Bash vulnerabilities got you down? Harvard researchers propose: "Shill"

by
in code on (#2SYT)
The worm and/or vulnerability they're now calling "Shellshock" has soured sysadmins on the Bash shell for the moment, and brought attention to a new point of entry for web-based server penetration attacks. Fortunately some researchers at Harvard have been thinking about problems like this and have come up with a solution.
It's a new scripting language called "Shill" and it's intended to limit the resources and privileges scripts have when running.
The language, called Shill, was designed to limit shell-based scripts so they can't access resources beyond what is specifically needed for the task at hand. "You want to give the script exactly the permissions it needs to get its job done," said Scott Moore, a computer science doctoral student at Harvard who is one of the contributors to the Shill research project, led by Stephen Chong, an associate professor of computer science.

The team is working on a version of Shill for the FreeBSD Unix operating system and is mulling the idea of porting it to Linux. The team will also present the technology next week at the USENIX Symposium on Operating Systems Design and Implementation conference, in Broomfield, Colorado. Shill follows the principle of least privilege, which stipulates that software shouldn't possess more authority than what it needs to complete its job, Moore said.
Sounds like this might be useful for more reasons than simple exploit prevention, too!

History


2014-09-26 12:23
zafiro17@pipedot.org