Friday 21 July 2017

SECURITY FOR THE SECURITY GODS! SANDBOXING FOR THE SANDBOXING THRONE

@GodTributes took over my title, soz.

Dude, where's my maintainer?

Last year, probably as a distraction from doing anything else, or maybe because I was asked, I started reviewing bugs filed as a result of automated flaw discovery tools (from Coverity to UBSan via fuzzers) being run on gdk-pixbuf.

Apart from the security implications of a good number of those problems, there was also the annoyance of having a busted image file bring down your file manager, your desktop, or even an app that opened a file chooser either because it was broken, or because the image loader for that format didn't check for the sanity of memory allocations.

(I could have added links to Bugzilla entries for each one of the problems above, but that would just make it harder to read)

Two big things happened in gdk-pixbuf 2.36.1, which was used in GNOME 3.24:

  • the removal of GdkPixdata as a stand-alone image format loader. We really don't want to load GdkPixdata files from sources other than generated sources or embedded data structures, and removing that loader closed off those avenues. We still ended up fixing a fair number of naive assumptions in helper functions though.
  • the addition of a thumbnailer for gdk-pixbuf supported images. Images would not be special-cased any more in gnome-desktop's thumbnailing code, making the file manager, the file chooser and anything else navigating directories full of broken and huge images more reliable.
But that's just the start. gdk-pixbuf continues getting bug fixes, and we carry on checking for overflows, underflows and just flows, breaks and beats in general.

Programmatic Thumbellina portrait-maker

Picture, if you will, a website making you download garbage files from the Internet, the ROM dump of a NES cartridge that wasn't properly blown on and digital comic books that you definitely definitely paid for.

That's a nice summary of the security bugs foisted upon GNOME in past year or so, even if, thankfully, we were ahead of the curve in terms of fixing those issues (the GStreamer NSF decoder bug was removed in 2013, the comics backend in evince was rewritten over a period of 2 years and committed in March 2017).

Still, 2 pieces of code were running on pretty much every file downloaded, on purpose or not, from the Internet: Tracker's indexers and the file manager's thumbnailers.

Tracker started protecting itself not long after the NSF vulnerability, even if recent versions of GStreamer weren't vulnerable, as we mentioned.

That left the thumbnailers. Some of those are first party, like the gdk-pixbuf, and those offered by core applications (Evince, Videos), written by GNOME developers (yours truly for both epub/mobi and Nintendo DS).

They're all good quality code I'd vouch for (having written or maintained quite a few of them), but they can rely on third-party libraries (say GStreamer, poppler, or libarchive), have naive or insufficiently defensive code (gdk-pixbuf loaders,  GStreamer plugins) or, worst of all: THIRD-PARTY EXTENSIONS.

There are external plugins and extensions for image formats in gdk-pixbuf, for video and audio formats in GStreamer, and for thumbnailers pretty much anywhere. We can't control those, but the least we can do when they explode in a wet mess is make sure that the toilet door is closed.

Not even Nicholas Cage can handle this Alcatraz

For GNOME 3.26 (and today in git master), the thumbnailer stall will be doubly bolted by a Bubblewrap sandbox and a seccomp blacklist.

This closes a whole vector of attack for the GNOME Desktop, but doesn't mean we're completely out of the woods. We'll need to carry on maintaining and fixing security bugs in those libraries and tools we depend on, as GStreamer plugin bugs still affect Videos, gdk-pixbuf bugs still affect Photos and Eye Of Gnome, etc.

And there are limits to what those 2 changes can achieve. The sandboxing and syscall blacklisting avoids those thumbnailers writing anything but an image file in PNG format in a specific directory. There's no network, the filename of the original file is hidden and sanitised, but the thumbnailer could still create a crafted PNG file, and the sandbox doesn't work inside a sandbox! So no protection if the application running the thumbnailer is inside Flatpak.

In fine

GNOME 3.26 will have better security for thumbnailers, so you won't "need to delete GNOME Files".

But you'll probably want to be careful with desktops that forked our thumbnailing code, namely Cinnamon and MATE, which don't implement those security features.

The next step for the thumbnailers will be beefing up our protection against greedy thumbnailers (in terms of CPU and memory usage), and sharing the code better between thumbnailers.

Note for later, more images of cute animals.

7 comments:

ocrete said...

Most of the Videos problem would be fixed by running it inside Flatpak!|

Bastien Nocera said...

> Most of the Videos problem would be fixed by running it inside Flatpak!

In Flatpak, when sandboxed, a crafted video file could delete all of your video library, or send private videos through the network. Flatpak would be mitigation, not a fix. Ideally, metadata extraction and the whole video decoding pipeline would happen in even more restricted environments, similarly to Web Browsers having network, parsing and display in separate processes. But, yes, certainly better than non-sandboxed!

Unknown said...

I am going to move gnome-photos away from gdk-pixbuf over the next few months / releases. As a result, I'd just repeat my suggestion that we find a way to consolidate GIMP's and GEGL's codecs in a single library, and a better API for decoding image files into GeglBuffers.

stuaxo said...

Great :)

I noticed in Ubuntu a while back that PDF thumbnailing was disabled by SE policy. I hope that more thumbnailers will be enabled now they are in a sandbox.

Bastien Nocera said...

> I am going to move gnome-photos away from gdk-pixbuf over the next few months / releases.
> As a result, I'd just repeat my suggestion that we find a way to consolidate GIMP's and GEGL's
> codecs in a single library, and a better API for decoding image files into GeglBuffers.

Repeating suggestions ain't going to make code magically appear. I have no idea what this code would look like but maybe you have a better idea mapped out.

Bastien Nocera said...

> I noticed in Ubuntu a while back that PDF thumbnailing was disabled by SE policy. I hope that more
> thumbnailers will be enabled now they are in a sandbox.

Didn't know Ubuntu used SELinux, maybe you mean AppArmor. Depending on the rule, this would only close down a particular class of vulnerabilities. It also requires applying this rule to specific binaries, rather than relying on the way they're instantiated.

Bastien Nocera said...

> Repeating suggestions ain't going to make code magically appear. I have no
> idea what this code would look like but maybe you have a better idea mapped out.

Looks like I missed the fact that this was about GIMP and GEGL's loaders, and not gdk-pixbuf. In both cases, the attack surface is much lower than gdk-pixbuf's which is used in hundreds of apps to read untrusted data, or data generated from untrusted data (such as thumbnails).

I'd still recommend writing the code as a way to move the problem forward though ;)