[tor-dev] Run With Limited Capabilities - GSOC

Cristian-Matei Toader cristian.matei.toader at gmail.com
Thu May 30 00:36:43 UTC 2013


My name is Cristian Toader, and I feel very excited about designing and
implementing a capabilities based sandbox for the central Tor project, as
part of the GSOC program.

About myself:

I have been a Linux enthusiast for almost 6 years and first started using
Tor around 3 years ago.

I am currently studying in the UK. In approximately one month I will be
graduating from the Computer Science programme at the University of Surrey,
and plan on pursuing a master's degree in Advanced Computer Science at the
University of Cambridge for the following academic year.

I have completed a placement year at Qualcomm (UK) LTD which involved
implementing and testing security solutions for the Linux Android OS. These
were based on cryptography and the TrustZone run-mode of the ARM
processors. Most of the development during the placement year was performed
in C, with some tests written in Java and C++ for the upper layers.

About the project:

The project I will be working on as part of GSOC is based on the "Run With
Limited Capabilities" proposal [1] mentored by Nick Mathewson (nickm) and
Andrea Shepard (athena). The project is still in the planning stage. I will
start working on an appropriate design as soon as I finish my last exam,
which is on the 3rd of June.

As part of the project I will need to:
  - investigate research papers regarding capability based sandboxes
  - get familiar with the Tor code structure
  - decide on whether there should be different states starting from which
the tor program only has a limited set of capabilities, depending on what
syscalls it should be able to perform; or maybe have a more complex
approach based on a trusted process representing a root of trust (with no
network interactions) which controls the capabilities of the processes it
  - integrate an appropriate solution
  - develop and run tests for the project

A constraint agreed with nickm would be that once the program's capabilities
are set they should not be modifiable (otherwise a potential attacker could
have the option of first enabling capabilities and then executing privileged

Some additional details can be found in tickets #7005 [2], #5219 [3], and
#5220 [4].

I will try to keep everyone updated. I am looking forward to advice and
suggestions. If anyone needs to contact me, this is my primary email, my
irc.oftc.net username is ctoader, and I am geographically located in GMT+2.

Best regards,
Cristian Toader.

[2] https://trac.torproject.org/projects/tor/ticket/7005
[3] https://trac.torproject.org/projects/tor/ticket/5219
[4] https://trac.torproject.org/projects/tor/ticket/5220
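The two design points above, a process restricted to a fixed set of syscalls, and the agreed constraint that once the restriction is in place it cannot be widened again, are what a seccomp-bpf filter on Linux gives you. The following is an added example for this thread, not code from the post and not Tor's sandbox (which had not been designed at the time of this message). It assumes Linux 3.5 or later with seccomp filter support on x86_64, aarch64 or i386, and uses getppid(2) as a harmless stand-in for a privileged syscall so the program can probe the restriction without killing itself. All function names (install_deny_filter, probe_getppid, sandbox_demo) and return codes are the example's own. After the filter is installed, the program tries the two things an attacker with code execution in the sandboxed process would try, clearing no_new_privs and stacking a permissive second filter, and shows that neither re-enables the denied syscall.

```c
/*
 * Irreversible seccomp-bpf restriction (added example, not Tor code).
 *
 * Assumptions: Linux >= 3.5 built with CONFIG_SECCOMP_FILTER, running on
 * x86_64, aarch64 or i386. getppid(2) stands in for a "privileged" syscall:
 * it is harmless to deny and easy to probe.
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define DEMO_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a filter that fails syscall number `deny_nr` with errno `err` and
 * allows everything else. Returns 0 on success, -1 (errno set) if refused. */
static int install_deny_filter(int deny_nr, int err)
{
    struct sock_filter code[] = {
        /* Kill the thread if the syscall arrives via a foreign ABI, so a
         * 32-bit syscall cannot bypass a number check written for 64-bit. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; deny the chosen one, allow the rest. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)deny_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((unsigned)err & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* A filter that allows everything: what an attacker who already runs code
 * inside the process might install, hoping to "re-enable" a syscall. */
static int install_allow_all_filter(void)
{
    struct sock_filter code[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = code };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* 0 = getppid works, 1 = denied with EPERM, -1 = some other failure. */
int probe_getppid(void)
{
    errno = 0;
    if (syscall(SYS_getppid) >= 0) return 0;
    return errno == EPERM ? 1 : -1;
}

/* Returns 0 if the restriction held against both widening attempts,
 *         1 if seccomp filtering is unavailable here (nothing installed),
 *        -1 if something unexpected happened (restriction lifted, bad probe). */
int sandbox_demo(void)
{
    if (probe_getppid() != 0) return -1;             /* sanity check before sandboxing */

    /* Required for unprivileged filter installation, and itself irreversible. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 1;
    if (install_deny_filter(SYS_getppid, EPERM) != 0) return 1;
    if (probe_getppid() != 1) return -1;             /* the filter is in effect */

    /* Attempt 1: clear no_new_privs. The kernel only accepts arg2 == 1 and
     * answers EINVAL to anything else, so this must fail. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0) return -1;

    /* Attempt 2: stack a fully permissive filter. Filters only accumulate;
     * the kernel runs every installed filter and keeps the most restrictive
     * verdict, so getppid must still be denied afterwards. */
    if (install_allow_all_filter() != 0) return -1;
    if (probe_getppid() != 1) return -1;

    return 0;
}

int main(void)
{
    int r = sandbox_demo();
    puts(r == 0 ? "restriction held after both widening attempts"
       : r == 1 ? "seccomp filtering unavailable in this environment"
                : "UNEXPECTED: restriction could be lifted");
    return r < 0;
}
```

The design choice worth noting for the proposal is the order of operations: everything the process will ever need (sockets, files, the signal handlers) is set up first, then no_new_privs and the filter go on, and from that point the only way to a different syscall set is to start over from a fresh process. That is exactly the property the constraint above asks for, and it is why a "trusted process that controls the capabilities of the others" design would have to hand out restrictions at fork/exec time rather than adjust a running child.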