Security/ProcessIsolation/ThreatModel: Difference between revisions

← Older edit

Security/ProcessIsolation/ThreatModel (view source)

Revision as of 05:42, 23 September 2009

272 bytes added , 23 September 2009

→‎Cross-domain Compromise

Ladamski

Confirmed users

717

edits

@@ Line 36: / Line 36: @@
 *theft of local and network files via file:// and related schemes
 *theft of local data via direct access to database or database files
+==== Assets at Risk ====
+* local files, registry entries, etc.
+* network files (NFS, SMB)
+* intranet servers / services
 ==Cross-domain Compromise==
@@ Line 47: / Line 52: @@
 *A compromised process could persist after navigating to a different FQDN
 *Overwrite cached content
+====Assets at Risk====
+*Cookies and other session tokens
+*Saved passwords
+*Web content and data
+*Cache
 ==Cross-domain Data Theft==
@@ Line 113: / Line 124: @@
 Plugins are not planned to be sandboxed yet, since they require their own broker architecture, mostly due to challenges around:
-- filesystem access (file uploads, downloads, media playback)
+* filesystem access (file uploads, downloads, media playback)
-- auto-update
+* auto-update
-- potentially registry and network access (binary sockets, etc) - or allow them unlimited access
+* potentially registry and network access (binary sockets, etc) - or allow them unlimited access
-==General threats==
+==General pitfalls==
 *Some Windows processes don't respect token privileges, they clone their own token based upon the user with default permissions (task manager is an example)
 *Some services allow anyone to talk to them regardless of restrictions (Telnet service for example)
 *There are a lot of DLLs in Windows that inject themselves into a process (like renderer) that can't deal with restricted rights tokens, so they crash or behave inappropriately (leave handles open, etc).
+*Never patch a process that's already running