Re: Sandboxing (was -- Re: [Officesecurity] A couple of crashers for lowriter)


Michael Meeks

Sep 28, 2015, 8:13:29 AM
to Alexander Cherepanov, securi...@chromium.org, lsecurity, Fridrich Strba
Hi Justin & Alex,

On Sun, 2015-09-27 at 00:05 +0300, Alexander Cherepanov wrote:
> On 2014-11-26 21:07, Michael Meeks wrote:
> >> At upstream level many things could also be done. From showing warning
> >> before importing exotic formats to sandboxing importers.
> >
> > If you have a creative approach to sandboxing importers, I'm interested
> > - would be a bit of development work; but of course possible - we could
> > spawn external processes [ and how to sandbox those ? ] - but basically
> > anything is possible for someone wanting to contribute.

Right =)

> This question came up on Twitter and it seems that Justin Schuh (Chrome
> browser security tech lead, at least a couple of years ago) is ready to
> assist LibreOffice with sandboxing. In case you missed it, the thread
> starts here:
>
> https://twitter.com/justinschuh/status/646409306372354048

Awesome - so, great to meet you Justin.

When you say 'assist' ? =) do you mean coding ? or pointing to some
docs ?.

Certainly - we'd love to use the Chromium sand-boxing; we ship a huge
number of document / file-types which are seldom used, or present for
legacy compatibility - and which generally produce ODF (often via SAX
style callbacks IIRC).

It would be fantastic (if it's possible) to isolate these re-using your
sandbox; we'd be very happy to point to the code-locations to hook that
in (if you're in evangelism mode), or - failing that to co-mentor a
Google Summer of Code piece to try to do that.

I CC Fridrich - the mastermind behind much of the Document Liberation
work, in case he has something to add. Fridrich - how hard would it be
to put a stream / transfer-whole-file interface between DLP filters and
the LibreOffice core ? (and/or is it a good idea ? ;-)

Alex - thanks for the introduction.

ATB,

Michael.

> ----------------------------------------------------------------------
> Justin Schuh, @justinschuh:
> Dear AV vendors, you can reach me on securi...@chromium.org for
> assistance in sandboxing your software (taviso@ approved this message)
>
> Alexander Cherepanov, @ch3root:
> @justinschuh Is it possible to extend this offer to LibreOffice? I've
> heard they have a lot of legacy code in import filters /@michael_meeks
>
> Justin Schuh, @justinschuh:
> @ch3root @michael_meeks Should be straightforward. It's mostly a matter
> of launching the converters in a separate process
>
> Justin Schuh, @justinschuh:
> @ch3root @michael_meeks Your primary format handler would need to be
> hardened independently, because sandboxing it would be much harder
>
> Justin Schuh, @justinschuh:
> @ch3root @michael_meeks But yeah, ping the list to ask, because
> sandboxing the import filters should be pretty straightforward
>
> ----------------------------------------------------------------------

> AIUI Chromium sandbox is open source and described here:
>
> https://www.chromium.org/developers/design-documents/sandbox
> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
>
> And while I'm at it, Google has other cool technologies. E.g., the
> problems with traffic for updates:
>
> > force those same people to update a load of ancient
> > versions of LibreOffice out there - that (in turn) fails to provide any
> > statistically significant security advantage to the users [ and also
> > consumes some staggering bandwidth as a side-effect ;-].
>
> could be mitigated with effective patches:
>
> https://dev.chromium.org/developers/design-documents/software-updates-courgette
>
> Google has autoupdater too:
>
> https://github.com/google/omaha
> https://omaha.googlecode.com/svn/wiki/OmahaOverview.html
>
> IIUC LibreOffice is not autoupdated on MS Windows and cannot be updated
> for a machine when a user has a restricted account (unlike Chrome and
> Firefox).


--
michae...@collabora.com <><, Pseudo Engineer, itinerant idiot

Justin Schuh

Oct 7, 2015, 7:38:36 PM
to Michael Meeks, Alexander Cherepanov, security-dev, lsecurity, Fridrich Strba
Sorry, didn't see this before.

On Mon, Sep 28, 2015 at 5:24 AM, Michael Meeks <michae...@collabora.com> wrote:
> Hi Justin & Alex,
>
> On Sun, 2015-09-27 at 00:05 +0300, Alexander Cherepanov wrote:
> > On 2014-11-26 21:07, Michael Meeks wrote:
> > >> At upstream level many things could also be done. From showing warning
> > >> before importing exotic formats to sandboxing importers.
> > >
> > > If you have a creative approach to sandboxing importers, I'm interested
> > > - would be a bit of development work; but of course possible - we could
> > > spawn external processes [ and how to sandbox those ? ] - but basically
> > > anything is possible for someone wanting to contribute.
>
> Right =)
>
> > This question came up on Twitter and it seems that Justin Schuh (Chrome
> > browser security tech lead, at least a couple of years ago) is ready to
> > assist LibreOffice with sandboxing. In case you missed it, the thread
> > starts here:
> >
> > https://twitter.com/justinschuh/status/646409306372354048
>
> Awesome - so, great to meet you Justin.
>
> When you say 'assist' ? =) do you mean coding ? or pointing to some
> docs ?.

I meant technical assistance rather than coding.


> Certainly - we'd love to use the Chromium sand-boxing; we ship a huge
> number of document / file-types which are seldom used, or present for
> legacy compatibility - and which generally produce ODF (often via SAX
> style callbacks IIRC).
>
> It would be fantastic (if it's possible) to isolate these re-using your
> sandbox; we'd be very happy to point to the code-locations to hook that
> in (if you're in evangelism mode), or - failing that to co-mentor a
> Google Summer of Code piece to try to do that.

Having a Summer of Code project sounds like a great idea.


> I CC Fridrich - the mastermind behind much of the Document Liberation
> work, in case he has something to add. Fridrich - how hard would it be
> to put a stream / transfer-whole-file interface between DLP filters and
> the LibreOffice core ? (and/or is it a good idea ? ;-)

Yeah, that's pretty much the strategy. It would be trivial to sandbox if you can break it out to a standalone process that accepts a file as input and emits a file as output.
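As an added example (not LibreOffice or Chromium code), a minimal Linux broker in C shaped like the split Justin describes: the trusted parent opens the input and output files, forks the converter, and the child installs a seccomp-bpf allow-list of read/write/exit before it touches the document, so a crash or an attempt to do anything else inside the filter shows up to the host as a failed conversion rather than a compromised process. The filter body, the '!' trigger that stands in for a misbehaving filter, and the /tmp paths are constructed for this demo; it assumes a Linux kernel with seccomp filter support.

```c
#define _GNU_SOURCE                 /* fork/waitpid/prctl visible under strict -std flags */
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Toy import filter (constructed): upper-cases the document; a chunk starting with '!' stands in for a buggy or compromised filter reaching for the filesystem. */
static void filter_body(int in, int out) {
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (buf[0] == '!') (void)open("/etc/hostname", O_RDONLY);  /* not on the allow-list: killed */
        for (ssize_t i = 0; i < n; i++) if (buf[i] >= 'a' && buf[i] <= 'z') buf[i] -= 32;
        if (write(out, buf, (size_t)n) != n) _exit(2);
    }
    _exit(n == 0 ? 0 : 2);
}

/* Child-side lockdown: only read/write/exit survive (a real policy also checks the arch field). */
static int lock_down(void) {
    struct sock_filter prog[] = { BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL) };
    struct sock_fprog fp = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

/* Broker: the parent opens both files, the child gets only the fds; 0 = clean exit, -1 = failed/crashed/killed. */
int run_sandboxed_filter(const char *in_path, const char *out_path) {
    int in = open(in_path, O_RDONLY), out = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (in < 0 || out < 0) { close(in); close(out); return -1; }
    pid_t pid = fork(); if (pid == 0) { if (lock_down()) _exit(3); filter_body(in, out); }
    int status = 0; close(in); close(out);
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed demo: benign input converts; escaping input is killed and the host process survives. */
int demo(void) {
    char out[32] = {0}; FILE *f = fopen("/tmp/sbx.in", "w"); fputs("hello world\n", f); fclose(f);
    int ok = run_sandboxed_filter("/tmp/sbx.in", "/tmp/sbx.out") == 0 && (f = fopen("/tmp/sbx.out", "r")) &&
             fgets(out, sizeof out, f) && !fclose(f) && strcmp(out, "HELLO WORLD\n") == 0;
    f = fopen("/tmp/sbx.in", "w"); fputs("!escape\n", f); fclose(f);      /* second run: escape attempt */
    return ok + 2 * (run_sandboxed_filter("/tmp/sbx.in", "/tmp/sbx.out") != 0);  /* 3 = both as intended */
}
```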

Michael Meeks

Oct 9, 2015, 4:08:32 AM
to Justin Schuh, Alexander Cherepanov, security-dev, lsecurity, Fridrich Strba

On Wed, 2015-10-07 at 16:37 -0700, Justin Schuh wrote:
> Sorry, didn't see this before.

No problem.

> I meant technical assistance rather than coding.

=)
>
> we'd be very happy to point to the code-locations to hook that
> in (if you're in evangelism mode), or - failing that to
> co-mentor a Google Summer of Code piece to try to do that.
>
> Having a Summer of Code project sounds like a great idea.

It would be great to add the bones of the idea, and your contact
details (put mine down too - I'm happy to co-mentor) in the wiki so we
don't forget it come next year:

https://wiki.documentfoundation.org/Development/GSoC/Ideas

> Yeah, that's pretty much the strategy. It would be trivial to sandbox
> if you can break it out to a standalone process that accepts a file as
> input and emits a file as output.

Hopefully that's reasonably trivial.

Thanks !

Michael.

Justin Schuh

Oct 29, 2015, 11:42:34 AM
to Michael Meeks, Chris Palmer, ric...@chromium.org, Justin Schuh, Alexander Cherepanov, security-dev, lsecurity, Fridrich Strba
Hey, I just wanted to let you know I hadn't forgotten about this. I've CC'd Ricky and Chris, who've both expressed interest in sponsoring this as a GSoC project, and providing technical assistance.

Ricky, Chris, it looks like this is the place where you'd register the project on their end:
