Since mfttool (EDIT: now elftool) is designated to be used as the default means of learning about a unikernel's MFT (from an orchestration system perspective, for example) (see discussion in #372 (comment)), it will be parsing untrusted input in the host.
Sandboxing this with seccomp/pledge/capsicum/whatever would seem to make sense to me.
While I would of course prefer a high-level implementation doing this, using the C executable has two benefits:
1. It's using the exact same code as the actual loader, which means parser discrepancies are less of an issue.
2. Incidentally(?), a stand-alone executable is a lot easier to sandbox than the tender, or library function, since its scope of operation is pretty limited (can basically be reduced to read/write/flush/exit). That means mfttool can be our first line of defense against malicious input. An exploit targeting the MFT handling code would have to be written to not trigger during the first (sandboxed) mfttool stage (or at least not crash that), while also exploiting the actual (less sandboxed) tender.
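As an added illustration of the "reduce it to read/write/flush/exit" idea (example code written for this page, not Solo5's mfttool/elftool), the program below builds a seccomp-BPF policy that allows exactly `read`, `write`, `exit` and `exit_group`, checks the policy offline with a small interpreter before installing it, and only then reads stdin. The parsing step is a hypothetical stand-in (it counts lines) because the MFT format itself is not described here; the architecture constant assumes x86_64 or aarch64 Linux.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* The whole policy: read input, write output, exit. "flush" in the issue
 * means fflush(3), which turns into write(2), so it needs no extra syscall. */
static const int allowed_syscalls[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
#define ALLOWED_COUNT (sizeof allowed_syscalls / sizeof allowed_syscalls[0])

/* Emit a classic-BPF seccomp program: kill on a foreign architecture (syscall
 * numbers differ per arch), allow the listed numbers, kill everything else.
 * Returns the instruction count, or 0 if prog has fewer than 5 + 2n slots. */
size_t build_filter(struct sock_filter *prog, size_t max, const int *nrs, size_t n)
{
    size_t i = 0;
    if (max < 5 + 2 * n)
        return 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[j], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Interpreter for the three instruction kinds the filter uses, so the policy
 * can be checked before it is installed: 1 = allow, 0 = kill, -1 = unmodelled. */
int filter_decides(const struct sock_filter *prog, size_t len, unsigned arch, int nr)
{
    struct seccomp_data d;
    unsigned acc = 0;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    for (size_t pc = 0; pc < len;) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:        /* acc = 32-bit field of seccomp_data */
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:       /* jt/jf are relative to the next insn */
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k == SECCOMP_RET_ALLOW;
        default:
            return -1;
        }
    }
    return -1;
}

int policy_allows_arch(unsigned arch, int nr)
{
    struct sock_filter prog[32];
    size_t n = build_filter(prog, 32, allowed_syscalls, ALLOWED_COUNT);
    return n ? filter_decides(prog, n, arch, nr) : -1;
}
int policy_allows(int nr) { return policy_allows_arch(SANDBOX_ARCH, nr); }
size_t policy_size(void)
{
    struct sock_filter prog[32];
    return build_filter(prog, 32, allowed_syscalls, ALLOWED_COUNT);
}

/* Install the policy. Only main() calls this: afterwards any syscall outside
 * the list kills the process, so nothing may allocate or open files. */
int install_sandbox(void)
{
    struct sock_filter prog[32];
    struct sock_fprog fprog;
    size_t n = build_filter(prog, 32, allowed_syscalls, ALLOWED_COUNT);
    if (n == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)  /* required for unprivileged filters */
        return -1;
    fprog.len = (unsigned short)n;
    fprog.filter = prog;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

int main(void)
{
    static char in[64 * 1024];   /* static buffer: no malloc once sandboxed */
    char out[64];
    ssize_t r;
    size_t len = 0, lines = 0;
    if (install_sandbox() != 0)
        return 1;
    while ((r = read(0, in + len, sizeof in - len)) > 0)
        len += (size_t)r;
    for (size_t i = 0; i < len; i++)   /* hypothetical stand-in for the MFT parser */
        lines += in[i] == '\n';
    int n = snprintf(out, sizeof out, "lines=%zu bytes=%zu\n", lines, len);
    if (n > 0)
        write(1, out, (size_t)n);
    return 0;   /* exit_group, which the policy allows */
}
```

The offline check matters in practice: a filter that forgets `exit_group` or the architecture test looks fine until the process is killed on its way out, so asserting the policy's decisions in a unit test, separately from installing it, catches that before it reaches a host.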