|
|
Subscribe / Log in / New account

Priviledge Seperation

Priviledge Seperation

Posted Dec 10, 2015 17:59 UTC (Thu) by iabervon (subscriber, #722)
In reply to: Priviledge Seperation by pwfxq
Parent article: Wireshark 2.0: Now with Qt

It might be interesting to consider isolating the packet analysis from the UI, and running the packet analysis in a process without the ability to use nearly any system calls. Even without any special privileges, it's easy to imagine an attack that uses a bug in a dissector to send the whole packet dump somewhere over TOR, which could reveal a bunch of local network secrets in response to having attacker-generated packets in the same dump.

to post comments

Priviledge Seperation

Posted Dec 10, 2015 20:00 UTC (Thu) by bronson (subscriber, #4806) [Link] (2 responses)

I had the same thought... If ever there was a case for tight sandboxing, dissectors are it.

I assume the catch is that Wireshark is cross-platform and sandboxing is not. Very very not.

Priviledge Seperation

Posted Dec 10, 2015 22:33 UTC (Thu) by johill (subscriber, #25196) [Link] (1 responses)

Writing dissectors is already a huge pain ;-)
Seriously though - it could probably be done since the dissectors interact with an abstract representation of the parse tree, but you'd have to serialize that across some kind of protocol which is likely quite awful ...

I think the cross-platform angle seems a bit of a red herring; once you've split it out to a separate process you could get the security where it's supported?

Priviledge Seperation

Posted Dec 11, 2015 15:27 UTC (Fri) by raven667 (subscriber, #5198) [Link]

As far as cross platform sandboxing, it seems the browser vendors have lead the way, Chrome was designed around the needs of sandboxing and has researched it thoroughly on all supported operating systems, so using that as a template to start from seems the smart move.

It seems you only need a file descriptor in/out, input would be pcap data, output would have to be structured for consumption by the Wireshark UI, which provides its own attack surface and potential for failure, but it should be lower than that of the dissectors themselves, even as the dissectors are re-written in a safer way. How is that done in browser land, what validation does the display process have of data being fed from the parser?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds