By Guillaume Emont.
GStreamer is a big and successful project that implements complex formats. We use it to read media streams that sometimes come from untrusted sources.
The size and complexity of GStreamer and of all the format implementations it brings with it mean that the presence of security bugs in a media playback pipeline is not unlikely. An attacker could forge a stream that exploits such a bug and thereby execute code of their choosing in the context in which the exploited code was running.
A common way to alleviate this kind of issue is to run the software handling untrusted data in a context where its privileges are very limited, so that a successful exploit of a bug in the software would only grant the attacker execution rights in that limited context. We call such a context a sandbox.
I have run some experiments with setuid-sandbox, a stand-alone version of the sandboxing system used by Chrome on GNU/Linux, which show the feasibility of running at least part of a pipeline in a sandbox. In this talk, I will explain this work and its limitations, and discuss what can be done to improve on it.