[tor-dev] Run With Limited Capabilities - GSOC

Jacob Appelbaum jacob at appelbaum.net
Sat Jun 29 19:24:07 UTC 2013

Cristian-Matei Toader:
> Hello,
> My name is Cristian Toader, and I feel very excited about designing and
> implementing a capabilities based sandbox for the central Tor project, as
> part of the GSOC program.


> ----
> About myself:
> I have been a Linux enthusiast for almost 6 years and have first started
> using Tor around 3 years ago.
> I am currently studying in the UK. In approximately one month I will be
> graduating the Computer Science programme at the University of Surrey, and
> plan on pursuing a master's degree in Advanced Computer Science at the
> University of Cambridge for the following academic year.
> I have completed a placement year at Qualcomm (UK) LTD which involved
> implementing and testing security solutions for the Linux Android OS. These
> were based on cryptography and the TrustZone run-mode of the ARM
> processors. Most of the development during the placement year was performed
> in C, with some tests written in Java and C++ for the upper layers.

That sounds great - I've been doing some work on Tor on ARM lately. I
think this kind of experience is really useful - which ARM SOC boards
are you familiar with?

> ----
> About the project:
> The project I will be working on as part of GSOC is based on the "Run With
> Limited Capabilities" proposal [1] mentored by Nick Mathewson (nickm) and
> Andrea Shepard (athena). The project is still in the planning stage. I will
> start working on an appropriate design as soon as I finish my last exams,
> which is the 3rd of June.
> As part of the project I will need to:
>   - investigate research papers regarding capability based sandboxes
>   - get familiar with the Tor code structure
>   - decide on whether there should be different states starting from which
> the tor program only has a limited set of capabilities, depending on what
> syscalls it should be able to perform; or maybe have a more complex
> approach based on a trusted process representing a root of trust (with no
> network interactions) which controls the capabilities of the processes it
> launches
>   - integrate an appropriate solution
>   - develop and run tests for the project

This sounds great. I've experimented a bit with (lib)seccomp filters,
seatbelt, AppArmor, SELinux and other related systems as they apply to
TBB, tlsdate and tor itself. I'm happy to code review, to generally
think over the designs and so on.

> A constraint agreed with nickm, would be that once the program capabilities
> are set they should not be modifiable (otherwise a potential attacker could
> have the option of first enabling capabilities and then execute privileged
> code).

Sure - this is something seen with ROP gadgets - is there a write
protected area of memory? First, mark it as unprotected, then carry on, etc.

> Some additional details can be found in tickets #7005 [2], #5219 [3], and
> #5220 [4].
> I will try to keep everyone updated. I am looking forward to advice and
> suggestions. If anyone needs to contact me, this is my primary email, my
> irc.oftc.net username is ctoader, and I am geographically located in GMT+2.

Sounds good - i'm 'ioerror' on #tor-dev - feel free to reach out to me
or others.

Welcome to the Tor community!

All the best,

More information about the tor-dev mailing list