Line 23: | Line 23: | ||
*different resources or types of file systems may not be protected from direct access by low-privilege processes, due to lack of support for security descriptors (ex. FAT and FAT32: http://dev.chromium.org/developers/design-documents/sandbox#TOC-The-token) | *different resources or types of file systems may not be protected from direct access by low-privilege processes, due to lack of support for security descriptors (ex. FAT and FAT32: http://dev.chromium.org/developers/design-documents/sandbox#TOC-The-token) | ||
*a restricted process must lower privilege effectively after boostrapping, and close any open privileged resources beforehand | *a restricted process must lower privilege effectively after boostrapping, and close any open privileged resources beforehand | ||
*if low privilege content has access to, or provides input directly to, drivers such as video, printing, storage, etc. there is a significant risk that those device drivers are not designed to consume malicious / untrusted content | *if low privilege content has access to, or provides input directly to, drivers such as video, printing, storage, fonts, etc. there is a significant risk that those device drivers are not designed to consume malicious / untrusted content | ||
==System / Local Network Data Theft== | ==System / Local Network Data Theft== | ||
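Review bot: the spelling error "boostrapping" in the second bullet survives this revision on both sides; since the hunk is being touched anyway, correct it to "bootstrapping". In the third bullet, adding "fonts" to a list introduced as "drivers such as video, printing, storage" mixes a data format with device drivers; consider "drivers and OS components such as video, printing, storage and font rendering" so the risk statement ("not designed to consume malicious / untrusted content") reads correctly for every item in the list.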
Line 36: | Line 36: | ||
*theft of local and network files via file:// and related schemes | *theft of local and network files via file:// and related schemes | ||
*theft of local data via direct access to database or database files | *theft of local data via direct access to database or database files | ||
==== Assets at Risk ==== | |||
* local files, registry entries, etc. | |||
* network files (NFS, SMB) | |||
* intranet servers / services | |||
==Cross-domain Compromise== | ==Cross-domain Compromise== | ||
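Review bot: the new heading "==== Assets at Risk ====" jumps from a level-2 section ("==System / Local Network Data Theft==") straight to level 4 with no level-3 heading in between, and the spacing inside the equals signs differs from the "====Assets at Risk====" form added further down in this same diff; pick one heading level and one spacing and use it for every Assets at Risk subsection. The list itself lines up with the threats above it (file:// theft, direct database access, network files), though "intranet servers / services" would be clearer as "intranet servers / services reachable only from the user's network position", which is what makes them an asset here.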
Line 47: | Line 52: | ||
*A compromised process could persist after navigating to a different FQDN | *A compromised process could persist after navigating to a different FQDN | ||
*Overwrite cached content | *Overwrite cached content | ||
====Assets at Risk==== | |||
*Cookies and other session tokens | |||
*Saved passwords | |||
*Web content and data | |||
*Cache | |||
==Cross-domain Data Theft== | ==Cross-domain Data Theft== | ||
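Review bot: "Web content and data" is too vague for an asset list; since this section is about cross-domain compromise, name what is at stake, e.g. "page content and DOM state of other origins handled by the same process". The "Cache" entry is the asset behind the "Overwrite cached content" threat listed just above it, and "Cookies and other session tokens" and "Saved passwords" are what a process that persists across an FQDN change could reach; a one-line mapping from each threat to its asset would make the subsection easier to check for completeness.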
Line 113: | Line 124: | ||
Plugins are not planned to be sandboxed yet, since they require their own broker architecture, mostly due to challenges around: | Plugins are not planned to be sandboxed yet, since they require their own broker architecture, mostly due to challenges around: | ||
* filesystem access (file uploads, downloads, media playback) | |||
* auto-update | |||
* potentially registry and network access (binary sockets, etc) - or allow them unlimited access | |||
==General pitfalls== | |||
*Some Windows processes don't respect token privileges, they clone their own token based upon the user with default permissions (task manager is an example) | |||
*Some services allow anyone to talk to them regardless of restrictions (Telnet service for example) | |||
*There are a lot of DLLs in Windows that inject themselves into a process (like renderer) that can't deal with restricted rights tokens, so they crash or behave inappropriately (leave handles open, etc). | |||
*Never patch a process that's already running |
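Review bot: in the third General pitfalls bullet the parenthetical "(like renderer)" reads as if the renderer were one of the injecting DLLs; move it so the sentence says "inject themselves into a process such as the renderer". In the plugins list, the trailing "- or allow them unlimited access" is a dangling alternative; state it as its own sentence ("the alternative is to grant plugins unrestricted access") and finish "(binary sockets, etc)" with a period. The last bullet, "Never patch a process that's already running", gives no reason; a short rationale would help readers who take this list as guidance rather than as notes.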