Plugin Security (Was Re: How do I create a SqueakPlugin.image from a 2.9a ?)

Raab, Andreas Andreas.Raab at disney.com
Tue Jan 23 19:19:29 UTC 2001


Luciano,

Right now that would work. But there's an easy way to get around this
problem by simply not exposing the pointer to the function but rather an
index into a table hidden in the VM. That way you may call a different
primitive but not an arbitrary location in memory. I'm looking into the
issue.

Cheers,
  - Andreas

> -----Original Message-----
> From: Luciano Notarfrancesco [mailto:lnotarfrancesco at yahoo.com]
> Sent: Monday, January 22, 2001 7:23 PM
> To: squeak at cs.uiuc.edu
> Cc: recipient list not shown
> Subject: Re: Plugin Security (Was Re: How do I create a
> SqueakPlugin.image from a 2.9a ?)
> 
> 
> 
> Removing write access to files is not enough. I think
> I can manage to write to an arbitrary place of the
> memory (and thus execute arbitrary code) using
> #become:. And there might be other ways to do this
> too... like replacing a CompiledMethod by a primitive
> method with primitive 117 (externalCall) and put in
> the first literal an array like described in
> Interpreter|primitiveExternalCall but with the
> appropriate address in the last position. I'm not sure
> this will work... I never tried it.
> 
> Here's a challenge: find all possible ways to execute
> arbitrary code from Squeak.
> 
> Cheers,
> Luciano.-
> 
> 
> --- Russell Allen <russell.allen at firebirdmedia.com>
> wrote:
> > Karl Ramberg <karl.ramberg at chello.se> wrote:
> > > Russell Allen wrote:
> > > > I guess it depends whether we think people using
> > the plugin will need
> > > > the source - personally I would like
> > SqueakPlugin.image to be a shrunked
> > > > image but still be with changes and source files
> > (can we shrink them
> > > > too?  Or offload the comments to a website
> > somewhere?)
> > > 
> > > I think there is an issue with security and
> > therefore only saving to the
> > > image file is enabled. 
> > 
> > I appear to be able to read and write the entire
> > directory that the
> > image is in.  On Windows machines this is the
> > directory that all of the
> > plugins are in, so theoretically I could write a
> > squeaklet that deleted
> > all competing plugins such as shockwave and flash :)
> >  
> > 
> > Worse, I could replace them (and Squeak) with
> > alternate binaries :(
> > 
> > Even if I was only allowed to save the image, I
> > could at the very least
> > mount a DoS attack on the machine by filling the HD
> > up with an image
> > bloated with random data.
> > 
> > Obviously in time a full security system with
> > sandpits and trust levels
> > would be nice; in the meantime could we disable the
> > ability of
> > SqueakAsPlugin to write to the local drive at all? 
> > (With the exception
> > of automatic updates to the VM/image - maybe that
> > should be done at the
> > VM level? With cryptographically signed updates? :)
> > 
> > Cheers,
> > 
> > Russell
> > 
> > ----------------------------------------
> > Russell Allen
> > 
> > russell.allen at firebirdmedia.com
> > 
> > ----------------------------------------
> > 
> 
> 
> 
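
The table-index mitigation Andreas describes at the top of this thread, shown in C as an added example; it is not code from the Squeak VM or from any poster. `prim_table`, `call_external`, `PRIM_FAIL` and the two sample primitives are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical primitive signature; return values are arbitrary markers. */
typedef int (*prim_fn)(void);

static int prim_beep(void)  { return 1; }
static int prim_clock(void) { return 2; }

/* The table lives in VM memory only. Image code can name an entry by
   index but never sees or supplies a function address. */
static const prim_fn prim_table[] = { prim_beep, prim_clock };
#define PRIM_COUNT (sizeof prim_table / sizeof prim_table[0])
#define PRIM_FAIL  (-1)

/* untrusted_slot is the value read from the method's literal, which image
   code fully controls. It is interpreted as an index, never as a pointer. */
int call_external(intptr_t untrusted_slot)
{
    if (untrusted_slot < 0 || (uintptr_t)untrusted_slot >= PRIM_COUNT)
        return PRIM_FAIL;            /* primitive fails, nothing is called */
    return prim_table[untrusted_slot]();
}

int main(void)
{
    /* Constructed inputs: two valid indices, then values an image might
       forge in the hope of having them treated as code addresses. */
    intptr_t samples[] = { 0, 1, 2, -1, (intptr_t)0x7f001234 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("slot %ld -> %d\n", (long)samples[i], call_external(samples[i]));
    return 0;
}
```

A forged literal can still select a different registered primitive, as the message notes, so each table entry has to be safe to call from untrusted image code.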




