23

Can someone please describe, for a non-programmer, but IT person, what is pledge?

Ex.: there is a program, ex.: "xterm". How can pledge make it more secure? It pledge inside the programs code, or outside in the OS itself?

Where is pledge? Is it in the programs code; or does the OS has a list of binaries that can only invoke xy syscalls?

Improve this question

3 Answers 3

Reset to default
19

What is Pledge?

pledge is a system call.

Calling pledge in a program is to promise that the program will only use certain resources.

Another way of saying is to limit the operation of a program to its needs, e.g.,

"I pledge not to open any new sockets"
"I pledge to only write temporary files, and not write other files"

How does it make a program more secure?

It limits the operation of a program. Example:

  • You wrote a program named xyz that only needs the read system-call.
  • Then you add pledge to use only read but nothing else.
  • Then a malicious user found out that in your program there is a vulnerability by which one can invoke a root shell.
  • Exploiting your program to open a root shell will result that the kernel will kill the process with SIGABRT (which cannot be caught/ignored) and generate a log (which you can find with dmesg).

It happens because before executing other codes of your program, it first pledge not to use anything other than read system call. But opening root shell will call several other system-calls which is forbidden because its already promised not to use any other but read.

Where is Pledge?

Its usually in a program. Usage from OpenBSD 6.5 man page:

#include <unistd.h>

int pledge(const char *promises, const char *execpromises);

Example Code: Example code of cat command from cat.c

........
#include <unistd.h>
........
int ch;
if (pledge("stdio rpath", NULL) == -1)
    err(1, "pledge");

while ((ch = getopt(argc, argv, "benstuv")) != -1)
..........
Improve this answer
3
  • 1
    This's a good explanation, but is it actually true that you can make pledges as fine-grained as "I pledge not to use any other ports except port 63" or "I pledge not to use any other system-call except lseek() and fork()"? Commented May 4, 2020 at 20:07
  • 1
    What about, say, a Java program? I don't know what syscalls the JVM will make on my program's behalf. I know my program will be reading and writing a file, so I could pledge only those syscalls, but the JVM may do something else that is normal but not one of those syscalls. Commented May 8, 2021 at 19:20
  • Yes, @poolie it doesn't look like you can specify the port(s) you're using or the exact system calls. Still if you're using lseek() you would also want to open and close the file so might as well request stdio. There is also rpath if you're read-only. Commented Aug 27, 2024 at 13:18
6

A program normally makes use of only a certain set of system or library calls. With pledge you can restrict the set of allowed system calls to only this set. For example, if a program does not need to read the password database, you can forbid calling the getpwnam() function.

How is this useful? It is an extra line of defense against vulnerabilities. If the program contains a bug, somebody might be able to use exploit the bug to alter the execution flow of the program or inject some extra code into the process. The bug can be, for example, a buffer overflow error in a network facing daemon, which the attacker can trigger by sending the program more data than it can handle, possibly arranging for the program to read and send the contents of the /etc/passwd file over the network.

Improve this answer
5

Your program "pledges" to only use functionality {A,B,C}

If a hacker could inject code into your pledged process and attempt functionality D, then the OS crashes your program

For example, say you have an NTP server. It has pledged to only use DNS and CLOCK functionality. But it has a flaw that allows remote code execution. Hacker asks it to WRITE FILE. But pledge will detect this and shutdown the program and log the error

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.