Add vlc_sandbox notes

vlc_sandbox.md

@@ -0,0 +1,344 @@
+
+# Design sandbox avec broker
+
+```c
+struct broker_worker_t
+{
+    int id;
+    int fd; // process_ipc
+    ARRAY_DECL(int) acls;
+};
+
+struct broker_state_t
+{
+    ARRAY_DECL(const broker_worker_t *) workers;
+};
+
+struct worker_state_t
+{
+    int id;
+    int fd; // process_ipc
+};
+
+```
+
+Lorsqu'on crée le nouveau premier objet dans un nouveau processus, le broker enregistre l'id de l'objet.
+Lorsqu'on essaye de passer un objet non broker-boxé via un message en faisant un process_handler_t, le broker génère un nouvel id pour l'objet et le retourne à l'appelant, qui l'intègre au message.
+
+Les messages ont la forme suivante :
+
+```
+struct msg
+{
+    // When sending from broker
+    uint32_t from;
+    // Common stuff
+    uint32_t op;
+    uint32_t target;
+    uint32_t action;
+
+    void* args;
+};
+```
+
+
+Les réponses ont la forme suivante :
+
+```
+struct answer
+{
+    uint32_t op;
+    uint32_t from;
+    void* payload;
+};
+```
+
+Cas particulier de la création du processus : la `target` est ignoré, et `from` renvoie l'ID du nouveau module créé dans le nouvel étage.
+
+
+
+# Windows passage de descripteur de fichiers
+
+From https://msdn.microsoft.com/en-us/library/bb625962.aspx
+
+> Service applications using multiple processes are sometimes designed to
+> duplicate handles to objects, such as files, between server processes. If
+> all the processes are running under the same special service account, the
+> default security on service processes does not introduce restrictions. The
+> default DACL on service processes running under special service accounts
+> does not grant PROCESS_DUP_HANDLE access, which is required for 
+> DuplicateHandle calls. Application service designers have to implement 
+> functionality to grant PROCESS_DUP_HANDLE access on the service process
+> object to another user account used by a co-process in order to share
+> handles between application processes that run under different user accounts.
+> But if the service into which you want to duplicate the handle is a special
+> service account running at a system integrity level, a co-process running at
+> a high or medium integrity level will not be able to obtain
+> PROCESS_DUP_HANDLE because of the mandatory label policy. Even if the DACL 
+> grants PROCESS_DUP_HANDLE access, the mandatory label policy does not allow
+> lower-integrity callers that access. If this situation affects the service
+> application design, the application service code will need to change so that
+> the process that initiates DuplicateHandle is at an integrity level higher
+> than the integrity level of the process that is the source of the handle.
+> That is, a higher-integrity service can duplicate a handle into its own
+> process as a target from a lower-integrity process as the handle source.
+
+https://bugs.chromium.org/p/chromium/issues/detail?id=338538
+https://chromium.googlesource.com/chromium/src.git/+/dc84fcce71f37e6faeab9dce6ae2a65f1e12a5d2%5E%21/#F0
+
+Windows ignores DACLs on certain unnamed objects (like shared sections).
+So, we generate a random name when we need to enforce read-only.
+
+# Windows isolation réseau
+
+https://msdn.microsoft.com/en-us/library/hh780593
+https://msdn.microsoft.com/library/0a97956e-fda9-4791-b87b-9e03ae135382
+
+Not possible without Hyper-V, which needs Windows 10 Pro.
+
+# Windows, Shatter attack, UIPI
+
+http://www.coseinc.com/en/index.php?rt=download&act=publication&file=Vista_UIPI.ppt.pdf
+https://en.wikipedia.org/wiki/Shatter_attack
+http://www.hpl.hp.com/techreports/2005/HPL-2005-87.pdf
+
+=> Since windows vista, 4 integrity levels: low, medium, high, system
+
+# Exploiting a leaked thread handle project zero
+
+https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
+
+other attacks:
+
++ Detecting kernel memory disclosure with x86 emulation and taint tracking
+https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf
+
++ Reading priviledged memory with a side-channel
+https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
+
++ aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
+https://googleprojectzero.blogspot.com/search?updated-max=2018-01-03T14:27:00-08:00&max-results=7&start=4&by-date=false
+
++ Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices
+https://googleprojectzero.blogspot.com/search?updated-max=2017-12-18T09:47:00-08:00&max-results=7&start=5&by-date=false
+
++ Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read
+https://googleprojectzero.blogspot.com/search?updated-max=2017-08-23T09:10:00-07:00&max-results=7&start=11&by-date=false
+
+
+# Documents à lire
+
++ privilege escalation on windows, about DACL, token etc
+https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf
+
+
+# VLC-sandboxing orienté module
+
+
+# Windows security
+
++ Jobs are not aimed at providing security, they are like cgroups.
