[squeak-dev] Re: Another FFI/Installer issue

Andreas Raab andreas.raab at gmx.de
Sun Aug 3 07:26:16 UTC 2008


stephane ducasse wrote:
> could give some examples about the security problems FFI brings into 
> play (buffer overflow? ... and issues like that?)

How about something like:

   Win32OS shellExecute: 'format c:'.

or, for our unix friends (who often think they are invulnerable ;-)

   UnixOS system: 'find ~/ -type f -exec rm -f {} \;'.

This should do it. Note that you can slip this in without even having 
any of the FFI in the image since you can construct the necessary bits 
on the fly (calling system() is particularly trivial). It's downhill 
from there since there are simply too many ways in which *all* of the 
operating systems are entirely unsafe.

And before anyone says "but you can do this with FileDirectory as well": Yes, 
you can, but only if the sandbox isn't activated. As soon as you go into 
sandbox mode via "SecurityManager default enterRestrictedMode", an attack 
like the above will no longer work.

Cheers,
   - Andreas

> 
> Stef
> 
> On Aug 3, 2008, at 12:52 AM, Andreas Raab wrote:
> 
>> Igor Stasenko wrote:
>>> Because of that, I have a strong bias that FFI plugin should be
>>> included as internal plugin into VM by default (and FFI package could
>>> still be optional, but it should be tested to be able to be loaded
>>> without problems in ANY image).
>>> The arguments for not putting it in, which some people like repeating, that FFI
>>> puts instability into image/VM seem very odd to me. A running
>>> Croquet is the best illustration of what such arguments are worth.
>>
>> It's not about stability, it's about security. Without the FFI, it is 
>> possible to have a fairly well sand-boxed environment (see Squeakland 
>> for example). With the FFI, this is simply impossible. That's why the 
>> FFI isn't built-in, and likely never will be for any VMs that I release.
>>
>> Cheers,
>>  - Andreas
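As an added illustration of Andreas's point (not code from the thread, and a Python model rather than Squeak): an in-image restricted mode can gate the image's own file API, but a foreign call into libc never consults that flag, so the only effective mitigation is to withhold the foreign-call bridge itself from a sandboxed image. The names SecurityManager and file_directory_delete mirror the Squeak ones but are hypothetical stand-ins here.

```python
import ctypes
import os
import tempfile


class SecurityManager:
    """Hypothetical stand-in for Squeak's SecurityManager: one in-image flag."""
    restricted = False

    @classmethod
    def enter_restricted_mode(cls):
        cls.restricted = True


def file_directory_delete(path):
    """Image-level file API (FileDirectory analogue): honours restricted mode."""
    if SecurityManager.restricted:
        raise PermissionError("restricted mode: file deletion refused")
    os.remove(path)


def ffi_unlink(path):
    """Raw FFI path: calls libc's unlink() directly. Nothing on this path
    consults SecurityManager, so the in-image sandbox is simply not in the loop."""
    libc = ctypes.CDLL(None)  # symbols of the running process, libc included
    return libc.unlink(path.encode()) == 0


def guarded_ffi_unlink(path):
    """Mitigation: the foreign-call bridge itself refuses to run once the image
    is sandboxed (the VM-level equivalent is not building the FFI plugin in)."""
    if SecurityManager.restricted:
        raise PermissionError("restricted mode: FFI unavailable")
    return ffi_unlink(path)


def demo():
    """Returns (wrapper_blocked, ffi_bypassed, guarded_blocked) using scratch files."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    SecurityManager.enter_restricted_mode()
    try:
        file_directory_delete(path)
        wrapper_blocked = False
    except PermissionError:
        wrapper_blocked = True
    ffi_bypassed = ffi_unlink(path) and not os.path.exists(path)
    fd, path2 = tempfile.mkstemp()
    os.close(fd)
    try:
        guarded_ffi_unlink(path2)
        guarded_blocked = False
    except PermissionError:
        guarded_blocked = True
    if os.path.exists(path2):
        os.remove(path2)
    return wrapper_blocked, ffi_bypassed, guarded_blocked
```

Running demo() shows the wrapper check holding, the raw FFI call going straight past it, and the guarded bridge holding again.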