Writing Sandboxed Software

I’ve written a series of articles on various Linux sandboxing capabilities that developers can make use of to write their programs in a more secure fashion. If you’re interested, have a look.

Here’s a link to all of the articles:

Seccomp Filters: http://www.insanitybit.com/2014/09/08/3719/

Linux Capabilities: http://www.insanitybit.com/2014/09/08/sandboxing-linux-capabilities/

Chroot Sandbox: http://www.insanitybit.com/2014/09/08/sandboxing-chroot-sandbox/

Apparmor: http://www.insanitybit.com/2014/09/08/sandboxing-apparmor/

And here’s a link to the GitHub for SyslogParse, the program I use as a demonstration:

https://github.com/insanitybit/SyslogParser

Sandboxing: Chroot Sandbox

This is the third installment in a series on various sandboxing techniques that I’ve used in my own code to restrict an application’s capabilities. You can find a shorter overview of these techniques here. This article will be discussing Chroot sandboxing.

Intro To Chroot:

If you’ve been on Linux for a little while you may have already heard of a chroot. Maybe some service you use “chroots” itself. You may have also heard that chroot’ing isn’t great for security, or maybe even that chroots are super easy to break out of. Whoever said that isn’t wrong; chroot environments can be great for confining some things and really awful for confining others.

Chroot is, simply, “change root”. The Linux file system has a root, it’s “/” – everything is an offset from this root node. But with chroot you can tell a process that “/” is actually somewhere else. Now, as far as that process knows, the entire filesystem begins somewhere else.

There are two requirements for a process to be able to break out of a chroot environment:

1) The ability to call chroot() again (this requires root, or CAP_SYS_CHROOT)

2) The ability to write to the chroot environment.

So, as soon as you chroot, your process should drop privileges and lose the CAP_SYS_CHROOT capability. If you can remove write access, all the better.

In the case of SyslogParse I did both.

The Code:

/* needs <sys/stat.h>, <unistd.h> and <err.h> */
mkdir("/tmp/syslogparse/", 0400);   /* octal: owner read-only, no write bit for anyone */

chdir("/tmp/syslogparse/");

if(chroot("/tmp/syslogparse/") != 0)
    err(1, "chroot failed");        /* exit with a non-zero status on failure */

Line by line:

mkdir("/tmp/syslogparse/", 0400);

mkdir() is a system call that makes a directory at the specified path, with the specified permissions. The mode has to be written in octal (0400); a decimal 400 is a different bit pattern (0620).

In this case the code is creating a directory /tmp/syslogparse/ and only root can read the folder, and no one can write to it.

chdir("/tmp/syslogparse/");

We move our working directory to the folder we’ve just created.

if(chroot("/tmp/syslogparse/") != 0)
    err(1, "chroot failed");

chroot changes the root directory to the folder we’ve just created. Now the program, as far as it knows, is at “/” – the root directory. It only sees an empty file system, none of which it can write to.

The next step here is to drop permissions with setuid() and setgid(), which I’ll be going over in the next article.

Conclusion:

At this point the chroot *can* be broken out of. Nothing is stopping this program from simply changing the mode of the folder to allow writing to it. If, however, you drop privileges (again, see next article), you’ll be in a chroot that can not be bypassed by any design flaws in the chroot itself.

The benefits of being in a no-write chroot are quite nice. The process can’t write any files, which means it can’t open any pipes to other processes – no communication.

With a Grsecurity kernel (some distros package these particular chroot modifications) there’s a host of other restrictions applied: chroot sort of acts as a separate namespace/user, and communicating outside of the chroot in any new way is denied. The process is isolated more strictly.

It’s a very nice way to sandbox an application, and it’s fairly simple, though not suitable for all applications.
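The two breakout requirements listed above can be checked for a given process. The following C program is an added example, not code from SyslogParse: it reads the CapEff line of /proc/<pid>/status for CAP_SYS_CHROOT and evaluates whether a uid/gid can write to (or chmod) the jail directory. The function names, the sample status text and the uid/gid values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Capability bit numbers from <linux/capability.h>. */
#define CAP_DAC_OVERRIDE_BIT 1   /* bypass file permission checks */
#define CAP_FOWNER_BIT       3   /* chmod files the process does not own */
#define CAP_SYS_CHROOT_BIT   18  /* call chroot() */

/* Constructed sample: status text of a process running with full root. */
static const char SAMPLE_ROOT_STATUS[] =
    "Name:\tsyslogparse\nUid:\t0\t0\t0\t0\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";

static int has_cap(uint64_t capeff, int bit)
{
    return (int)((capeff >> bit) & 1);
}

/* Pull the effective capability mask out of /proc/<pid>/status text.
 * Returns 0 on success, -1 when no well-formed CapEff line exists. */
int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = strncmp(status, "CapEff:", 7) == 0 ? status : NULL;

    if (p == NULL && (p = strstr(status, "\nCapEff:")) != NULL)
        p++;                          /* step over the newline */
    if (p == NULL)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isxdigit((unsigned char)*p))
        return -1;                    /* empty value: do not read the next line */
    *mask = strtoull(p, NULL, 16);
    return 0;
}

/* Requirement 1: the process can call chroot() again. */
int can_call_chroot(uint64_t capeff)
{
    return has_cap(capeff, CAP_SYS_CHROOT_BIT);
}

/* Requirement 2: the process can write to the jail directory, either
 * directly or by changing its mode first. Supplementary groups and ACLs
 * are not modelled here. */
int can_write_jail(mode_t mode, uid_t owner, gid_t group,
                   uid_t uid, gid_t gid, uint64_t capeff)
{
    if (has_cap(capeff, CAP_DAC_OVERRIDE_BIT) || has_cap(capeff, CAP_FOWNER_BIT))
        return 1;
    if (uid == owner)
        return 1;                     /* the owner can always chmod u+w */
    if (gid == group)
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Both requirements together, as the article lists them. */
int breakout_preconditions_met(uint64_t capeff, mode_t mode, uid_t owner,
                               gid_t group, uid_t uid, gid_t gid)
{
    return can_call_chroot(capeff) &&
           can_write_jail(mode, owner, group, uid, gid, capeff);
}

/* Inspects the current process. For a jailed process, read its
 * /proc/<pid>/status from outside: an empty jail has no /proc. */
int main(void)
{
    char buf[8192];
    uint64_t capeff = 0;
    struct stat st;
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");

    if (f == NULL) {
        perror("/proc/self/status");
        return 1;
    }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_capeff(buf, &capeff) != 0 || stat("/", &st) != 0) {
        fprintf(stderr, "could not inspect this process\n");
        return 1;
    }
    printf("can call chroot(): %s\n", can_call_chroot(capeff) ? "yes" : "no");
    printf("can write to /:    %s\n",
           can_write_jail(st.st_mode, st.st_uid, st.st_gid,
                          geteuid(), getegid(), capeff) ? "yes" : "no");
    if (parse_capeff(SAMPLE_ROOT_STATUS, &capeff) == 0)
        printf("sample root process can call chroot(): %s\n",
               can_call_chroot(capeff) ? "yes" : "no");
    printf("decimal 400 as a mode is %04o, not 0400\n", 400u);
    return 0;
}
```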

Next Up: Limited Users

Penetration Testing Report

So for one of my classes I had to perform a full penetration test on a server. It wasn’t particularly difficult but I figured I’d share the report here. I’ve done this twice now for the same class (different setups) and it’s been pretty fun.

This is all purposefully vulnerable stuff. It was script kiddie stuff to get in but fun nonetheless. The report is written as if it had been handled by a legitimate team of pentesters.

Here’s the report.

[PDF] http://www.insanitybit.com/wp-content/uploads/2014/03/PentestReport.pdf

VLC Apparmor Profile

I have a profile for VLC that works on 64bit Ubuntu with no abstractions. If you’re on another distro or not 64bit, just add <abstractions/base> and remove all of the libraries.

I built this a long time ago to see how annoying it would be to remove abstractions, so it may not be perfect, I haven’t looked at it in a while, but I know it runs fine on my system.

Decided to post it because of a recent writeup about a VLC exploit, here.

 

# Last Modified: Sat Sep  7 23:23:17 2013

#include <tunables/global>

 

/usr/bin/vlc {

 deny network inet dgram,

 deny /etc/apparmor.d/abstractions/base r,

 

 / r,

 /bin/dash rCx,

 /dev/ r,

 /dev/ati/card* rw,

 /dev/dri/card* rw,

 /dev/null rw,

 /dev/snd/ r,

 /dev/snd/control* rw,

 /dev/tty rw,

 /dev/urandom r,

 /etc/drirc r,

 /etc/fonts/** r,

 /etc/gai.conf r,

 /etc/host.conf r,

 /etc/hosts r,

 /etc/ld.so.cache r,

 /etc/locale.alias r,

 /etc/localtime r,

 /etc/nsswitch.conf r,

 /etc/passwd r,

 /etc/pkcs11/modules/ r,

 /etc/pkcs11/modules/gnome-keyring.module r,

 /etc/pulse/client.conf r,

 /etc/services r,

 /etc/ssl/certs/ca-certificates.crt r,

 /etc/xdg/Trolltech.conf rk,

 /etc/xdg/sni-qt.conf rk,

 /home/ r,

 /home/*/* r,

 /home/*/.config/ rw,

 /home/*/.config/** rk,

 /home/*/.config/Trolltech.conf* rwk,

 /home/*/.config/gtk-*/gtkfilechooser.ini* rw,

 /home/*/.config/vlc/ rw,

 /home/*/.config/vlc/** rwk,

 /home/*/.dbus/ w,

 /home/*/.dbus/session-bus/ w,

 /home/*/.dbus/session-bus/* w,

 /home/*/.local/ w,

 /home/*/.local/share/ w,

 /home/*/.local/share/* rw,

 /home/*/.local/share/icons/ r,

 /home/*/.local/share/icons/hicolor/**/ r,

 /home/*/.local/share/mime/* r,

 /home/*/.local/share/vlc/ rw,

 /home/*/.local/share/vlc/* rw,

 /home/*/.local/share/vlc/*/ rw,

 /home/*/.pulse-cookie rwk,

 /home/*/.pulse/ r,

 /home/*/Documents/ r,

 /home/*/Documents/** rwk,

 /home/*/Downloads/ r,

 /home/*/Downloads/** rwk,

 /home/*/Videos/** rwk,

 /lib/libnss_mdns4.so* mr,

 /lib/libnss_mdns4_minimal.so* mr,

 /lib/x86_64-linux-gnu/ld-*.so mr,

 /lib/x86_64-linux-gnu/libbz2.so.* mr,

 /lib/x86_64-linux-gnu/libc-*.so mr,

 /lib/x86_64-linux-gnu/libcap.so.* mr,

 /lib/x86_64-linux-gnu/libcom_err.so.* mr,

 /lib/x86_64-linux-gnu/libcrypt-*.so mr,

 /lib/x86_64-linux-gnu/libdbus-*.so* mr,

 /lib/x86_64-linux-gnu/libdl-*so mr,

 /lib/x86_64-linux-gnu/libexpat.so.* mr,

 /lib/x86_64-linux-gnu/libgcc_s.so.* mr,

 /lib/x86_64-linux-gnu/libgcrypt.so.* mr,

 /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,

 /lib/x86_64-linux-gnu/libgpg-error.so.* mr,

 /lib/x86_64-linux-gnu/libjson.so.* mr,

 /lib/x86_64-linux-gnu/libkeyutils.so.* mr,

 /lib/x86_64-linux-gnu/liblzma.so.* mr,

 /lib/x86_64-linux-gnu/libm-*so mr,

 /lib/x86_64-linux-gnu/libncurses.so.* mr,

 /lib/x86_64-linux-gnu/libncursesw.so.* mr,

 /lib/x86_64-linux-gnu/libnsl-*.so mr,

 /lib/x86_64-linux-gnu/libnss_compat-*.so mr,

 /lib/x86_64-linux-gnu/libnss_dns-*.so mr,

 /lib/x86_64-linux-gnu/libnss_files-*.so mr,

 /lib/x86_64-linux-gnu/libnss_nis-*.so mr,

 /lib/x86_64-linux-gnu/libpcre.so.* mr,

 /lib/x86_64-linux-gnu/libpng*.so.* mr,

 /lib/x86_64-linux-gnu/libpthread-*so mr,

 /lib/x86_64-linux-gnu/libresolv-*.so mr,

 /lib/x86_64-linux-gnu/librt-*so mr,

 /lib/x86_64-linux-gnu/libselinux.so.* mr,

 /lib/x86_64-linux-gnu/libslang.so.* mr,

 /lib/x86_64-linux-gnu/libtinfo.so.* mr,

 /lib/x86_64-linux-gnu/libudev.so.* mr,

 /lib/x86_64-linux-gnu/libusb-*.so.* mr,

 /lib/x86_64-linux-gnu/libuuid.so.* mr,

 /lib/x86_64-linux-gnu/libwrap.so.* mr,

 /lib/x86_64-linux-gnu/libz.so.* mr,

 /media/** rwk,

 /proc/ r,

 /proc/*/auxv r,

 /proc/*/cmdline r,

 /proc/*/fd/ r,

 /proc/*/maps r,

 /proc/*/stat r,

 /proc/*/status r,

 /proc/ati/ r,

 /proc/filesystems r,

 /proc/meminfo r,

 /proc/modules r,

 /proc/sys/kernel/pid_max r,

 /proc/sys/vm/overcommit_memory r,

 /proc/uptime r,

 /run/resolvconf/resolv.conf r,

 /run/shm/ r,

 /run/shm/pulse-shm-* rw,

 /run/user/*/dconf/user rw,

 /sys/devices/system/*/ r,

 /sys/devices/system/cpu/online r,

 owner /tmp/** rw,

 /usr/bin/vlc r,

 /usr/bin/xdg-screensaver Cx,

 /usr/lib/fglrx/libGL.so.* mr,

 /usr/lib/fglrx/libatiuki.so.* mr,

 /usr/lib/liba*-*.so* mr,

 /usr/lib/libcddb.so* mr,

 /usr/lib/libcdio.so* mr,

 /usr/lib/libdca.so* mr,

 /usr/lib/libdvbpsi.so* mr,

 /usr/lib/libenca.so* mr,

 /usr/lib/libiso9660.so* mr,

 /usr/lib/libkate.so* mr,

 /usr/lib/liblirc_client.so* mr,

 /usr/lib/libmodplug.so* mr,

 /usr/lib/libmpcdec.so* mr,

 /usr/lib/libresid-builder.so* mr,

 /usr/lib/libsidplay2.so* mr,

 /usr/lib/libtar.so* mr,

 /usr/lib/libtwolame.so* mr,

 /usr/lib/libvcdinfo.so* mr,

 /usr/lib/libvlc.so* mr,

 /usr/lib/libvlccore.so* mr,

 /usr/lib/locale/locale-archive r,

 /usr/lib/vlc/lua/meta/reader/ r,

 /usr/lib/vlc/lua/meta/reader/filename.luac r,

 /usr/lib/vlc/lua/modules/simplexml.luac r,

 /usr/lib/vlc/lua/playlist/ r,

 /usr/lib/vlc/lua/playlist/* r,

 /usr/lib/vlc/plugins/ r,

 /usr/lib/vlc/plugins/*/ r,

 /usr/lib/vlc/plugins/*/lib*.so mr,

 /usr/lib/vlc/plugins/plugins.dat* rw,

 /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_conf_pulse.so mr,

 /usr/lib/x86_64-linux-gnu/dri/r*_dri.so mr,

 /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/CP*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/UTF-*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders/lib*.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/ r,

 /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache r,

 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/engines/libmurrine.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/gtk.immodules r,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/immodules/im-ibus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/menuproxies/libappmenu.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/libcanberra-gtk-module.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/liboverlay-scrollbar.so mr,

 /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,

 /usr/lib/x86_64-linux-gnu/libFLAC.so.* mr,

 /usr/lib/x86_64-linux-gnu/libICE.so.* mr,

 /usr/lib/x86_64-linux-gnu/libLLVM-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtCore.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtDBus.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtGui.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtSvg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtXml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL_image-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSM.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11-xcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXau.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcomposite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcursor.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdamage.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdmcp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXext.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXfixes.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXinerama.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrandr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrender.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXxf86vm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaa.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasound.so.* mr,

 /usr/lib/x86_64-linux-gnu/libass.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasyncns.so.* mr,

 /usr/lib/x86_64-linux-gnu/libatk-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaudio.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-client.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-common.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavcodec.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavformat.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavutil.so.* mr,

 /usr/lib/x86_64-linux-gnu/libbluray.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcaca.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcairo.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcroco-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcrystalhd.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdatrie.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-qt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirac_encoder.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirect-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirectfb-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdricore*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm_radeon.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdnav.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdread.so.* mr,

 /usr/lib/x86_64-linux-gnu/libebml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfaad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libffi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfontconfig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfreetype.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfribidi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfusion-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgallium.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgconf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgio-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libglapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgmodule-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgnutls.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgobject-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgsm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libharfbuzz.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,

 /usr/lib/x86_64-linux-gnu/libibus-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicudata.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicui18n.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicule.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicuuc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libixml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjbig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjpeg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjson.so.* mr,

 /usr/lib/x86_64-linux-gnu/libk5crypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5support.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblber-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblcms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libldap_r-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmatroska.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmng.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmpeg*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmtp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libnotify.so.* mr,

 /usr/lib/x86_64-linux-gnu/libogg.so* mr,

 /usr/lib/x86_64-linux-gnu/libopus.so.* mr,

 /usr/lib/x86_64-linux-gnu/liborc-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libp11-kit.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpango-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangocairo-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangoft2-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpixman-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpostproc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/ r,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/config_gnome*.so mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/network_networkmanager.so mr,

 /usr/lib/x86_64-linux-gnu/libpulse-simple.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,

 /usr/lib/x86_64-linux-gnu/libraw*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libroken.so.* mr,

 /usr/lib/x86_64-linux-gnu/librom*.so.* mr,

 /usr/lib/x86_64-linux-gnu/librsvg-2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsamplerate.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libschroedinger-*.so* mr,

 /usr/lib/x86_64-linux-gnu/libshout.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsmbclient.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsndfile.so.* mr,

 /usr/lib/x86_64-linux-gnu/libspeex.so* mr,

 /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,

 /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr,

 /usr/lib/x86_64-linux-gnu/libssh2.so* mr,

 /usr/lib/x86_64-linux-gnu/libstdc*.so* mr,

 /usr/lib/x86_64-linux-gnu/libswscale.so* mr,

 /usr/lib/x86_64-linux-gnu/libtag.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtalloc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libthai.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtheora.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoradec.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoraenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libthreadutil.so* mr,

 /usr/lib/x86_64-linux-gnu/libtiff.so* mr,

 /usr/lib/x86_64-linux-gnu/libtxc_dxtn_s2tc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libupnp.so* mr,

 /usr/lib/x86_64-linux-gnu/libv*.so* mr,

 /usr/lib/x86_64-linux-gnu/libv4lconvert.so* mr,

 /usr/lib/x86_64-linux-gnu/libva-x11.so* mr,

 /usr/lib/x86_64-linux-gnu/libva.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbis.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisfile.so* mr,

 /usr/lib/x86_64-linux-gnu/libvpx.so* mr,

 /usr/lib/x86_64-linux-gnu/libwbclient.so* mr,

 /usr/lib/x86_64-linux-gnu/libwebp.so* mr,

 /usr/lib/x86_64-linux-gnu/libwind.so* mr,

 /usr/lib/x86_64-linux-gnu/libx264.so* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-composite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-glx.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-keysyms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-randr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-render.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-shm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-xv.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libzvbi.so.* mr,

 /usr/lib/x86_64-linux-gnu/mesa/libGL.so.* mr,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/ r,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango*.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango1.0-0.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-basic-fc.so mr,

 /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs*.so mr,

 /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-*.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/libqsvgicon.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqgif.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqico.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqjpeg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqmng.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqsvg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtga.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtiff.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/libqimsw-multi.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/libappmenu-qt.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/libsni-qt.so mr,

 /usr/lib{,32,64}/ r,

 /usr/local/share/fonts/ r,

 /usr/local/share/pixmaps/ r,

 /usr/share/X11/locale/*/Compose r,

 /usr/share/X11/locale/*/XLC_LOCALE r,

 /usr/share/X11/locale/compose.dir r,

 /usr/share/X11/locale/locale.alias r,

 /usr/share/X11/locale/locale.dir r,

 /usr/share/alsa/* r,

 /usr/share/alsa/alsa.conf.d/ r,

 /usr/share/alsa/alsa.conf.d/50-pulseaudio.conf r,

 /usr/share/alsa/alsa.conf.d/bluetooth.conf r,

 /usr/share/alsa/alsa.conf.d/pulse.conf r,

 /usr/share/alsa/cards/aliases.conf r,

 /usr/share/alsa/pcm/default.conf r,

 /usr/share/fonts/ r,

 /usr/share/fonts/** r,

 /usr/share/glib-2.0/schemas/gschemas.compiled r,

 /usr/share/gvfs/remote-volume-monitors/ r,

 /usr/share/gvfs/remote-volume-monitors/*.monitor r,

 /usr/share/icons/ r,

 /usr/share/icons/** rk,

 /usr/share/libthai/* r,

 /usr/share/mime/mime.cache r,

 /usr/share/pixmaps/ r,

 /usr/share/poppler/cMap/*/ r,

 /usr/share/themes/** r,

 /var/cache/** mr,

 /var/lib/dbus/machine-id r,

 /var/lib/defoma/fontconfig.d/* r,

 profile /bin/dash {

 

   /bin/dash mr,

   /etc/ld.so.cache r,

   /etc/nsswitch.conf r,

   /etc/passwd r,

   /home/*/.config/dconf/user r,

   /lib/x86_64-linux-gnu/ld-*.so r,

   /lib/x86_64-linux-gnu/libc-*.so* mr,

   /run/user/*/dconf/user rw,

   /usr/lib/x86_64-linux-gnu/libproxy/*/pxgsettings rix,

   /usr/share/glib-2.0/schemas/gschemas.compiled r,

 

 }

 

 profile /usr/bin/xdg-screensaver {

   #include <abstractions/ubuntu-konsole>

 

   capability sys_ptrace,

   /bin/cat rix,

   /bin/dash rix,

   /bin/grep rix,

   /bin/hostname rix,

   /bin/ln rix,

   /bin/mktemp rix,

   /bin/mv rix,

   /bin/ps rix,

   /bin/rm rix,

   /bin/sed rix,

   /bin/sleep rix,

   /bin/which rix,

   /home/*/.Xauthority r,

   /proc/ r,

   /proc/*/mounts r,

   /proc/*/stat r,

   /proc/*/status r,

   /proc/cpuinfo r,

   /proc/filesystems r,

   /proc/meminfo r,

   /proc/stat r,

   /proc/sys/kernel/pid_max r,

   /proc/tty/drivers r,

   /proc/uptime r,

   /tmp/* rw,

   /usr/bin/cut rix,

   /usr/bin/dbus-send rix,

   /usr/bin/gnome-screensaver-command rix,

   /usr/bin/xdg-screensaver r,

   /usr/bin/xprop rix,

   /usr/bin/xset rix,

 

 }

}

HTTPSwitchBoard – Security / Privacy Extension For Chrome

For the last couple of weeks I’ve been using HTTPSwitchBoard. It’s reminiscent of NoScript or Request Policy on Firefox, but has a wonderful and intuitive user interface. The goal of the extension is to allow users to control what content is loaded on their webpages. It intercepts requests for content and displays them to the user, allowing them to decide which they would like to allow. It is the first ‘script control’ or ‘content control’ extension that I have used on Chrome that has a decent user interface and isn’t totally broken. And, it works – it passes various Javascript tests.

[Screenshot: httpsb]

As you can see in the above screenshot you get quite a lot of information about what a website needs. In this case I’m creating a whitelist of content for http://www.insanitybit.com and any third party content loaded onto it.

Creating the whitelist is simple, and you can get quite strict with the settings.

As you can see I’ve opened up a ‘list’ in the top left; that list determines where these rules apply. By default it applies to “*”, which means that whatever I whitelist will be whitelisted on all sites (that don’t have more specific rules). I can also do http://*.insanitybit.com, which means if there’s a forum.insanitybit.com the whitelist applies. Or, in this case, I’ve limited the rules to http://www.insanitybit.com. This is a wonderful feature. I, for example, have globally whitelisted imgur.com, because it’s loaded on so many sites. I can then also have my Facebook rules apply only to Facebook, leaving it blocked by default on all other sites. Very simple, very powerful.

Scripting control extensions have suffered in the past due to Chrome not allowing developers access to powerful APIs. The developer solved this by having all script control handled by Content Security Policy, and modifying the header before the request is made, thus disallowing Javascript reliably.

I like the extension a lot – while I am not really worried at all about security on my system, I find it much faster than Adblock Plus, simple to use, and I enjoy being able to control the content on webpages.

The developer is very responsive and all of the code is on GIT, which is wonderful.

You can find HTTP Switchboard on the Chrome webstore here:

https://chrome.google.com/webstore/detail/http-switchboard/mghdpehejfekicfjcdbfofhcmnjhgaag

Why I Preordered An Acer C720 Chromebook

A lot of people aren’t super into Chrome OS, but I personally think it’s a great operating system for netbooks. They’re light as hell on your resources and Chrome OS is arguably the most secure consumer operating system around.

So, why did I buy the Chromebook?

The Hardware

The Chromebook has some decent specs for the price (270 dollars after everything):

  • CPU: Haswell Celeron 2995U. 1.4GHz, dual-core, 2MB Cache
  • RAM: 4GB DDR3 (Soldered down…sorry kids. 4GB RAM should be enough for anybody)
  • Display: 11.6″ 1366×768 (16:9)
  • Disk: 16GB SSD (NGFF connector)

Now, this is not the most powerful device in the world. Intel really screwed up in my opinion when they left AVX and AES-NI instructions out of this CPU, but it’s still not weak at all. 4GB of RAM is definitely adequate for browsing and using many apps. A decent screen, and an SSD.

The hardware is really quite decent for a netbook, certainly for the price (comparable ACER notebooks are the same price). There’s also a really great battery life – 8.5 hours, and in my experience Chromebooks typically get as good or better battery life than advertised.

This is perfect for travel or going to my classes, which is 99% of the workload it’ll get.

The Software

Chrome OS is a really cool operating system. In my opinion, it’s the ideal operating system for a netbook. Whereas other operating systems will boot up taking 1GB of RAM, or more, just for the OS itself, ChromeOS (last I checked) boots with under 100MB usage. It’s a very stripped down and optimized Linux system, booting in just a few seconds. The hardware is completely dedicated to the operating system, so even though the specs aren’t very powerful, they’re not going to waste time on anything.

Chrome OS is easily the most secure operating system in terms of protecting the user from infection or exploitation. The Chrome sandbox on Linux is something I’ve written about in the past and I feel very confident in its security. As I’ve recently written about, Native Client apps, which allow for very low level and powerful programs to run on your Chromebook, are also placed into a sandbox.

On the topic of Native Client, I think it could be huge for Chromebooks. Right now many apps are glorified bookmarks – you click them, they take you to a site, and that’s it. Once Portable Native Client is released in Chrome 31 developers will have the tools to port projects that already exist over to ChromeOS with ease. LastPass has already started work on a Native Client binary plugin, and other projects can potentially be ported.

I’ll also be able to use my Chromebook to control other computers I own that run Chrome via the Chrome Remote Desktop plugin. That means that, should anything arise that my Chromebook can’t handle, I can simply control a system that I own that can handle the task.

The majority of the Chromebook usage is going to be Netflix, Google Docs, and Cloud 9 IDE, but I think I’ll have a lot of fun with it. I may at some point turn on Dev mode and start hacking at the low level stuff, but for the most part I just want a low maintenance system that I can take around with me.

 

64bit Chromium Is Building, Chrome To Follow?

Chromium 64bit for Windows appears to be building on Google’s official buildbot. Many users of 64bit Windows will be very happy about this, I’m sure. 64bit leads to potential performance improvements, as well as many security improvements (especially on Windows 8) so this could go very well for everyone.

It will be fun to see what developments come out of Chrome 64bit, and what kind of performance improvements we really see. The potential for performance improvements on a 64bit browser is… mixed, and complicated. Complicated data structures like the DOM won’t enjoy larger pointers and long int values, but there are other performance improvements that will potentially outweigh that.

In terms of security, among other things, Chrome will now be able to use High Entropy ASLR, a feature of Windows 8 that makes ASLR more resilient to specific types of attacks.

Naturally, Linux users have had 64bit Chrome for ages.

Encrypted Call And Text From WhisperSystems

WhisperSystems has released two Android apps that allow for encryption of all calls and texts with any other device running the apps.

RedPhone allows for encrypted calls using SRTP and ZRTP between you and other phones running RedPhone. Setup is simple and use of the app is seamless. All calls are VOIP, and the encryption documentation can be found here:

https://github.com/WhisperSystems/RedPhone/wiki/Encryption-Protocols

The other app, TextSecure, allows for both asymmetric encryption between you and those who also run the app as well as local encryption of text messages. You can even set a timeout so that your messages are locked after X minutes/hours – a very handy feature.

In light of recent disclosures about US wiretapping, PRISM and otherwise, you may want to seriously consider trying these out.

https://github.com/WhisperSystems/TextSecure/wiki/Protocol

You can download both of these apps off of the play store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms

Reminder: I Have A Twitter

Just a reminder, which I like to post once in a while, I do have a Twitter and I use it very often. It’s probably the easiest way to find out about new posts on this site, and I also use it a ton to retweet great research, talk to other people in the field, or ramble (in a brief 140 character limit) about security.

If you’re only following my website you’re only getting half of what I say, really.

Follow me @InsanityBit

Will Increased DVR Use Cut Into Advertiser Revenue?

This post is actually an application to the attsavings.com/scholarship, so it’s a break from my usual computer security content. The scholarship asks an interesting question:

In a presentation to advertisers, Ted Harbert, the chairman of NBC, expressed his distaste over using DVRs to skip commercials by saying, “This is an insult to our joint investment in programming, and I’m against it.”

Harbert is expressing an industry-wide phobia among broadcast networks, but what do you think?

The question of DVR and its effect on advertisers’ ability to make money is interesting, and really applies to quite a lot. Technology is fast paced, but adopting new business models tends to be slow. In the following post I’ll be discussing this specific relationship between DVR as a technology and advertising as a business model.

Will increased DVR use cut into TV advertising revenue?

DVR stands for Digital Video Recorder and, as the name suggests, it’s a technology used to record your favorite TV shows and then watch them later. You’re probably familiar with DVR devices, such as TiVo, which have made their ways into a very significant number of homes. The technology allows you to record your TV shows when you’re not around, and then watch at your convenience, with the ability to fast forward, rewind, or pause at any given time.

The issue that advertisers have with this is pretty clear – when you watch TV you get a commercial break, and those commercials are paid for by various companies. They make a lot of money using these commercials and DVR allows users to circumvent them easily.

But is the issue really DVR? Is that the one technology that advertisers should be worried about? With so many networks now hosting their content online through Hulu or their own services, it seems clear to me that users are always going to be able to control the content better than the advertisers can. Installing Adblock Plus is enough to remove the commercials in the vast majority of online broadcasting.

And what about Piracy? With pirated content the commercials are stripped right out of the videos. No fast forwarding necessary. Pirated content is usually available minutes after the TV show has aired, before the networks even have it on their sites, and it’s accessible by just about anyone.

And, most obviously, what about the remote? I don’t know anyone who doesn’t at the very least just mute their TV during commercials and then ignore it until the show is back, or they’ll just flip to another channel for a few minutes. How can that be controlled? It really can’t be.

All of these new ways of viewing content or avoiding commercials are not going to stop. Things are only going to get worse for advertisers who rely on commercials. But, again, we still need the money, so what to do?

Lately it seems like all that’s gotten done is a few innocent people have gotten in trouble for pirating. And while DVR is entirely legal, advertisers clearly aren’t happy about it.

But advertisers still need to make money, because all of this content has to get paid for somehow. What they need to do is evolve. The business model of commercials is broken once the users have any control over the content – you can try DRM, but anyone who’s read this blog should know that it’s just not going to do the trick. The content exists on a device that you own and you control, and it’s only ever a matter of work and time before you find a way to control any content that your device accesses.

Instead of trying to fight this technology they should be trying to work with it. Technology isn’t going to wait, they need to catch up. The answer, or at least one of the answers, is to move the advertisements into the shows. Instead of a coca-cola commercial for 30 seconds, have your main character stand near a vending machine, or order a coke at a diner. Get your products into the show, but don’t annoy anyone about it.

If you have a coca-cola commercial for 30 seconds, everyone’s just going to mute it. Or fast forward. Or change the channel. It doesn’t matter how they avoid it, but they will. You put a can of coke in the main character’s hand when he’s delivering a speech or dodging bullets, or anything, and people are going to notice it, but they’re not going to try to avoid it at all.

And maybe that’s not the solution; maybe the solution is to reformat the entire business model of entertainment. It’s difficult to say. What I can say, with absolute certainty, is that if you try to fight the progress of any technology that’s already out there, you will lose. This goes double for technologies that involve a user getting what they want in a convenient format.