++ CreateRestrictedToken is the most powerful barrier all windows 10 has.
++ Better options are limited to Window 10 pro edition, and include
+    virtualization or WSL.
++ Windows has unix socket in WSL too, but they don't support SCM and so
+    file descriptor transfer between processes.
+
+## CreateRestrictedToken
+
+When trying to access a resource, Windows will check the user SID and group
+SID, and then will check the restricted token. Thus, restricted token can be
+used as a way to limit one process's available resources, by attaching a
+restricted token to it.
+
+As the user and group is checked, this token can only be used to limit
+existing right and can't add new ones.
+
+It is worth noticing that it doesn't limit resources access from the outside
+to the restricted process.
+
+A restricted token can be a **primary** or **impersonation** _access token_.
+
+From the documentation, it allows three ways of restricting a token:
+
+https://docs.microsoft.com/en-us/windows/desktop/secauthz/restricted-tokens
+
+> + Remove privileges from the token.
+> + Apply the deny-only attribute to SIDs in the token so that they cannot be
+>     used to access secured objects. For more information about the deny-only
+>     attribute, see SID Attributes in an Access Token.
+> + Specify a list of restricting SIDs, which can limit access to securable
+>     objects.
+
+To create a process with a restricted **primary** token, `CreateProcessAsUser`
+must be used, with the caller process having the `SE_ASSIGNPRIMARYTOKEN_NAME`
+privilege if it doesn't specify a restricted version of the caller's primary
+token.
+
+It is possible to activate a restricted token later by using the token with
+the `ImpersonateLoggedOnUser` function.
+
+Security note:
+
+> Applications that use restricted tokens should run the restricted application
+> on desktops other than the default desktop. This is necessary to prevent an
+> attack by a restricted application, using SendMessage or PostMessage, to
+> unrestricted applications on the default desktop. If necessary, switch
+> between desktops for your application purposes.
+
+It is possible to transfer a token from one process to another thanks to
+`DuplicateHandle`, as explained in the following forum posts:
+
+https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/9bd4bce0-033a-431b-abb8-2c10438e6283/how-can-i-pass-security-token-from-one-process-to-another-?forum=windowssecurity
+https://stackoverflow.com/questions/2331363/is-passing-a-windows-security-token-between-processes-permitted
+
+`ImpersonateNamedPipeClient`: https://stackoverflow.com/a/2339129
+
+
+# Windows IPC
+
+## Todolist
+
+[x] `vlc_ipc_SendIpc` must write the size of the message, then write each part
+    of the message.
+
+[x] `vlc_ipc_RecvMsg` must read the size of the message, then read the whole
+    message.
+
+[x] `vlc_msg_append_block` must put the name of the shared memory.
+
+[x] `vlc_msg_recv_block` must open the shared memory and map it.
+
+[ ] Zygote calls `CreateProcess` with `--sandbox-worker=%file_descriptor_read`
+    option.
+
+[ ] Zygote sends write file descriptor to new worker and then close it.
+
+[ ] `vlc_sandbox_Start` should start the worker eventloop if `--sandbox-worker`
+    option is present in the command line.
+
+[ ] `vlc_sandbox_Start` should start the zygote if `--sandbox-zygote=%fd` is
+    present in the command line.
+
+[ ] `block_Alloc` should create a file mapping using `CreateFileMapping` and map
+    it in memory using `MapViewOfFile`.
+
+[ ] `block_filemapping_Init` should use `OpenFileMapping` and `MapViewOfFile`.
