Serg Koren wrote: ---snip---
However, it does bring up the possibility of nasty squeak viruses infecting your machine. Some thought should be given regarding a security mechanism to limit or prevent such things if Squeak/web applets are to be produced.
This is one of those projects that has not yet gotten attention. Ted Kaehler posted this spec and challenge last year for a file-safe VM for Squeak:
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Subject: File-safe Squeak VM Date: Mon, 8 Sep 1997 18:16:28 -0700 From: "Ted K." tedk@wdi.disney.com
Folks,
We have discussed servers written in Squeak that evaluate an arbitrary Smalltalk expression, or serve up HTML. These servers are vulnerable to any Smalltalk virus that overwrites the server's hard disk. Mark Lentczner and I have been thinking about this issue for several years, and have written up the way we made Codeworks(tm) be file-safe. See http://www.glyphic.com/glyphic/papers/safehelperapps/title.html (Glyphic Codeworks is a prototype-based Smalltalk-like system available for the Mac for free at www.glyphic.com)
For Squeak, I've come up with the following spec for a File-Safe VM. The idea is that user code can wreak havoc within the Squeak image, but can only do limited damage on the host's disk. With these restrictions, in each session, only files in one folder can be read and written, only a limited number of new files can be opened, and only a limited number of bytes can be written. In addition, we want a user who accidentally runs into the limits to be able to save his work one last time before the system refuses to write anymore. Only servers and other special applications would use this VM. Normal operation of the server would not trigger these limits.
The File-Safe VM proposal:
1) A new flag "NoVirus" in the C translator. False for the normal Squeak VM, and true for the File-Safe VM.
2) At Squeak startup, init some counters in C. Put 100 into SessionNewFiles, put 10,000,000 in SessionBytesWrt.
3) Code in the File primitive: If NoVirus, file prim will not read or write outside the Squeak folder. That folder is found by some fixed path from either the .image location or the .exe location. Writing in the .image is also allowed (used to save a modified image after sys updates). Served pages must be in a folder within the Squeak folder.
4) If NoVirus, no file types may be written except those of .sqo, text, and image (Mac). No files ending in suffixes other than .sqo, .img, or .txt may be written (PC) (This is to block out .exe, and other special suffixes.) No aliases may be written.
5) If NoVirus, every file rename or file creation decrements SessionNewFiles. When zero, do the primitive, but also return an error code. The Squeak file code puts up the message "More than 100 files were created this session. To prevent viruses, we do not allow more. After this write is complete, quit Squeak." When less than zero, just fail the primitive. (How to check for a code when the primitive succeeds? In the File info block??)
6) If NoVirus, all bytes written decrement SessionBytesWrt. When 1 meg or less, do the primitive, but also return an error code. The Squeak file code puts up the message "More than 9 megs were written on the disk this session. To prevent viruses, we do not allow more. After this write is complete, quit Squeak." When less than zero, just fail the primitive.
7) No Apple Events or ActiveX interprocess events are allowed. (Don't allow another app to do the file writing for us.)
8) If NoVirus, disable the escape to user-supplied C code, or to direct OS calls (when we have these in Squeak).
Creating this new VM would not only help Squeak web servers, but also any end-user Squeak applications that involve blindly downloading Squeak code over the web. Would you like to do it?
--Ted Kaehler.
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
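The checks in items 2 through 6 of Ted's spec, written out as C the way a VM file primitive might call them. This is an added illustration, not code from the Squeak VM or from Ted's proposal; the function names, the FileSafeState struct and the sample folder path are assumptions. The folder test is a plain prefix comparison against an absolute folder path ending in '/' plus a rejection of any ".." component, so it does not cover aliases or symlinks (item 4's "no aliases" rule lives at the filesystem layer, not here).

```c
/* Added example: File-Safe VM counters and gates from Ted Kaehler's spec.
   Not the real Squeak VM file primitive; names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

enum FileSafeStatus { FS_OK = 0, FS_WARN = 1, FS_FAIL = 2 };

typedef struct {
    const char *squeakFolder;  /* absolute path of the Squeak folder, trailing '/' */
    long sessionNewFiles;      /* item 2: starts at 100 */
    long sessionBytesWrt;      /* item 2: starts at 10,000,000 */
} FileSafeState;

/* Item 4 (PC rule): the only suffixes the File-Safe VM will write. */
static const char *allowedSuffixes[] = { ".sqo", ".img", ".txt" };

/* Item 2: initialise the per-session budgets. */
void fileSafeInit(FileSafeState *s, const char *folder) {
    s->squeakFolder = folder;
    s->sessionNewFiles = 100;
    s->sessionBytesWrt = 10000000L;
}

/* Item 3: path must lie inside the Squeak folder. The folder string ends in '/'
   so "/srv/squeak-other/" cannot pass as "/srv/squeak/"; ".." segments are refused. */
bool fileSafePathAllowed(const FileSafeState *s, const char *path) {
    size_t n = strlen(s->squeakFolder);
    if (strncmp(path, s->squeakFolder, n) != 0) return false;
    const char *p = path + n;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if ((size_t)(p - seg) == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (*p == '/') p++;
    }
    return true;
}

/* Item 4: suffix allow-list; a name with no suffix is refused too. */
bool fileSafeSuffixAllowed(const char *path) {
    const char *dot = strrchr(path, '.');
    const char *slash = strrchr(path, '/');
    if (dot == NULL || (slash != NULL && dot < slash)) return false;
    for (size_t i = 0; i < sizeof allowedSuffixes / sizeof allowedSuffixes[0]; i++)
        if (strcmp(dot, allowedSuffixes[i]) == 0) return true;
    return false;
}

/* Item 5: each creation or rename spends one unit; zero = do it but warn,
   below zero = fail outright. */
enum FileSafeStatus fileSafeNoteNewFile(FileSafeState *s) {
    s->sessionNewFiles--;
    if (s->sessionNewFiles < 0) return FS_FAIL;
    if (s->sessionNewFiles == 0) return FS_WARN;
    return FS_OK;
}

/* Item 6: bytes written spend the byte budget; 1 meg or less left = warn,
   below zero = fail. */
enum FileSafeStatus fileSafeNoteWrite(FileSafeState *s, long nbytes) {
    s->sessionBytesWrt -= nbytes;
    if (s->sessionBytesWrt < 0) return FS_FAIL;
    if (s->sessionBytesWrt <= 1000000L) return FS_WARN;
    return FS_OK;
}

/* Gate for a create-and-write request: location and suffix are checked before
   any budget is spent, so a refused path costs nothing. */
enum FileSafeStatus fileSafeCheckCreateWrite(FileSafeState *s, const char *path, long nbytes) {
    if (!fileSafePathAllowed(s, path) || !fileSafeSuffixAllowed(path)) return FS_FAIL;
    enum FileSafeStatus a = fileSafeNoteNewFile(s);
    if (a == FS_FAIL) return FS_FAIL;
    enum FileSafeStatus b = fileSafeNoteWrite(s, nbytes);
    if (b == FS_FAIL) return FS_FAIL;
    return (a == FS_WARN || b == FS_WARN) ? FS_WARN : FS_OK;
}

int main(void) {
    FileSafeState s;
    fileSafeInit(&s, "/srv/squeak/");   /* constructed sample folder */
    printf("index.txt: %d\n", fileSafeCheckCreateWrite(&s, "/srv/squeak/pages/index.txt", 500));
    printf("evil.exe:  %d\n", fileSafeCheckCreateWrite(&s, "/srv/squeak/evil.exe", 500));
    printf("traversal: %d\n", fileSafeCheckCreateWrite(&s, "/srv/squeak/../x.txt", 500));
    return 0;
}
```

The warn-then-fail shape is what gives the user the "save your work one last time" moment the spec asks for: the primitive still completes at the threshold, and the image-level file code is expected to show the message and ask for a quit.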