
[tor-dev] Run With Limited Capabilities - GSOC

Hello,

My name is Cristian Toader, and I feel very excited about designing and implementing a capabilities-based sandbox for the central Tor project, as part of the GSOC program.

----
About myself:

I have been a Linux enthusiast for almost 6 years and first started using Tor around 3 years ago.

I am currently studying in the UK. In approximately one month I will be graduating from the Computer Science programme at the University of Surrey, and plan on pursuing a master's degree in Advanced Computer Science at the University of Cambridge for the following academic year.

I have completed a placement year at Qualcomm (UK) LTD which involved implementing and testing security solutions for the Linux Android OS. These were based on cryptography and the TrustZone run-mode of the ARM processors. Most of the development during the placement year was performed in C, with some tests written in Java and C++ for the upper layers.

----
About the project:

The project I will be working on as part of GSOC is based on the "Run With Limited Capabilities" proposal [1] mentored by Nick Mathewson (nickm) and Andrea Shepard (athena). The project is still in the planning stage. I will start working on an appropriate design as soon as I finish my last exams, which is the 3rd of June.

As part of the project I will need to:
  - investigate research papers regarding capability-based sandboxes
  - get familiar with the Tor code structure
  - decide whether there should be different states, starting from which the tor program only has a limited set of capabilities depending on which syscalls it should be able to perform, or whether to take a more complex approach based on a trusted process representing a root of trust (with no network interactions) which controls the capabilities of the processes it launches
  - integrate an appropriate solution
  - develop and run tests for the project

A constraint agreed with nickm would be that once the program capabilities are set they should not be modifiable (otherwise a potential attacker could have the option of first enabling capabilities and then executing privileged code).

Some additional details can be found in tickets #7005 [2], #5219 [3], and #5220 [4].

I will try to keep everyone updated. I am looking forward to advice and suggestions. If anyone needs to contact me, this is my primary email, my irc.oftc.net username is ctoader, and I am geographically located in GMT+2.

Best regards,
Cristian Toader.

[1] https://www.torproject.org/getinvolved/volunteer.html.en#limitCapabilities
[2] https://trac.torproject.org/projects/tor/ticket/7005
[3] https://trac.torproject.org/projects/tor/ticket/5219
[4] https://trac.torproject.org/projects/tor/ticket/5220
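As an added illustration of the "set once, never modifiable" constraint discussed above (example code written for this page; it is neither Tor's code nor the author's): on Linux, a seccomp-bpf syscall allow-list installed together with PR_SET_NO_NEW_PRIVS can only be tightened afterwards by stacking further filters, never removed or widened, so code running later in the process cannot re-enable a syscall and then use it. The names SANDBOX_ARCH, build_allowlist_filter, simulate_filter, build_demo_filter, demo_verdict and install_filter are chosen for this example, the allowed syscall list is constructed for the demo, and only x86_64 and aarch64 are handled. The small simulator understands just the three instruction kinds the builder emits, so a filter can be unit-tested offline before it is ever installed.

```c
/* Added example (not Tor code): an irreversible syscall allow-list using
 * Linux seccomp-bpf. After install_filter() the list can only be tightened
 * by stacking further filters; no code in the process can lift it again. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64   /* assumed target architectures */
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_FILTER_INSNS 64

/* Emit a classic-BPF program: kill the process under a foreign ABI (syscall
 * numbers differ per architecture), allow the listed syscall numbers, and make
 * every other syscall fail with EPERM instead of running.
 * Layout: [ld arch][jeq arch][ret kill][ld nr][jeq nr]*n [ret errno][ret allow]
 * Returns the instruction count (n + 6), or -1 if it does not fit. */
int build_allowlist_filter(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i = 0;
    if (n > 200 || n + 6 > cap) return -1;   /* BPF jump offsets are one byte */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)   /* on match, skip the remaining compares and the EPERM return */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[k], (unsigned char)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Interpreter for the subset of BPF the builder emits, so a filter can be
 * checked offline. Returns the SECCOMP_RET_* verdict including its data bits
 * (the errno for SECCOMP_RET_ERRNO), or 0 for a malformed program. */
unsigned int simulate_filter(const struct sock_filter *insns, size_t len, unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* offsets are relative to the next instruction */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

static struct sock_filter demo_prog[MAX_FILTER_INSNS];
static int demo_len = 0;

/* Constructed allow-list for the demo: just enough to print a line and exit. */
int build_demo_filter(void)
{
    static const int allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
    demo_len = build_allowlist_filter(allowed, 3, demo_prog, MAX_FILTER_INSNS);
    return demo_len;
}

/* Verdict the demo filter gives for (arch, syscall nr), without installing it. */
unsigned int demo_verdict(unsigned int arch, unsigned int nr)
{
    if (demo_len <= 0 && build_demo_filter() < 0) return 0;
    return simulate_filter(demo_prog, (size_t)demo_len, arch, nr);
}

/* PR_SET_NO_NEW_PRIVS stops execve from ever regaining privilege, and the
 * kernel never lets a seccomp filter be removed, so this is a one-way door.
 * Returns 0 or a negative errno. */
int install_filter(struct sock_filter *insns, unsigned short len)
{
    struct sock_fprog prog = { .len = len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

int main(void)
{
    int len = build_demo_filter();
    if (len < 0) return 1;
    int rc = install_filter(demo_prog, (unsigned short)len);
    if (rc != 0) { fprintf(stderr, "seccomp not available: %s\n", strerror(-rc)); return 1; }
    /* From here on only write/exit/exit_group run; nothing can widen the list. */
    static const char ok[] = "write() is still allowed\n";
    static const char denied[] = "getpid() failed with EPERM: the allow-list held\n";
    write(STDOUT_FILENO, ok, sizeof ok - 1);
    if (getpid() == -1 && errno == EPERM) write(STDOUT_FILENO, denied, sizeof denied - 1);
    _exit(0);   /* exit_group, which is on the list */
}
```

Build with `gcc -Wall -o sandbox_demo sandbox_demo.c` and run it on a Linux host; the program prints the two lines and exits, while any syscall outside the list fails with EPERM. SECCOMP_RET_ERRNO is used here only so the demo can report the denial; a production sandbox along the lines of the proposal would rather terminate or trap the process on an unexpected syscall, since a silently failing call may leave the program in a state its author never tested.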

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev