ZeitOnline/briefkasten

Run metadata stripping processes in a sandbox

Closed this issue · 9 comments

It might make sense to run the metadata stripping processes in a sandbox or as a different user, as they run scripts which parse attacker-controlled data. Vulnerabilities in image or PDF parsing libraries are a possibility and would allow an attacker access to other whistleblowers' data in the current setting.

Yes, this makes sense and has been thought about as well. Ideally we could use FreeBSD jails for this, but we're stuck with Linux for now. We're still looking into specific options for sandboxing.

Keep in mind, though, that none of the submitted data is kept on the server (for more than a few seconds), so an attacker would usually just find empty dropboxes (although they might contain replies from the editors).

Depending on the distribution you can create a jail using AppArmor or SELinux.

The attacker may just find empty dropboxes/replies from the editors, but once he is inside the system he may be able to just wait for new submissions to be submitted (if not detected, of course).

Hi, I would not recommend running FreeBSD for the moment; it lacks basic security functions such as ASLR, making exploitation a piece of cake (remember the 90s?). I would recommend implementing a sandbox with seccomp: http://sourceforge.net/projects/libseccomp/ Some examples can be found here: http://outflux.net/teach-seccomp/

This is for the latest-greatest kernel versions. Ubuntu 12.04 ships with it apparently. Personally, I would prefer it over something like SELinux. AppArmor... not so sure, but seccomp is really nifty sandbox technology. I would recommend you to check it out!

For now we will go ahead with FreeBSD, simply since that's what we're most comfortable with.

I contend that a setup of something one is experienced with will always be safer than something that is perhaps nominally safer by design but with which you have no experience :-)

However, by including setup scripts that provide a mechanism to isolate these processes, we can give other folks -- perhaps such as yourself, nudge :-) -- a starting point to which they can add their own favorite setup.

I'm keeping this issue open until we have some code to show.

Feel free to continue the conversation...

@tomster
FreeBSD has Jails, now Linux has LXC (Linux containers), check that out, if you are still on Linux. ;-)

There's even a metadata stripping library here: https://mat.boum.org/

@DrWhax MAT looks interesting, will definitely evaluate that, thanks for the pointer!

/cc @erdgeist

With #18 we now have true sandboxing for the cleansing. While we're a) still on FreeBSD (which, btw, has ASLR by now, thankyouverymuch) and b) still haven't used something like what @DrWhax recommended, I'm closing this issue as far as the sandboxing is concerned.