[cap-talk] Dan Bernstein's qmail security lessons paper

Sun Dec 16 22:08:25 EST 2007

daw at cs.berkeley.edu (David Wagner) on Sunday, December 16, 2007 wrote:

>James Donald writes:
>>But your company web server does need to be pretty much
>>privileged to run your business, and if a guy from
>>Nigeria gets control of it, the principle of least
>>privilege does not help much.
>
>I think the principle of least privilege can help even there, if applied
>properly.  For instance, CGI programs that dynamically generate HTML
>content do not need to run as root.  It is helpful to run them in a
>minimal-privilege jail, so that a single bug in a single CGI program
>cannot compromise your entire web site.

What Bernstein suggests is using tools like language interpreters to
run parts of systems in environments where they can do no harm.  In
his paper, he suggests that the parser which parses the "From:"
header and returns a string which is the ID of the sender be run so
that, even if it is completely compromised, the only thing it can do
is return the ID of the sender, and points out that it would
probably be easier to set that ID with a valid header.  He mentions
using dataflow analysis when decomposing a system in this manner.

I should add, reading between the lines of this paper, he seems to
assume that privileges can only be controlled at the operating
system level.  He doesn't mention capability systems or languages. 
The closest he gets to system to confine programs are these two
references:

Ian Goldberg, David Wagner, Randi Thomas, Eric 
Brewer, A secure environment for untrusted helper 
applications (confining the wily hacker), 6th USENIX 
Security Symposium (1996). URL: <http://www.usenix.org/publications/library/proceedings/sec96/goldberg.html>.

David S. Peterson, Matt Bishop, Ra ju Pandey, A 
flexible containment mechanism for executing 
untrusted code, 11th USENIX Security Symposium 
(2002). URL: <http://www.usenix.org/events/sec02/peterson.html>.

>>For things like the webserver, what can help a lot is
>>writing stuff in a language that is immune from buffer
>>overflows and the like.
>
>That's a good idea, too, but not sufficient on its own (just as the
>principle of least privilege is not sufficient on its own).

Yes, SQL injection attacks aren't based on taking over the web
server.  They depend on it failing at the devilishly hard problem of
quoting an arbitrary string so some j-random SQL parser will treat
it as data and not instructions.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032