Harvard researchers take aim at Shellshock-like woes with new scripting language

The Shill scripting language limits the rights of shell programs to what is necessary to get the job done

Shellshock vulnerability test for Bash

Shellshock vulnerability test for Bash

While administrators scramble to fix the newly discovered Shellshock vulnerability, Harvard University researchers are putting the finishing touches on a scripting language built to mitigate the damage caused by such holes.

The language, called Shill, was designed to limit shell-based scripts so they can't access resources beyond what is specifically needed for the task at hand.

"You want to give the script exactly the permissions it needs to get its job done," said Scott Moore, a computer science doctoral student at Harvard who is one of the contributors to the Shill research project, led by Stephen Chong, an associate professor of computer science.

The team is working on a version of Shill for the FreeBSD Unix operating system and is mulling the idea of porting it to Linux. The team will also present the technology next week at the USENIX Symposium on Operating Systems Design and Implementation conference, in Broomfield, Colorado.

Shill follows the principle of least privilege, which stipulates that software shouldn't posses more authority than what it needs to complete its job, Moore said.

Unix-based systems, such as Linux and Apple's OS X, already come with rigorous permission systems, based on the user and any groups to which the user is assigned. The weakness in this approach is that any programs run by the user inherit all the permissions assigned to that user and that group.

"The idea of Shill is to give you control over what you want a program or script to access," Moore said. For instance, if someone writes a script for the Bash shell to work within a particular directory, then Shill can ensure the script can access only that directory and not all of the directories that the user can access. A shell is a user interface, either a graphical interface or, in Bash's case, a command line interface. A shell script is a set of commands, encapsulated in a file, that the shell understands and can execute automatically when the file is run by the operating system.

"Most scripting languages, such as Bash, don't give you a way to figure out what the script is going to do. Everything is buried inside the code," said Christos Dimoulas, a Harvard graduate student also on the development team. "Shill, in contrast, comes with specific interfaces that make it extremely easy to declare and enforce exactly what the script is going to do."

Shill received a bump in publicity as news of the Shellshock vulnerability roiled through the Linux system administrator community. Shill could be used to prevent Shellshock-like vulnerabilities, Moore said.

Shellshock is a command injection vulnerability, in which a malicious attacker could inject their own commands into a Bash shell script, giving permissions to do whatever the user of that script has permissions to do on that system.

"It's dangerous because this Bash script that you created to generate a Web page can also be used to launch a new shell or exploit other vulnerabilities in the system," Moore said.

Shill would limit what can be done with any particular script. "Even if someone is able to inject some commands, they are still limited to the initial set of permissions that the script had in the beginning," Moore said.

In a way, Shill is similar to SE Linux, a National Security Agency technology embedded in Linux that is widely used to restrict what programs can do on a computer. SE Linux is used to establish a computerwide policy, while Shill confines the policies to the particular script executing the task, Moore said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags softwaresystem managementharvard university

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?