Old security problems and new solutions

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Tue, 31 Mar 2015 19:51:03 +0000

Imagine that you have downloaded an xz file from an untrusted source
on the internet.

It might be hiding a clever piece of code that tries to execute
arbitrary code while you're uncompressing it.

Now, it would be cool to have an isolated environment to do this. The
FreeBSD guru will choose to use jails, which allow you to build light
VMs. A Linux administrator might use docker to decompress the
untrusted file.

This has happened with decompression/compression utilities such as
bzip2 in the past
(http://www.rapid7.com/db/vulnerabilities/ubuntu-USN-986-1).

Now, we propose a new, low-overhead solution:
xz running in a sandbox itself!


xz puts the compressor and the decompressor in a restricted
environment, where it cannot open arbitrary files or attempt to
execute arbitrary code.

xz is a widely used compression format used in virtualization
solutions such as VMware, and Linux systems such as Debian, openSUSE,
Fedora, FreeBSD, Gentoo and in desktop projects such as GNOME.


Kind regards,
//Logan
C-x-C-c


-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
Received on Tue Mar 31 2015 - 19:51:19 PST
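
The pattern behind a self-sandboxing decompressor, as an added example that is not part of the original message and not xz's code: open every descriptor first, then give up the ability to open more, then touch untrusted data. The message does not say which mechanism xz uses; this sketch assumes a POSIX RLIMIT_NOFILE limit of zero, which covers only the "cannot open arbitrary files" half, and sandboxed_worker and run_demo are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#define OPEN_BLOCKED 1 /* opening a new file failed with EMFILE */
#define OLD_FD_OK    2 /* descriptors opened before lockdown still work */

/* Hypothetical worker standing in for the decompressor loop. */
static int sandboxed_worker(int in_fd, int out_fd) {
    struct rlimit none = {0, 0}; /* soft = hard = 0: cannot be raised again */
    char buf[256];
    ssize_t n;
    int result = 0;
    if (setrlimit(RLIMIT_NOFILE, &none) != 0) return 0;
    /* What hijacked code might try: open a file it was never handed. */
    int fd = open("/etc/passwd", O_RDONLY);
    if (fd < 0 && errno == EMFILE) result |= OPEN_BLOCKED;
    else if (fd >= 0) close(fd);
    /* The legitimate job, copying input to output, is unaffected. */
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        if (write(out_fd, buf, (size_t)n) != n) return result;
    return n == 0 ? (result | OLD_FD_OK) : result;
}

/* Runs the worker in a child process; returns its result bits, -1 on error. */
int run_demo(char *out, size_t outlen) {
    static const char sample[] = "constructed sample input\n";
    int in_pipe[2], out_pipe[2], status = 0;
    if (pipe(in_pipe) != 0 || pipe(out_pipe) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: keep only the two descriptors it needs */
        close(in_pipe[1]); close(out_pipe[0]);
        _exit(sandboxed_worker(in_pipe[0], out_pipe[1]));
    }
    close(in_pipe[0]); close(out_pipe[1]);
    if (write(in_pipe[1], sample, strlen(sample)) < 0) return -1;
    close(in_pipe[1]); /* EOF for the worker */
    ssize_t n = read(out_pipe[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    close(out_pipe[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char out[64];
    return run_demo(out, sizeof out) == (OPEN_BLOCKED | OLD_FD_OK) ? 0 : 1;
}
```

The descriptor limit does not stop the process from calling execve or making other system calls, so the "cannot execute arbitrary code" half needs a stronger facility layered on the same open-first, restrict-second structure.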