• DevSummit
• 201808
• SoftwareSecurity

Session Leader: MariuszZaborski

https://hackmd.io/MqmyWiPvTwa0CWMbUM8Kvg (content has been migrated to this page)

• Capsicum
  • Capsicum built unconditionally?
    • optional Capsicum results in unfortunate "errno != ENOSYS" anti-pattern
    • enabled by default in most GENERIC kernels today, but not arm
    • enable along with armv7 GENERIC
    • why are people building w/o Capsicum today? unknown
    • desire to execute performance tests (bz)
    • too late for 12.0, benchmark within next 2.5 years
    • UWaterloo co-op student could do benchmarking in Jan-Apr 2019 term
    • switch sense of option or add to all kernel configs?
  • setproctitle(3)
    • recently optimized version
    • should it be allowed in capability mode?
      • room concensus suggests yes
• Capsicum-ish infrastracture
  • Casper services
    • dns, groups, passwd, random, sysctls, syslog
  • capsicum helpers
  • fdunlinkat(2)
  • process descriptors
    • thread descriptors (for debugging)
• Capcisized things in base

  • Capsicum

• Capcisize things in ports
  • okular (not upstreamed)
  • irssi upstreamed (trasz)
  • Chromium (rather old patch set)
  • Firefox - need Capsicum support in Rust
  • git (server)
  • svn server
  • Chrome embedded framework (CEF)
  • ffmpeg
  • libavcodec, libavformat difficult to sandbox due to large API surface
  • vlc
• Higher-level design documentation for compartmentalization / Capsicum application needed
  • maybe document netdump server as an example of a relatively straightforward but non-trival case
• certs in the base system
  • in progress
• Format string bug (%n) proposal
  • Microsoft disables by default
  • Disable by default in our libc
  • Add ELF flag or special function to enable it
  • Request ports exp-run with patch to produce errors if found
  • theraven: add printf_unsafe, have Clang use it if %n found in static format string
    • non-static format strings using %n fail or have to call printf_unsafe
• (Selective?) application of hardening flags
  • base system perhaps not too interesting, except for libraries
  • relationship with shipping IR
  • don't always compose
• vulnerability mitigations
  • ASLR
    • waiting on review
  • W^X
    • brooks?
• jails
  • reduced timer resolution in jails???
  • wish we had a way of managing them in the base system
    • ex. dockeresque ability
• kerberos
  • pick one
    • pick MIT