/* Standard headers; the sthread API below (sc_t, tag_t, smalloc, sc_init,
 * sc_fd_add, sc_mem_add, sc_sel_context, lpthread_create_join, smain) comes
 * from the Wedge header shipped in the tarball. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

void* sthread(void* arg)
{
	char buf[1024];

	/* who cares about exploits here! Even if exploited, the attacker can't
	 * read password, write to stdout, invoke dangerous syscalls (prevented
	 * by SELinux policy), etc. He can only do what we allowed in the
	 * policy: 1) read arg 2) read stdin. */
	while (gets(buf));

	return NULL;
}

int real_main(int argc, char *argv[], char *envp[])
{
	/* never granted to the sthread, so it stays invisible to it */
	char* password = "sthreads have default-deny permissions, so children \
won't see this buffer unless explicitly granted";
	sc_t policy;
	tag_t label = tag_new(TAG_LPT);
	char* arg = smalloc(1000, label);

	strcpy(arg, "arg is labelled so it can be shared (named in a \
policy) and children may see it");

	/* prepare the policy for an sthread */
	sc_init(&policy);
	sc_fd_add(&policy, 0, PROT_READ);	/* allow it to read stdin */
	sc_mem_add(&policy, label, PROT_READ);	/* grant read to argument */

	/* Attach an SELinux policy that denies all syscalls except for reading
	 * from stdin */
	sc_sel_context(&policy, "nobody:nobody_r:only_read_stdin_t");

	/* launch sthread to do dangerous business (e.g. user input parsing) */
	lpthread_create_join(&policy, sthread, arg, NULL);

	(void) password;
	return 0;
}

int main(int argc, char *argv[], char *envp[])
{
	smain(real_main, argc, argv, envp);
	exit(0);
}
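The policy shape of the example above (a child that sees nothing of the parent by default, plus one buffer explicitly shared with it) can be emulated on stock Linux with fork(2), a MAP_SHARED anonymous mapping for the granted buffer and madvise(MADV_DONTFORK) for everything that must stay parent-only. The block below is an added example written for this page; it is not Wedge code and not how Wedge implements sthreads. The function name run_compartment_demo and the strings in password and arg are ours, and it shows only the memory-visibility half of the policy (no syscall restriction).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample data (not from the page). */
static const char kPassword[] = "parent-only password";
static const char kArg[]      = "arg explicitly shared with the child";

/* Emulation of the sthread policy with plain POSIX primitives:
 *   password -> private mapping marked MADV_DONTFORK: the child's address
 *               space simply does not contain it (the "not granted" case);
 *   arg      -> MAP_SHARED mapping inherited across fork (the "labelled and
 *               granted" case).
 * Returns 1 if the child could read arg but was killed by SIGSEGV when it
 * touched password, 0 on any other outcome. */
int run_compartment_demo(void)
{
	long pg = sysconf(_SC_PAGESIZE);
	char *password = mmap(NULL, pg, PROT_READ | PROT_WRITE,
			      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	char *arg = mmap(NULL, pg, PROT_READ | PROT_WRITE,
			 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (password == MAP_FAILED || arg == MAP_FAILED)
		return 0;
	strcpy(password, kPassword);
	strcpy(arg, kArg);

	/* the "default deny": this mapping is not copied into children */
	if (madvise(password, pg, MADV_DONTFORK) != 0)
		return 0;

	int fds[2];
	if (pipe(fds) != 0)
		return 0;

	pid_t pid = fork();
	if (pid < 0)
		return 0;
	if (pid == 0) {
		/* child: report what it sees of arg, then try the forbidden read */
		close(fds[0]);
		if (write(fds[1], arg, strlen(arg) + 1) < 0)
			_exit(1);
		close(fds[1]);
		volatile char *p = password;	/* no mapping here -> SIGSEGV */
		char c = p[0];
		(void) c;
		_exit(0);			/* reached only if the deny failed */
	}

	/* parent: collect the child's view of arg and its exit status */
	close(fds[1]);
	char seen[128] = { 0 };
	ssize_t n = read(fds[0], seen, sizeof seen - 1);
	close(fds[0]);
	int status = 0;
	waitpid(pid, &status, 0);
	munmap(password, pg);
	munmap(arg, pg);

	return n > 0 && strcmp(seen, kArg) == 0
	       && WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;
}

int main(void)
{
	printf("child saw arg and was denied password: %s\n",
	       run_compartment_demo() ? "yes" : "no");
	return 0;
}
```

The child reads the shared buffer successfully and is killed the moment it dereferences the parent-only one, which is the behaviour the comment in sthread() relies on: a compromised compartment can only touch what the policy named.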
R  main:sshd.c:742,xmalloc:xmalloc.c:23
R  debug_flag
R  log_level
R  log_on_stderr
RW options
RW rc4_ready
R  sensitive_data
R  startup_pipe

We now know which globals need read access (e.g. startup_pipe), which need read/write access (e.g. options) and which mallocs need to be converted to smalloc (e.g. the allocation at line 742 in sshd.c, made through xmalloc). We can therefore create an sthread for this function with exactly the permissions it needs.
The README file in the tarball contains more details on compiling and using Wedge.
svn co https://frostie.cs.ucl.ac.uk/repos/wedge/trunk wedge

You can browse our repository here. A wiki and defect tracking system can be found here.
General queries can be sent to the wedge-users@cs.ucl.ac.uk mailing list. Development discussions are held at wedge-dev@cs.ucl.ac.uk. Here are the subscription instructions and Web archives for wedge-users and wedge-dev.
[1] A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: Splitting Applications into Reduced-Privilege Compartments. In NSDI, 2008. (pdf) (html) (bib). Talk slides (pdf).