+
+[ ] `msg_poller` should use IO completion port
+    => might work, try out
+    => take care socket deletion
+
+[ ] `vlc_ipc_Close` should close the handle, and might need to manage the
+    allocated memory (for overlapped structure for example)
+
+[ ] replace `close(ipc.fd)` by `vlc_ipc_Close(ipc)`
+
+[ ] try removing the zygote process from the windows model, only inherit the
+    handle for IPC when creating a new process.
+
+[ ] 
+
+
+## IOCP
+
+https://www.codeproject.com/Articles/10330/A-simple-IOCP-Server-Client-Class
+http://www.drdobbs.com/cpp/multithreaded-asynchronous-io-io-comple/201202921?pgno=3
+
+completion vs readiness
+https://softwareengineering.stackexchange.com/questions/293908/readiness-vs-completion-async-io-memory-usage
+https://stackoverflow.com/questions/2794535/linux-and-i-o-completion-ports
+
+The readiness model notify that a file descriptor is ready for action, whether
+it is reading or writing to it. The user then can perform the kernel-to-user
+action without waiting. In particular, it means that you can use one buffer
+for the whole set of file descriptor when reading.
+
+The completion model notify that the operation planned on a file descriptor
+has been satisfied. The user has to start the operation and let the operating
+system do it on its own, whether or not the file descriptor was ready. In
+particular, it means that you need one buffer for each file descriptor as you
+can't know in which order the operation will be satisfied.
+
+The workflow for IOCP on Windows to emulate the msg_poller is to create an
+IoCompletionPort with the following call.
+
+```
+HANDLE iocp =
+    CreateIoCompletionPort( INVALID_HANDLE_VALUE, NULL, 0, nThreads );
+```
+
+Then associate a `HANDLE handle` to the port, with `key` being a registration
+key used as identifier or pointer, given back in the notification of this 
+handle.
+
+```
+CreateIoCompletionPort( handle, iocp, key, 0 );
+```
+
+The port is ready so start read requests, giving an `OVERLAPPED` object and a
+new buffer to each read request when no request is pending.
+
+```
+FOREACH( struct iocp_buffer*, iohandle, iohandles )
+{
+    if( !iohandle->pending )
+        ReadFile( iohandle->handle, iohandle->buffer,
+                  length, NULL, iohandle->overlapped );
+}
+ENDFOR()
+```
+
+And finally wait for on the request to be satisfied by the operating system.
+The argument `overlapped` is required to be passed as a `LPOVERLAPPED` struct,
+but the example in the documentation uses a `OVERLAPPED**` instead.
+
+```
+DWORD length = 0;
+ULONG_PTR key = 0;
+OVERLAPPED *overlapped = NULL;
+
+GetQueuedCompletionStatus( iopc, &length, &key, &overlapped, INFINITE );
+```
+
+Finally, `overlapped` contains the information about the handle and the
+buffer, while `key` contains an additional information to recognize the
+operation.
+
+We can proceed to the next operations on the data and release the `overlapped`
+structure.
+
+TODO: removing HANDLE from the IO port.
+
+a lire
+https://opensource.googleblog.com/2010/01/libevent-20x-like-libevent-14x-only.html
+=> easier to write a notify-to-completion than completion-to-notify wrapper.
+
+design issues when using IOCP in a winsock server
+https://support.microsoft.com/en-us/help/192800/info-design-issues-when-using-iocp-in-a-winsock-server
+
+fast portable non blocking network programming with libevent
+http://www.wangafu.net/~nickm/libevent-book/
+
+closing a file handle with IO completion
+https://stackoverflow.com/questions/6573218/removing-a-handle-from-a-i-o-completion-port-and-other-questions-about-iocp
+
+# Sandbox todolist
+
+[ ] Create process by zones, all video decoders in the same process, all audio
+    in the same other process and vout/aout in the same process as their
+    respective counterpart
+
+[ ] Process creation policy should be in the broker process and configured at
+    vlc_sandbox_Init by the application caller.
+
+[ ] Special process creation order should be possible, for example when having
+    multiple video outputs.
+
+[ ] Release object correctly, proxy objects should have a special released
+    handler associated to them and be released as soon as the other endpoint
+    is released.
+
+[ ] Handle cross-process errors and report them to the other process correctly
+
+[ ] Handle other process life cycle, health and failure