Pwn2Own results for Wednesday (Day One) (opens in new tab)

(pwn2own.com)

52 pointsgioi12y ago21 comments

21 comments

It appears that most of these attacks relied on exploiting the unfortunate design of C, which makes manual memory management the default and safe, managed memory the special case. It should be the reverse. Speed will always matter, but you don't have to use risky, manual memory mgt everywhere to get speed; you just need it in the few spots where it makes a difference.

In the majority of places in your code, manual memory management gives you no benefit but does expose you to a possible vulnerability if you make a mistake. If the default, lazy option were to let the well-tested runtime do the job for you, yet you could do a little extra work and get manual override wherever you wanted, and manual override everywhere brought you essentially back to C, I think we would have much safer code without a noticeable loss of performance.

Edit: I just realized in the shower that I was saying "memory management" when I meant direct "memory manipulation" more generally. I'm including arrays accessed by memory address rather than by bounds-checked index, pointer arithmetic, etc., not just malloc and free.

pcwalton12y ago

> It appears that most of these attacks relied on exploiting the unfortunate design of C, which makes manual memory management the default and safe, managed memory the special case. It should be the reverse. Speed will always matter, but you don't have to use risky, manual memory mgt everywhere to get speed; you just need it in the few spots where it makes a difference.

That's true, but I would claim something even stronger. Getting safety doesn't mean giving up manual memory management, as Rust shows (disclaimer: I work on Rust). You just have to need to have a language or system that enforces that you use safe manually-managed idioms. The idea that safety requires giving up performance (e.g. opting into a garbage collector, or even a runtime) is not true in most cases. In a properly designed system, safety doesn't even require opting into a runtime.

SiVal12y ago

Would Firefox be better (more secure and with no performance handicap) if written in Rust? I realize that there is an enormous amount of existing code that shouldn't be thrown away, but if Mozilla wanted to create a browser from scratch today (or in a couple of years, when Rust has been debugged and polished), would they write it in Rust?

1 more reply

hershel12y ago

Pcwalton, do you guys at mozilla think servo could be foolproof against sandbox escapes, or that this is a bit unrealistic ?

1 more reply

Someone12y ago

Your edit almost made me eat my comment, but I will go further: there's nothing risky about manual memory management, as long as the compiler and/or runtime prohibit you from accessing memory you didn't allocate, adding null pointer and boundary checks (which may need runtime support to get the size of an allocated memory block) where the compiler cannot guarantee that you only access memory you allocated.

The reverse situation, garbage-collecting systems that do nothing to prevent you from dereferencing null pointers or going out of bounds, is just as dangerous as C.

gioiOP12y ago

Mozilla's Rust & Servo go exactly in this direction, thankfully.

conorh12y ago

Looks like day 2 happened already and had some pretty good exploits:

http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-...

gioiOP12y ago

https://news.ycombinator.com/item?id=7401371

rwg12y ago

At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X.

I'll bet it was ocspd they exploited. The CRL handling code in libsecurity is awful, and ocspd runs as root without a sandbox profile.

bfish51012y ago

How can you tell if a process runs as root or is run within a sandbox?

rwg12y ago

"ps" will show the effective uid ocspd is running as:

    % ps aux|grep ocspd
    root              534   0.0  0.0  2442712   2036   ??  Ss    3:53PM   0:00.04 /usr/sbin/ocspd

I don't know how to show the sandbox a running process is contained in, but it's easy enough to show that launchd runs ocspd directly, without sandbox-exec:

    % grep -A3 ProgramArguments /System/Library/LaunchDaemons/com.apple.ocspd.plist
            <key>ProgramArguments</key>
            <array>
                    <string>/usr/sbin/ocspd</string>
            </array>

It's possible for a process to programmatically place itself in a sandbox (see /usr/include/sandbox.h), but a quick look at the source to ocspd and a quick disassembly of what actually ships with OS X 10.9.2 shows ocspd does not do that.

yukichan12y ago

On a mac Activity Monitor will show you that, also there are also things like top, ps aux and pgrep. These would work:

pgrep -lf -U root | grep processname

or:

ps aux | grep root | grep processname

sitkack12y ago

What this shows is that if you are using a machine connected to the internet, assume you have been rooted. If you are paranoid, do all of your surfing in a VM over Tor and reset that VM state after every launch.

Ellipsis75312y ago

Good idea but there's quite a lot of exploits in virtual machines that let them infect the host machine too. :P So it's really pretty hard to stay safe. You could always run your OS from a read-only CD? At least you'd be none-infected on each reboot.

ChuckMcM12y ago

My favorite is you run the browser on a different machine and you place a webcam near it that you can visit on your primary machine. Sending keystrokes and mouse moves to the browser machine using an infrared laser to create a unidirectional serial link to the machine.

Air gap AND lasers, how cool is that?

2 more replies

M2Ys4U12y ago

Tails[0] would be a good candidate for this.

[0] https://tails.boum.org/

mikeash12y ago

Until someone infects your BIOS, anyway.

j / k navigate · click thread line to collapse

21 comments

SiVal12y ago

pcwalton12y ago

SiVal12y ago

1 more reply

hershel12y ago

Pcwalton, do you guys at mozilla think servo could be foolproof against sandbox escapes, or that this is a bit unrealistic ?

1 more reply

Someone12y ago

The reverse situation, garbage-collecting systems that do nothing to prevent you from dereferencing null pointers or going out of bounds, is just as dangerous as C.

gioiOP12y ago

Mozilla's Rust & Servo go exactly in this direction, thankfully.

conorh12y ago

Looks like day 2 happened already and had some pretty good exploits:

http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-...

gioiOP12y ago

https://news.ycombinator.com/item?id=7401371

rwg12y ago

At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X.

I'll bet it was ocspd they exploited. The CRL handling code in libsecurity is awful, and ocspd runs as root without a sandbox profile.

bfish51012y ago

How can you tell if a process runs as root or is run within a sandbox?

rwg12y ago

"ps" will show the effective uid ocspd is running as:

    % ps aux|grep ocspd
    root              534   0.0  0.0  2442712   2036   ??  Ss    3:53PM   0:00.04 /usr/sbin/ocspd

I don't know how to show the sandbox a running process is contained in, but it's easy enough to show that launchd runs ocspd directly, without sandbox-exec:

    % grep -A3 ProgramArguments /System/Library/LaunchDaemons/com.apple.ocspd.plist
            <key>ProgramArguments</key>
            <array>
                    <string>/usr/sbin/ocspd</string>
            </array>

yukichan12y ago

On a mac Activity Monitor will show you that, also there are also things like top, ps aux and pgrep. These would work:

pgrep -lf -U root | grep processname

or:

ps aux | grep root | grep processname

sitkack12y ago

Ellipsis75312y ago

ChuckMcM12y ago

Air gap AND lasers, how cool is that?

2 more replies

M2Ys4U12y ago

Tails[0] would be a good candidate for this.

[0] https://tails.boum.org/

mikeash12y ago

Until someone infects your BIOS, anyway.

j / k navigate · click thread line to collapse