Domain: subterfugue.org
Stories and comments across the archive that link to subterfugue.org.
Comments · 6
-
Unfortunately, no...However, there exist some alternatives. User-mode linux allows you to sandbox a collection of linux applications in a most efficient way. Effectively, you can restrict access to anything you like. However, it's still very much a work in progress (not actually getting user-mode linux to run, that is fine, but using it as a secure sandbox is).
A more realistic alternative in the short term might be subterfugue, which allows you to intercept any system call, and make a configuration file for each program, to see which system calls they are allowed to perform. It is also a lot slower than a uml sandbox would be.
But both are at the moment probably best described as hackers tools. They are not in any way comparably in convenience to windows application firewalls, but they have functionality that extends them. I'd be interested to hear about anyone with real experience in using any of these (or other tools) for similar purposes.
-
Re:I suppose what you are trying to say is...You might also find this interesting.
--Mike
-
SUBTERFUGUE could do this...You might find SUBTERFUGUE interesting. It's kind of alpha, but it could do this, given the right trick.
(Disclosure: I'm the principal author.)
--Mike
-
what he said (MOD PARENT UP PLS)I'm sure it's been a long and tedious road, but solving this really matters.
My project, SUBTERFUGUE, is written in Python, GPL'ed, and included in Debian, so I have a (small) dog in this race.
The FSF has been right about things so far. If you truly disagree with them, make that argument to them (and us). But please don't let exhaustion be the reason for just letting things drop in the current murky state.
--Mike
-
Trust No One
This approach of trusting only certain authorities is very limiting; it means that only well-known groups could provide me with software. Signatures protect against tampering between the source and destination, but what about attacks from the source? In this modern age, I would like to be able to try software from some random dude in Tuva or Timbuktu. How can I do that without exposing myself to attacks?
One approach that I've wanted to try should be helpful, but I haven't had time to build it. Others have talked about this elsewhere, I'm pretty sure, but I still don't have the app in my hands. Do any of you have time to write it?
Most software I install is installed by root, but will then be run by a random user. Let's suppose that I'm willing to trust code as an unprivileged user but not as root.
The fundamental approach is sandboxing. Don't trust software based on the name of the author (and the signatures that authenticate it), but on what the software does. We're going to run the installer (e.g. rpm or configure/make/make install) from within a specially-configured subterfugue process. Subterfugue intercepts system calls and can replace the requested actions with custom ones. open,write,mkdir,mknod,rmdir,unlink,etc. will all be intercepted.
I would configure subterfugue such that:
- read/write access to files and request for network connections is deferred until permission is granted at a prompt
- when write access is granted, the file is copied to a sandbox and the installer is allowed to open the copy.
At this point, no files outside the sandbox have been modified. Post-modification checks are done here, optionally examining the "diff" relative to the real file. If any of these tests fail, the software should not be installed. If it is to be installed, then the modified files are moved from the sandbox to the real locations.
Whether installation is aborted or completed, clean-up is merely erasing the entire sandbox directory.
This sort of thing is complicated to use, but that's because it's asking for complex judgement from the user. It's begging for a clean front-end with permission rules ("let it create new executables in
/usr/local/bin", "allow all writes to this directory subtree", etc.). And if anyone has a simpler way to achieve this goal (other than the current "hope you're safe").Furthermore, this approach only protects from installer attacks that are trying to gain root access. It doesn't protect against attacks against run by the user account (which could even be root!). If one were really committed, one could place a subterfugue wrapper around all programs, tuning them for permission only for the files and network access you decide they need. But there you may have an unacceptable slowdown from the interception of all system calls.
-
SUBTERFUGUEGood points. If this bothers you, you may find SUBTERFUGUE interesting. It provides a means for you not to have to totally trust every program you run.
(It runs under vanilla Linux 2.4 and a Debian package is available, but it is kind of slow and alpha.)
--Mike