[tor-dev] Run With Limited Capabilities - GSOC

Cristian-Matei Toader cristian.matei.toader at gmail.com
Sun Jun 30 10:43:53 UTC 2013

On Sat, Jun 29, 2013 at 10:24 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Cristian-Matei Toader:
>> Hello,
>> My name is Cristian Toader, and I feel very excited about designing and
>> implementing a capabilities based sandbox for the central Tor project, as
>> part of the GSOC program.
> Welcome!
>> ----
>> About myself:
>> I have been a Linux enthusiast for almost 6 years and have first started
>> using Tor around 3 years ago.
>> I am currently studying in the UK. In approximately one month I will be
>> graduating the Computer Science programme at the University of Surrey, and
>> plan on pursuing a master's degree in Advanced Computer Science at the
>> University of Cambridge for the following academic year.
>> I have completed a placement year at Qualcomm (UK) LTD which involved
>> implementing and testing security solutions for the Linux Android OS. These
>> were based on cryptography and the TrustZone run-mode of the ARM
>> processors. Most of the development during the placement year was performed
>> in C, with some tests written in Java and C++ for the upper layers.
> That sounds great - I've been doing some work on Tor on ARM lately. I
> think this kind of experience is really useful - which ARM SOC boards
> are you familiar with?

I wouldn't say familiar, since there is so much to know about the
architecture, but during the internship I worked with 8660 and 8960
boards (early Snapdragon builds). The only hardware interaction I
had, however, was Trace32 debugging and writing a bus driver for a
prototype feature in TrustZone. The team was mainly focused on the
HLOS (only Android during my internship), so I got to learn a bit
about everything; it was a good experience.

I would gladly help you if I can. Are you doing something like porting
Tor for Android as a service using the NDK?

>> ----
>> About the project:
>> The project I will be working on as part of GSOC is based on the "Run With
>> Limited Capabilities" proposal [1] mentored by Nick Mathewson (nickm) and
>> Andrea Shepard (athena). The project is still in the planning stage. I will
>> start working on an appropriate design as soon as I finish my last exams,
>> which is the 3rd of June.
>> As part of the project I will need to:
>>   - investigate research papers regarding capability based sandboxes
>>   - get familiar with the Tor code structure
>>   - decide on whether there should be different states starting from which
>> the tor program only has a limited set of capabilities, depending on what
>> syscalls it should be able to perform; or maybe have a more complex
>> approach based on a trusted process representing a root of trust (with no
>> network interactions) which controls the capabilities of the processes it
>> launches
>>   - integrate an appropriate solution
>>   - develop and run tests for the project
> This sounds great. I've experimented a bit with (lib)seccomp filters,
> seatbelt, AppArmor, SELinux and other related systems as they apply to
> TBB, tlsdate and tor itself. I'm happy to code review, to generally
> think over the designs and so on.
>> A constraint agreed with nickm, would be that once the program capabilities
>> are set they should not be modifiable (otherwise a potential attacker could
>> have the option of first enabling capabilities and then execute privileged
>> code).
> Sure - this is something seen with ROP gadgets - is there a write
> protected area of memory? First, mark it as unprotected, then carry on, etc.

Not sure what you meant by the protected area of memory, but what I
meant was something like filtering the syscall that changes
capabilities so that it cannot be used; that way, if you did get a
ROP attack, it wouldn't be able to disable the sandbox.

>> Some additional details can be found in tickets #7005 [2], #5219 [3], and
>> #5220 [4].
>> I will try to keep everyone updated. I am looking forward to advice and
>> suggestions. If anyone needs to contact me, this is my primary email, my
>> irc.oftc.net username is ctoader, and I am geographically located in GMT+2.
> Sounds good - i'm 'ioerror' on #tor-dev - feel free to reach out to me
> or others.
> Welcome to the Tor community!
> All the best,
> Jacob

Thank you for the welcome, I've seen you around on #tor-dev and will
definitely ask for advice if needed!
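
The idea discussed above (once the sandbox is in place, the syscalls
that would change capabilities or the sandbox itself must be unusable,
so a ROP chain that reaches them gains nothing) can be shown with a
seccomp-BPF filter. The following is an added example, not code from
the Tor project or from this thread. It assumes a Linux kernel with
seccomp filter support on x86_64, i386 or aarch64, and the function
names (install_lockdown_filter, try_capset, try_reinstall_filter) are
my own. It defaults to allow so the demo stays small; a real sandbox
would default-deny and would normally use SECCOMP_RET_KILL rather
than returning EPERM, which is used here only so the caller can
observe the refusal.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The filter checks the syscall ABI first: a filter written for one
 * architecture must never be applied to syscall numbers of another. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SC_OFF(field) offsetof(struct seccomp_data, field)

enum { LOCKDOWN_OK = 0, LOCKDOWN_NO_NEW_PRIVS_FAILED = 1, LOCKDOWN_FILTER_FAILED = 2 };

/* Install a filter that makes capset(2), seccomp(2) and
 * prctl(PR_SET_SECCOMP) fail with EPERM; everything else is allowed.
 * After this call the process cannot regain capabilities and cannot
 * touch its own sandbox configuration again. */
int install_lockdown_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(nr)),
        /* capset: the syscall that would change the capability sets. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_capset, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
#ifdef __NR_seccomp
        /* seccomp(2): the newer entry point for installing filters. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_seccomp, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
#endif
        /* prctl is needed for benign things, so inspect its first
         * argument and refuse only PR_SET_SECCOMP (low 32 bits of
         * args[0]; all supported targets are little-endian). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PR_SET_SECCOMP, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for an unprivileged process to install a filter, and it
     * also stops setuid/fscaps binaries from regaining privilege on
     * execve; it cannot be cleared once set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return LOCKDOWN_NO_NEW_PRIVS_FAILED;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return LOCKDOWN_FILTER_FAILED;
    return LOCKDOWN_OK;
}

/* Raw capset with NULL pointers: unfiltered it fails with EFAULT,
 * under the lockdown it fails with EPERM before the kernel ever reads
 * the arguments. Returns 0 on success, otherwise errno. */
int try_capset(void)
{
    if (syscall(__NR_capset, (void *)0, (void *)0) == 0)
        return 0;
    return errno;
}

/* What a ROP chain would try: install an allow-everything filter.
 * Returns 0 if the kernel accepted it, otherwise errno. */
int try_reinstall_filter(void)
{
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
        return 0;
    return errno;
}

int main(void)
{
    int rc = install_lockdown_filter();
    if (rc != LOCKDOWN_OK) {
        fprintf(stderr, "lockdown not installed (rc=%d, errno=%d)\n", rc, errno);
        return 1;
    }
    printf("capset -> errno %d (EPERM is %d)\n", try_capset(), EPERM);
    printf("re-install filter -> errno %d (EPERM is %d)\n",
           try_reinstall_filter(), EPERM);
    return 0;
}
```

Two caveats worth knowing when reading this: seccomp filters only ever
stack, so a second filter could restrict further but never loosen the
first one; the guard on seccomp(2)/prctl(PR_SET_SECCOMP) is therefore
belt-and-braces, and the part that actually matters for "capabilities
cannot be changed afterwards" is refusing capset together with
PR_SET_NO_NEW_PRIVS. And the refusal is per-syscall, not per-gadget: a
ROP chain can still call anything the filter allows, so the allow list
of a real sandbox has to be as small as the program permits.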
