
IMPORTANT NOTE

isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!

The Problem

All your Unix applications run with the full authority of the account that launched them: your browser can read your SSH private key, your mail reader can mine your browser history, your image converter can delete all your email, and so on.

My colleague David was able to find exploitable vulnerabilities in many common media players:

https://www.isecpartners.com/files/iSEC_Thiel_Exposing_Vulnerabilities_Media_Software_0.pdf

So it is not safe to listen to songs from untrustworthy sources: a maliciously-crafted MP3 could crack your music program and use its authority to send your SSH key to a maniac with an evil mustache.

What's an "untrustworthy source"? The Internet would be one example...

The Solution

This utility, isolate, runs processes in a chroot-ed environment, with constrained resource limits, as a random UID, and with limited access to the X server. An isolated program ("isolatee") no longer has all the authority of your user account, but you can still enjoy its legitimate functionality. You can play even maliciously-crafted songs in an unsafely implemented music player, with greatly minimized risk to your other data.

isolate is based on an idea by Daniel Bernstein. See section 5.2 of his paper "Some Thoughts on Security After 10 Years of qmail 1.0":

http://cr.yp.to/qmail/qmailsec-20071101.pdf

isolate is easy to use, with a usage model like sudo, chroot, nice, and so on: just prefix your command line with "isolate ". isolate automatically discovers library dependencies and builds a supporting environment for the isolated process, removing one of the difficulties in constructing a chroot environment. isolate can be used on an ad hoc basis to protect your processes and data from potentially dangerous applications.

isolate has been tested on FreeBSD 7 and Ubuntu 8; ultimately, we want it to work on every Unix!

Examples

This screenshot shows me using isolate on an image transformation. After all, we cannot trust the user input, and image manipulation programs have a long history of security bugs. This example also shows that we can pipe together separately isolated processes. The comic strip is from http://www.xkcd.com/, but you probably already knew that.

In this screenshot, I use the -D option to manually specify that I want isolate to copy in /bin and /lib, and then I isolate sh (giving it the ability to open 10 files and launch 5 processes at a time). You can also isolate other interpreters, like Python, and you can run scripts that have "#!" as their first two bytes.
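The confinement sequence described above (chroot, resource limits, random UID, then exec), as an added example in C that is not isolate's own source. It assumes it runs as root, that the chroot directory has already been populated with the program and its libraries (what isolate's dependency discovery or -D does), and a constructed UID range of 60000-65000; the X Security Extension part is not shown.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick a UID in [lo, hi] from /dev/urandom so the isolatee shares no
 * identity (and so no signal or ptrace rights) with any real account. */
uid_t pick_random_uid(uid_t lo, uid_t hi) {
    unsigned int r = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0 || read(fd, &r, sizeof r) != (ssize_t)sizeof r) {
        if (fd >= 0) close(fd);
        return lo;                       /* fall back to the range floor */
    }
    close(fd);
    return lo + (uid_t)(r % (hi - lo + 1));
}

/* Clamp open files and process count, as "isolate sh" does with 10 and 5.
 * Soft and hard limits are set equal so the isolatee cannot raise them. */
int apply_limits(rlim_t nofile, rlim_t nproc) {
    struct rlimit f = { nofile, nofile }, p = { nproc, nproc };
    if (setrlimit(RLIMIT_NOFILE, &f) != 0) return -1;
    return setrlimit(RLIMIT_NPROC, &p);
}

/* Confine the current process and exec the isolatee. Returns -1 only on
 * failure; a successful execv never returns. Needs root for chroot and
 * setuid, and a chroot directory that already holds the program and its
 * libraries (assumed to be prepared beforehand). */
int isolate_exec(const char *root, uid_t uid, rlim_t nofile, rlim_t nproc,
                 char *const argv[]) {
    if (chdir(root) != 0 || chroot(".") != 0) return -1;
    if (apply_limits(nofile, nproc) != 0) return -1;
    /* Order matters: supplementary groups and the gid must be dropped
     * before the uid, because an unprivileged uid can no longer change them. */
    if (setgroups(0, NULL) != 0 || setgid((gid_t)uid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;       /* the drop must be irreversible */
    execv(argv[0], argv);
    return -1;
}
```

A launcher would call isolate_exec(dir, pick_random_uid(60000, 65000), 10, 5, argv) from a fresh child; nothing dropped here can be regained by the isolatee, which is the whole point of the ordering.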

Using the X Security Extension, the isolatee (if it is an X client) is put into the "untrusted" group, meaning it is subject to your X security policy (see the SecurityPolicy (5) manual page). Common policies restrict the ability of untrusted clients to read and write many of the properties of "trusted" clients, to grab the keyboard, and to set transparent backgrounds (such as to take screenshots of the other windows). This example shows that a keylogger is unable to function when isolated:

This example shows that, normally, xeyes has a transparent background:

But xeyes cannot make its background transparent when it is untrusted:

The reason for this is that when windows can set a transparent background, they can "see" what lies beneath them in the window stacking order, and thereby learn the contents of those windows. We don't want untrusted windows to be able to do that. (Note that the X Security Extension does not stop untrusted clients from learning the position of the mouse.)

Similarly, some (hopefully all) screenshot programs cannot work when isolated:
