> 00:57:51,259 you have a library and 1599 00:57:51,260 --> 00:57:53,539 you at least need to document or 1600 00:57:53,540 --> 00:57:56,449 specify in some way what 1601 00:57:56,450 --> 00:57:58,759 this and that call needs in terms 1602 00:57:58,760 --> 00:58:01,219 of operating system services? 1603 00:58:01,220 --> 00:58:02,449 So you can do it? 1604 00:58:02,450 --> 00:58:04,849 I'm not aware of any of those, but 1605 00:58:04,850 --> 00:58:06,949 most operating systems document 1606 00:58:06,950 --> 00:58:08,749 this in some way or another in their own 1607 00:58:08,750 --> 00:58:09,799 documentation. 1608 00:58:09,800 --> 00:58:11,629 However, if you write software you usually 1609 00:58:11,630 --> 00:58:13,789 want it to be more portable and 1610 00:58:13,790 --> 00:58:15,409 you know, it works with this version of 1611 00:58:15,410 --> 00:58:17,929 libc.
So there's a tradeoff here 1612 00:58:17,930 --> 00:58:20,359 to be more precise in your blocking 1613 00:58:20,360 --> 00:58:22,459 or to be more portable. 1614 00:58:22,460 --> 00:58:24,079 And I think that's a bad thing to have. 1615 00:58:24,080 --> 00:58:25,130 It gives the wrong incentive. 1616 00:58:26,600 --> 00:58:28,399 Another question from the Internet, 1617 00:58:28,400 --> 00:58:29,509 please. 1618 00:58:29,510 --> 00:58:31,429 Yes, it's not really from the Internet, 1619 00:58:31,430 --> 00:58:33,199 but from one of the angels down here. 1620 00:58:33,200 --> 00:58:34,610 So I'm going to hand him the microphone. 1621 00:58:36,690 --> 00:58:37,429 Yeah. 1622 00:58:37,430 --> 00:58:39,110 So you mentioned that 1623 00:58:41,540 --> 00:58:44,059 you mentioned using broker services 1624 00:58:44,060 --> 00:58:46,279 to actually hand off opening 1625 00:58:46,280 --> 00:58:48,620 files and how it doesn't help with 1626 00:58:50,270 --> 00:58:52,819 sorry, with processes 1627 00:58:52,820 --> 00:58:55,519 that might need to open arbitrary files, 1628 00:58:55,520 --> 00:58:56,899 something we are doing with our 1629 00:58:56,900 --> 00:58:59,249 Pomeroy's. We are working on using broker 1630 00:58:59,250 --> 00:59:01,219 services where it's actually a broker 1631 00:59:01,220 --> 00:59:03,559 service which prompts a user for 1632 00:59:03,560 --> 00:59:05,869 which files need to be opened, 1633 00:59:05,870 --> 00:59:08,029 which avoids having 1634 00:59:08,030 --> 00:59:10,129 the service lie about needing to open 1635 00:59:10,130 --> 00:59:11,130 the file.
1636 00:59:11,660 --> 00:59:13,519 When I say broker services, I didn't mean 1637 00:59:13,520 --> 00:59:15,469 it in a way that the operating system 1638 00:59:15,470 --> 00:59:17,629 started something, but I meant it that 1639 00:59:17,630 --> 00:59:18,979 the application forks in the 1640 00:59:18,980 --> 00:59:21,859 beginning and then one of the 1641 00:59:21,860 --> 00:59:24,109 two processes is the broker 1642 00:59:24,110 --> 00:59:26,299 for the other half. So I don't 1643 00:59:26,300 --> 00:59:28,459 mean... I think if you want the admin 1644 00:59:28,460 --> 00:59:30,439 to install anything so your app is more 1645 00:59:30,440 --> 00:59:32,419 secure, you shouldn't rely on that 1646 00:59:32,420 --> 00:59:34,219 because there will be mistakes made and 1647 00:59:34,220 --> 00:59:36,259 you want your app to be secure in any 1648 00:59:36,260 --> 00:59:38,179 event. So you should do it yourself as 1649 00:59:38,180 --> 00:59:39,180 the programmer. 1650 00:59:40,220 --> 00:59:41,409 Microphone eight, please. 1651 00:59:43,610 --> 00:59:46,129 So isn't it a problem 1652 00:59:46,130 --> 00:59:48,529 that most of these privilege dropping 1653 00:59:48,530 --> 00:59:50,779 mechanisms require you to 1654 00:59:50,780 --> 00:59:53,539 have super user privileges? Doesn't that 1655 00:59:53,540 --> 00:59:55,519 create an additional time of 1656 00:59:55,520 --> 00:59:57,649 vulnerability for a program 1657 00:59:57,650 --> 00:59:59,899 that never actually needs super 1658 00:59:59,900 --> 01:00:01,759 user privileges, but would like to lock 1659 01:00:01,760 --> 01:00:03,209 itself down? 1660 01:00:03,210 --> 01:00:05,269 I don't think most of the APIs 1661 01:00:05,270 --> 01:00:06,499 require super user.
1662 01:00:06,500 --> 01:00:08,389 So the seccomp filter doesn't. I think 1663 01:00:08,390 --> 01:00:10,639 tame and pledge, and I'm not sure about 1664 01:00:10,640 --> 01:00:12,739 Capsicum, but I don't think it does. 1665 01:00:12,740 --> 01:00:15,109 Chroot and jail does because 1666 01:00:15,110 --> 01:00:17,000 those are meant for different things. 1667 01:00:18,290 --> 01:00:20,389 But if you write something 1668 01:00:20,390 --> 01:00:22,729 like ping and 1669 01:00:22,730 --> 01:00:25,159 you have an exterior mechanism 1670 01:00:25,160 --> 01:00:26,869 to get your socket and you don't need to 1671 01:00:26,870 --> 01:00:28,849 run as root, then you can use most of 1672 01:00:28,850 --> 01:00:30,919 these APIs without being 1673 01:00:30,920 --> 01:00:31,920 root. 1674 01:00:32,570 --> 01:00:34,549 Thank you very much, Fefe. 1675 01:00:34,550 --> 01:00:35,929 Thank you very much for this talk.