[tor-dev] Run With Limited Capabilities - GSOC
cristian.matei.toader at gmail.com
Thu May 30 00:36:43 UTC 2013
My name is Cristian Toader, and I feel very excited about designing and
implementing a capabilities based sandbox for the central Tor project, as
part of the GSOC program.
I have been a Linux enthusiast for almost 6 years and first started
using Tor around 3 years ago.
I am currently studying in the UK. In approximately one month I will be
graduating from the Computer Science programme at the University of Surrey, and
plan on pursuing a master's degree in Advanced Computer Science at the
University of Cambridge for the following academic year.
I have completed a placement year at Qualcomm (UK) LTD which involved
implementing and testing security solutions for the Linux Android OS. These
were based on cryptography and the TrustZone run-mode of the ARM
processors. Most of the development during the placement year was performed
in C, with some tests written in Java and C++ for the upper layers.
About the project:
The project I will be working on as part of GSOC is based on the "Run With
Limited Capabilities" proposal mentored by Nick Mathewson (nickm) and
Andrea Shepard (athena). The project is still in the planning stage. I will
start working on an appropriate design as soon as I finish my last exams,
which is on the 3rd of June.
As part of the project I will need to:
- investigate research papers regarding capability based sandboxes
- get familiar with the Tor code structure
- decide on whether there should be different states starting from which
the tor program only has a limited set of capabilities, depending on what
syscalls it should be able to perform; or maybe have a more complex
approach based on a trusted process representing a root of trust (with no
network interactions) which controls the capabilities of the processes it
- integrate an appropriate solution
- develop and run tests for the project
A constraint agreed with nickm would be that once the program capabilities
are set they should not be modifiable (otherwise a potential attacker could
have the option of first enabling capabilities and then executing privileged
Some additional details can be found in tickets #7005, #5219, and
I will try to keep everyone updated. I am looking forward to advice and
suggestions. If anyone needs to contact me, this is my primary email, my
irc.oftc.net username is ctoader, and I am geographically located in GMT+2.
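As an added illustration of the "not modifiable once set" constraint described above (this is not code from the original message or from Tor itself), the following C program assumes seccomp-bpf on Linux as the enforcement mechanism, which the message does not name: once a deny rule is installed under no_new_privs, a later, more permissive filter cannot widen it, and filter mode cannot be switched off.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* One-rule filter: return `action` for syscall `nr`, allow everything else.
 * (A production filter would check seccomp_data.arch first.) */
static int install_filter(int nr, unsigned int action)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Returns 1 if the restriction survived an attempt to lift it, 0 if it was lifted,
 * -1 if seccomp could not be set up at all (e.g. unsupported kernel). */
int policy_is_irrevocable(void)
{
    /* no_new_privs is required for unprivileged seccomp and can never be cleared. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    /* Phase 1: deny getpid with EPERM (a harmless stand-in for a privileged syscall). */
    if (install_filter(SYS_getpid, SECCOMP_RET_ERRNO | EPERM) != 0) return -1;
    errno = 0;
    if (syscall(SYS_getpid) != -1 || errno != EPERM) return 0;
    /* Phase 2: try to "re-enable" it by loading a permissive filter.  Filters only
     * stack, and the most restrictive verdict wins, so the deny stays in force. */
    if (install_filter(SYS_getpid, SECCOMP_RET_ALLOW) != 0) return -1;
    errno = 0;
    if (syscall(SYS_getpid) != -1 || errno != EPERM) return 0;
    /* Phase 3: switching filter mode off is rejected outright. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED, 0, 0, 0) == 0) return 0;
    return 1;
}

int main(void)
{
    int r = policy_is_irrevocable();
    printf("policy irrevocable: %s\n", r == 1 ? "yes" : r == 0 ? "NO" : "seccomp unavailable");
    return r == 1 ? 0 : 1;
}
```

The same one-way property is what makes a "set capabilities early, then drop the ability to change them" design hold up, since the sandboxed process has no path back to the wider syscall set.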