[cap-talk] Google Chrome Interview
frantz at pwpconsult.com
Mon Apr 20 19:49:10 EDT 2009
cap-talk at collinjackson.com (Collin Jackson) on Sunday, April 19, 2009 wrote:
>File upload is described in a little more detail in our 2008 technical
>"Users can upload files to web sites using the file upload control. When
>the user clicks the form control, the browser displays a file picker
>dialog that lets the user select a file to upload. If the browser
>kernel did not restrict which files the rendering engine could upload,
>an attacker who compromised the rendering engine could read an
>arbitrary file on the user’s file system by uploading the file to
>attacker.com. Instead of confirming each file upload with a dialog box,
>Chromium uses a design similar to the DarpaBrowser’s “powerbox”
>pattern, treating the user’s selection of a file with a file picker
>dialog as an authorization to upload the file to an arbitrary web site.
>The browser kernel is responsible for displaying the file picker dialog
>and records which files the user has authorized for which instances of
>the rendering engine..."
This design is really a step forward.
The big problem with these designs, as I see it, is having a confined
environment where you can enforce some security properties. The Polaris
project had to stand on its head to find such an environment in Windows,
and finally settled on running the confined program under a different,
specially created, user account.
Fortunately in CapROS, we have such an environment. We are able to use that
environment to protect against buffer overruns in our web server. Quoting
a portion of the description in
>If we assume we create a new instance of the http object for each new tcp
>connection, and that the code of these instances is isolated from each
>other (i.e. taking over one instance doesn't allow taking over other
>instances), then the only Swiss numbers an instance knows are those passed
>in over the connection, and those it can find using its authorities.
>If we keep the Swiss number to object mapping in a directory which can not
>be enumerated (in an iterator, or getNext() kind of function), then our
>0wned http instance can only guess Swiss numbers and ask the directory if
>it guessed right.
For the whole discussion thread, see <http://sourceforge.net/mailarchive/message.php?msg_id=499C9E8D.6030708%40macslab.com>
Cheers - Bill
Bill Frantz | Airline peanut bag: "Produced | Periwinkle
(408)356-8506 | in a facility that processes | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
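The two designs quoted in the post share one mechanism: a confined instance (a Chromium renderer, a CapROS http object) never holds a file path or an enumerable directory, only unguessable references that a trusted component handed it. The following is an added illustration of that mechanism, not code from the post, from Chromium or from CapROS. The class names (BrowserKernel, SwissNumberDirectory, UploadGrant), the in-memory DISK stand-in and the renderer ids "tab-1"/"tab-2" are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class UploadGrant:
    """The kernel's record of one authorization: this renderer may upload this file."""
    renderer_id: str
    path: str


class SwissNumberDirectory:
    """Maps Swiss numbers (128-bit random tokens) to objects.

    Deliberately offers lookup by exact number only: there is no __iter__,
    keys() or getNext(), so a holder of the directory cannot enumerate it and
    a compromised instance can only guess numbers and ask whether it guessed right.
    """

    def __init__(self):
        self._entries = {}

    def add(self, obj):
        swiss = secrets.token_hex(16)  # 32 hex chars, 128 bits of entropy
        self._entries[swiss] = obj
        return swiss

    def lookup(self, swiss):
        return self._entries.get(swiss)


class BrowserKernel:
    """Trusted component: owns the disk and the file picker. Renderers hold no paths."""

    def __init__(self, disk):
        self._disk = disk  # constructed stand-in for the user's file system
        self._grants = SwissNumberDirectory()

    def user_picks_file(self, renderer_id, path):
        """Called only from the kernel's own file-picker UI after the user chose `path`.

        The user's act of choosing is the authorization (powerbox pattern): the
        kernel records it and returns an unguessable reference bound to the
        renderer instance that showed the form control.
        """
        if path not in self._disk:
            raise FileNotFoundError(path)
        return self._grants.add(UploadGrant(renderer_id, path))

    def read_for_upload(self, renderer_id, swiss):
        """The only file-reading API exposed to renderers: takes a grant, never a path."""
        grant = self._grants.lookup(swiss)
        if grant is None or grant.renderer_id != renderer_id:
            return None  # unknown number, or a grant recorded for a different instance
        return self._disk[grant.path]


def is_enumerable(directory):
    """True if iter() works on the directory, i.e. its contents could be listed."""
    try:
        iter(directory)
        return True
    except TypeError:
        return False


# Constructed sample disk: one file the user will pick, one the user never picks.
DISK = {
    "/home/alice/resume.pdf": b"%PDF-1.4 resume (constructed)",
    "/home/alice/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY----- (constructed)",
}


def run_scenario():
    kernel = BrowserKernel(DISK)
    # Renderer "tab-1" shows a form; the user picks resume.pdf in the kernel's dialog.
    grant = kernel.user_picks_file("tab-1", "/home/alice/resume.pdf")
    authorized = kernel.read_for_upload("tab-1", grant)
    # A compromised "tab-1" has no read-by-path call; all it can do is present numbers.
    guessed = kernel.read_for_upload("tab-1", secrets.token_hex(16))
    # A different renderer instance that learned the number still gets nothing,
    # because the kernel recorded which instance the user authorized.
    other_tab = kernel.read_for_upload("tab-2", grant)
    return {"authorized": authorized, "guessed": guessed, "other_tab": other_tab}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the example is that the confined side is never asked to behave; the kernel simply exposes no operation through which a path or a listing of grants could be obtained, so the attacker's remaining move is to guess a 128-bit number.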