What is OpenBSD's pledge in short?
What is Pledge?

`pledge` is a system call. Calling `pledge` in a program is to promise that the program will only use certain resources. Another way of saying it is to limit the operation of a program to its needs, e.g.,

"I pledge not to use any other ports except port 63"

"I pledge not to use any other system call except `lseek()` and `fork()`"
How does it make a program more secure?

It limits the operation of a program. Example:

- You wrote a program named `xyz` that only needs the `read` system call.
- Then you add `pledge` to use only `read` but nothing else.
- Then a malicious user found out that in your program there is a vulnerability by which one can invoke a `root` shell.
- Exploiting your program to open a `root` shell will result in the kernel killing the process with `SIGABRT` (which cannot be caught/ignored) and generating a log (which you can find with `dmesg`).

This happens because, before executing the rest of your program's code, it first pledges not to use anything other than the `read` system call. But opening a `root` shell will call several other system calls, which is forbidden because it has already promised not to use any other but `read`.
Where is Pledge?

It's usually in a program. Usage from the OpenBSD 6.5 man page:

```c
#include <unistd.h>

int pledge(const char *promises, const char *execpromises);
```
Example Code: Example code of the `cat` command from cat.c (excerpt; the dotted lines stand for omitted parts of the file):

```c
........
#include <err.h>     /* err(3), used when pledge fails */
#include <unistd.h>  /* pledge(2) */
........
	int ch;

	/* Promise only stdio and read-only file access before parsing options. */
	if (pledge("stdio rpath", NULL) == -1)
		err(1, "pledge");

	while ((ch = getopt(argc, argv, "benstuv")) != -1)
..........
```
A program normally makes use of only a certain set of system or library calls. With `pledge` you can restrict the set of allowed system calls to only this set. For example, if a program does not need to read the password database, you can forbid calling the `getpwnam()` function.

How is this useful? It is an extra line of defense against vulnerabilities. If the program contains a bug, somebody might be able to exploit the bug to alter the execution flow of the program or inject some extra code into the process. The bug can be, for example, a buffer overflow in a network-facing daemon, which the attacker can trigger by sending the program more data than it can handle, possibly arranging for the program to read and send the contents of the `/etc/passwd` file over the network.
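As an added example (not code from any answer above, nor from OpenBSD's cat.c), here is a small cat-like program that takes the `"stdio rpath"` idea from the cat.c excerpt one step further and also illustrates the `/etc/passwd` scenario just described: it pledges `"stdio rpath"`, opens all its inputs, then drops `rpath`, so that code injected later can no longer open any file at all. It is written for OpenBSD; the `pledge()` stand-in under `#ifndef __OpenBSD__` is an assumption that only lets the file build on other systems and enforces nothing there.

```c
#include <err.h>
#include <fcntl.h>
#include <unistd.h>
#ifndef __OpenBSD__
/* Build-only stand-in so this compiles on non-OpenBSD hosts; it enforces
 * nothing. The real pledge(2) exists only on OpenBSD. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Copy everything readable from fd to out. Returns bytes copied, -1 on error. */
static long copy_fd(int fd, int out)
{
    char buf[4096];
    ssize_t n; long total = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n)
            return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Open every input while "rpath" is still promised. Returns count or -1. */
static int open_inputs(int nfiles, char **names, int *fds)
{
    for (int i = 0; i < nfiles; i++)
        if ((fds[i] = open(names[i], O_RDONLY)) == -1)
            return -1;
    return nfiles;
}

int main(int argc, char **argv)
{
    int fds[64], n;
    if (argc < 2 || argc - 1 > 64)
        errx(1, "usage: %s file ...", argv[0]);
    /* Stage 1: "stdio" covers read/write/exit; "rpath" is needed only to open. */
    if (pledge("stdio rpath", NULL) == -1)
        err(1, "pledge");
    if ((n = open_inputs(argc - 1, argv + 1, fds)) == -1)
        err(1, "open");
    /* Stage 2: inputs are open, so drop "rpath". From here any open(2) that
     * injected code attempts (e.g. on /etc/passwd) kills the process. */
    if (pledge("stdio", NULL) == -1)
        err(1, "pledge");
    for (int i = 0; i < n; i++)
        if (copy_fd(fds[i], STDOUT_FILENO) == -1)
            err(1, "copy");
    return 0;
}
```

On OpenBSD, a violation after the second `pledge` is the `SIGABRT` plus `dmesg` log entry the first answer describes; the already-open descriptors keep working because reading and writing them is covered by `stdio`.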
Your program "pledges" to only use functionality {A,B,C}.

If a hacker could inject code into your pledged process and attempt functionality D, then the OS crashes your program.

For example, say you have an NTP server. It has pledged to only use DNS and CLOCK functionality. But it has a flaw that allows remote code execution. The hacker asks it to WRITE FILE. But `pledge` will detect this, shut down the program and log the error.