Firefox helper applications and security model.

John McCabe-Dansted gmatht at gmail.com
Sat Mar 4 08:09:42 GMT 2006


There is discussion on ubuntu-devel as to which helper applications
should be trusted by Firefox.

IMHO, in the long term, we should adopt a security model that protects
users from misbehaved helper applications and services, in the same
way that we currently protect "the system" from misbehaved users.
There are such projects:

Systrace (below) allows us to run programs with access to only certain
files and syscalls. From what I understand this makes it both
lighter weight and more secure than chroot jails. The overhead is
reasonably small, as most syscalls, like fread, are safe and do not
need to be trapped.
    Systrace - Interactive Policy Generation for System Calls (more
for server apps)
    http://www.citi.umich.edu/u/provos/systrace/
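As an added illustration (not part of the post above) of the kind of
per-application policy Systrace enforces, here is a hypothetical policy
for a document viewer that Firefox hands a downloaded file to, written
in the native-syscall policy format as described in the Systrace
documentation. The program path, the cache path and the '#' annotation
lines are assumptions; anything not listed is denied (or prompted for,
in interactive mode), which is what keeps the helper from touching the
rest of the user's files.

```text
Policy: /usr/bin/helper-viewer, Emulation: native
	# read-only access to the loader cache and shared libraries
	native-fsread: filename eq "/etc/ld.so.cache" then permit
	native-fsread: filename match "/lib/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	# the file Firefox passed in, and nothing else under $HOME (hypothetical cache path)
	native-fsread: filename match "/home/*/.mozilla/firefox/*/Cache/*" then permit
	# scratch space is the only writable location; writes into $HOME fail with EACCES
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: filename match "/home/*" then deny[eacces]
	# a viewer has no business on the network or spawning other programs
	native-connect: sockaddr match "inet-*" then deny[eacces]
	native-execve: filename match "*" then deny[eacces]
	# harmless bookkeeping syscalls: the cheap, fread-like bulk of the trace
	native-fstat: permit
	native-mmap: permit
	native-munmap: permit
	native-close: permit
	native-exit: permit
```

Rules are matched in order, so the narrow Cache permit must precede the
broad deny on /home; a misordered policy silently becomes either useless
or unusable.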

Plash is a similar project that e.g. adds rights to particular files
when opened via a trusted replacement for the GTK file open dialog
box.
    Plash: the Principle of Least Authority shell (for users)
    http://plash.beasts.org/

The Achilles heel of Plash is xorg. Once you give an untrusted
application access to the X server it can do Bad Things(tm). They are
working on ways of fixing X, e.g. by only giving access to a safe
proxy to the X server.

It seems that when this problem is solved, Plash would allow us to
have as many "trusted" applications and services as we would like, and
still be more secure than we are today :).

--
John C. McCabe-Dansted
Master's Student
