
Tame() – bad kitty, no socket for you - elchief
http://www.openbsd.org/papers/tame-fsec2015/mgp00001.html
======
ajdlinux
[http://www.openbsd.org/papers/tame-
fsec2015/mgp00007.html](http://www.openbsd.org/papers/tame-
fsec2015/mgp00007.html)

"Optional security is irrelevant (in the long term). Mitigation technologies
which can be disabled -> fade into history"

This this this this this. As much as I like having control over my system and
the ability to disable things, I've seen enough examples of users and
corporate sysadmins taking years to fix basic security issues because there
exists a quick and dirty workaround.

~~~
AceJohnny2
Yeah, this was, to me, the most insightful slide of the whole talk.

------
SwellJoe
Reminds me of Perl's taint mode. It is not the same in terms of implementation
or the types of limits imposed, of course, but it has some of the same basic
ideas...you have to work really hard to make some kinds of stupid mistakes
when the code is tainted, and I think the same sort of idea is at play here.

I really like it when tools do the work of preventing me from doing dumb
stuff. Security, in particular, is such a difficult task with so much
knowledge required (particularly in a language like C) that it's almost
surprising that software has as few vulnerabilities as it does.

I'm unlikely to ever start a new project in C again, but if I do find myself
in a networked C project maintenance or patching situation, I certainly would
consider pulling this in.

~~~
joosters
Perl's taint checking really was ahead of its time (introduced in 1988,
according to Wikipedia!)

Are there other languages that have this feature? (wiki only mentions Ruby)

~~~
lmm
In a language with a modern type system it doesn't need to be a language-level
feature. I use Scala and any use of unadorned String will be picked up in code
review, because generally we prefer to use some specific type that says what
it represents.

~~~
jfoutz
It's amusing the solution you present is code review.

I'd bet naked strings never get that far, because your business libraries all
expect CustomerName or whatever.

~~~
lmm
Sure, but occasionally new programmers will do a bunch of work with a String
and and only wrap it as a CustomerName before making a library call.

------
falcolas
A bit meta, but...

Part of me appreciates that there is no magic javascript which mucks with the
browser and makes the slideshow a real pain in the butt to navigate. However,
this is going too far in the opposite direction. Each slide as its own page?
Navigation is slow, all-but requires the mouse, and creates a N-length list of
sites to go "back" through to return here.

Can we just come to a compromise: one page with each slide below the last?
Allow us to take advantage of parallel fetching of assets, use native
scrolling to progress, and you can even create anchors to link to a particular
slide!

Even better, you could easily write some basic javascript and to turn such a
page into the former version of a slideshow if you're so inclined.

~~~
gpvos
This was developed to work in all browsers. Even 1995 ones. Why change it? It
still works.

~~~
vacri
No, it wasn't developed to work in all browsers - jpgs don't work well in
text-mode browsers like w3m or lynx. Likewise, jpgs of text are worthless to
things like screenreaders, and there's no useful info in the alt text. jpgs of
text also don't work with people who have tools to style pages so they can
read them better. Ironically if they had've just used simple text, it would
have worked in all browsers.

In addition to this, the OP suggests ways in which it doesn't work _well_.
Just because something 'works', doesn't mean it can't be significantly
improved.

~~~
eru
Funny enough, JPGs can work in links.

~~~
vacri
Sure, but not on a default install. This is what I see on a basic install of
lynx: [http://i.imgur.com/UlxBCk4.png](http://i.imgur.com/UlxBCk4.png)

~~~
4ad
Links, elinks, and lynx are different browsers.

~~~
vacri
Ah, my mistake. I just assumed that you could add a plugin for graphics.
Thanks.

------
phpnode
tame() is one of those things that is so simple and obvious in retrospect that
it's flabbergasting that it took so long to be invented/(re)discovered.

~~~
vezzy-fnord
Probably because it's theoretically inelegant. A lot of people are quite
absolutist when it comes to security, and shun solutions that aren't
_entirely_ robust to all possible edge cases.

Yet in practice, tame(2) makes privilege dropping such a trivial activity that
it will quite likely influence far more programmers than a more capable but
also more grueling and complex mechanism like seccomp-bpf.

