Priviledge Seperation

Posted Dec 10, 2015 20:00 UTC (Thu) by bronson (subscriber, #4806)
In reply to: Priviledge Seperation by iabervon
Parent article: Wireshark 2.0: Now with Qt

I had the same thought... If ever there was a case for tight sandboxing, dissectors are it.

I assume the catch is that Wireshark is cross-platform and sandboxing is not. Very very not.

Priviledge Seperation

Posted Dec 10, 2015 22:33 UTC (Thu) by johill (subscriber, #25196) [Link] (1 responses)

Writing dissectors is already a huge pain ;-)
Seriously though - it could probably be done since the dissectors interact with an abstract representation of the parse tree, but you'd have to serialize that across some kind of protocol which is likely quite awful ...

I think the cross-platform angle seems a bit of a red herring; once you've split it out to a separate process you could get the security where it's supported?

Priviledge Seperation

Posted Dec 11, 2015 15:27 UTC (Fri) by raven667 (subscriber, #5198) [Link]

As far as cross platform sandboxing, it seems the browser vendors have lead the way, Chrome was designed around the needs of sandboxing and has researched it thoroughly on all supported operating systems, so using that as a template to start from seems the smart move.

It seems you only need a file descriptor in/out, input would be pcap data, output would have to be structured for consumption by the Wireshark UI, which provides its own attack surface and potential for failure, but it should be lower than that of the dissectors themselves, even as the dissectors are re-written in a safer way. How is that done in browser land, what validation does the display process have of data being fed from the parser?