Cristian-Matei Toader:
Hello,
My name is Cristian Toader, and I feel very excited about designing and implementing a capabilities based sandbox for the central Tor project, as part of the GSOC program.
Welcome!
About myself:
I have been a Linux enthusiast for almost 6 years and have first started using Tor around 3 years ago.
I am currently studying in the UK. In approximately one month I will be graduating the Computer Science programme at the University of Surrey, and plan on pursuing a master's degree in Advanced Computer Science at the University of Cambridge for the following academic year.
I have completed a placement year at Qualcomm (UK) LTD which involved implementing and testing security solutions for the Linux Android OS. These were based on cryptography and the TrustZone run-mode of the ARM processors. Most of the development during the placement year was performed in C, with some tests written in Java and C++ for the upper layers.
That sounds great - I've been doing some work on Tor on ARM lately. I think this kind of experience is really useful - which ARM SOC boards are you familiar with?
About the project:
The project I will be working on as part of GSOC is based on the "Run With Limited Capabilities" proposal [1] mentored by Nick Mathewson (nickm) and Andrea Shepard (athena). The project is still in the planning stage. I will start working on an appropriate design as soon as I finish my last exams, which is the 3rd of June.
As part of the project I will need to:
- investigate research papers regarding capability based sandboxes
- get familiar with the Tor code structure
- decide on whether there should be different states starting from which
the tor program only has a limited set of capabilities, depending on what syscalls it should be able to perform; or maybe have a more complex approach based on a trusted process representing a root of trust (with no network interactions) which controls the capabilities of the processes it launches
- integrate an appropriate solution
- develop and run tests for the project
This sounds great. I've experimented a bit with (lib)seccomp filters, seatbelt, AppArmor, SELinux and other related systems as they apply to TBB, tlsdate and tor itself. I'm happy to code review, to generally think over the designs and so on.
A constraint agreed with nickm, would be that once the program capabilities are set they should not be modifiable (otherwise a potential attacker could have the option of first enabling capabilities and then execute privileged code).
Sure - this is something seen with ROP gadgets - is there a write protected area of memory? First, mark it as unprotected, then carry on, etc.
Some additional details can be found in tickets #7005 [2], #5219 [3], and #5220 [4].
I will try to keep everyone updated. I am looking forward to advice and suggestions. If anyone needs to contact me, this is my primary email, my irc.oftc.net username is ctoader, and I am geographically located in GMT+2.
Sounds good - i'm 'ioerror' on #tor-dev - feel free to reach out to me or others.
Welcome to the Tor community!
All the best, Jacob