Speaking of which, here's a tame(2)-like wrapper over libseccomp:
[https://github.com/dimkr/libwaive](https://github.com/dimkr/libwaive)

~~~
gnuvince
Quoting myself from the lobste.rs thread[0]:

>> No matter how good the interface is, it’s almost certain this will never
hit Linux in the next 5-10 years. It’s not because the interface is bad, but
because the glibc-devs and other people are scared of simple and straight-
forward interfaces, rather not doing anything than implementing an interface
which handles the general case rather than trying to cover the 0.5% of edge
cases, being complex and bloated.

> This is such a tough lesson to learn and to apply. I still fail at it most
> of the time in my own code, thinking up the weirdest edge cases possible
> that I need to handle rather than making the 99% case nice and simple.

I'm a CS grad student, I've worked in the industry before, and I am 100%
guilty of sometimes dismissing a nice and simple solution because the
perfectionist in me is annoyed that an edge case takes O(n^2) or that the
algorithm won't give the optimal answer in some pretty rare circumstances.

[0] [https://lobste.rs/s/4jlaod/tame_-
_bad_kitty_no_socket_for_yo...](https://lobste.rs/s/4jlaod/tame_-
_bad_kitty_no_socket_for_you)

------
openbsd-usr
Theo mentions a hackathon in Croatia in the second slide, and some might not
know this, but the OpenBSD project actually invented the concept of a
hackathon in 1999 as a way of gathering their global developer community
together in one place to hack on OpenBSD in a festive atmosphere.

Sixteen years later, the concept has been completely co-opted by (often VC-
backed) tech companies as a means of promoting their products and extracting
unpaid labor from developers.

~~~
pgeorgi
The tech company hackathons are about the same age. It's two concepts that
sprung up at about the same time, using the same name for superficially
similar activities.

See
[https://en.wikipedia.org/wiki/Hackathon](https://en.wikipedia.org/wiki/Hackathon).
The unsourced claim on Sun is explained in more detail on
[https://en.wikipedia.org/wiki/JavaOne](https://en.wikipedia.org/wiki/JavaOne)

------
chipuni
I got to the twentieth slide, and I still wonder:

What does tame() itself DO?

~~~
masklinn
[http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-
current/man2/...](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-
current/man2/tame.2)

Whitelist syscalls. Any non-whitelisted syscall being invoked causes the
process to be terminated with SIGKILL (or a non-blockable SIGABRT if `abort`
it set). Further tame(2) calls can only further restrict the whitelist. The
whitelisting can get down to just _exit(2).

~~~
mmastrac
I was wondering why you'd ever want to just limit yourself to _exit, but the
man page answers that:

    
    
      A request value of "" restricts the process to the _exit(2)
      system call. This can be used for pure computation
      operating on memory shared with another process.

~~~
0xcde4c3db
"The man page answers that" could probably be the OpenBSD motto.

~~~
xiaq
It was the Unix motto. Before GNU ruined man pages...

------
arianvanp
It seems really fragile that tame takes a string as argument that is tokenized
and parsed? Why not just pass an array of pre-defined constants.

~~~
gecko
Because an array wouldn't be any safer than the string (still would be null-
terminated or risk buffer overruns if you passed the length incorrectly), and
using a string means you don't have to import a pile of constants if you want
to use tame from languages other than C.

~~~
michaelmior
You could use bit flags to avoid the array issue. Your point about constants
is reasonable although given that it's a one-time cost and there are already
automated tools to do this for many popular languages, I don't think it
presents a real barrier.

Edit: I see they originally use a bit mask and then changed to the space-
separated string.

[http://www.tedunangst.com/flak/post/string-
interfaces](http://www.tedunangst.com/flak/post/string-interfaces)

------
zdw
Even though this is mentioned as being "OpenBSD only - not a stable
interface!" on slide 25...

As OpenBSD's userland and libc is used extensively in Android, I wonder what
the chances are of Google embracing tame() in future versions of Android.

~~~
brynet
While it's true that Android's C library (bionic) uses code from OpenBSD
libc.. tame(2) is a system call, in the kernel.

------
ianphughes
That font makes reading difficult.

~~~
dd9990
It's a running joke. Included on some of their slides and webpages is the
disclaimer: "This page scientifically designed to annoy web hipsters. Donate
now to stop the Comic Sans and Blink Tags "

~~~
gpvos
I think the OpenBSD people started doing this after the CERN presentation on
the Higgs boson that also used Comic Sans. By making it slightly harder to
read and therefore more difficult to scan diagonally, it increases the
attention the reader gives to the text.

