From: [...] jwalsh@bigpond.net.au
Thanks Ross, you have given me the partial answer to a problematic which has bugged me for a while: It started off as "Is Smalltalk safe from Windows?", then progressed to "Is Smalltalk safe from 'C'?", now it's "Is Smalltalk safe from Smalltalk". This was originally a problem which could not ever happen to Smalltalk. Encapsulation and message passing meant the Method was safe from intruders.
... it's not. Object has plenty of debugging methods for poking at slots on arbitrary objects. It's relatively simple to overwrite a CompiledMethod's bytecodes and even simpler just to replace the method with one you compile up. There is nothing mystical about objects; they're just data. In order to run a debugger, *something* has to break encapsulation.
Can someone please convince me that Smalltalk is safe from 'C' hackers.
On the contrary, I can convince you the other way. Object memory in Smalltalk is merely bytes at locations in memory; the VM uses a C-language stack for some of its work, which can be attacked; and the virtual machine is a chunk of compiled C. If the VM can do it, attacking code can do it; and the VM is the only way of creating any effect in Smalltalk. Therefore, all the effects that you see in Smalltalk can be duplicated by C code, because they are *created* by C code. There is nothing mystical about objects, image, or anything else.
- Peter
Well, I'll comment that Smalltalk does provide index bounds checking, type checking, etc., all of which makes life a bit safer.
However no-one has ever done an audit of the primitive interface to ensure blatant lies about incoming parms, buffer overflows, and the like don't have interesting side-effects as part of doing the prim call. Occasionally prim calls check things but they are not paranoid enough.
From the other direction, no serious effort has been taken to ensure strangely made incoming/outgoing socket requests won't have interesting side-effects. Let alone understanding the problems if you give a user the ability to execute arbitrary Smalltalk code which could allow you to exploit FFI, or OSProcess, file streams, or Applescript into doing something interesting.
Certainly it's easy to create pure simple Smalltalk code to provide a denial of service effect, or with a bit more effort crash the VM.
However, if someone had funding I'm sure there are some folks who could certainly tackle the primitive interface audit.
PS if you are asking about Smalltalk as a Server on the internet, without the ability for anyone to execute arbitrary Smalltalk code the amount of effort to ensure it is "safe" is more manageable.
On 22-Sep-05, at 3:01 PM, Peter Crowther wrote:
Can someone please convince me that Smalltalk is safe from 'C' hackers.
On the contrary, I can convince you the other way. Object memory in Smalltalk is merely bytes at locations in memory; the VM uses a C-language stack for some of its work, which can be attacked; and the virtual machine is a chunk of compiled C. If the VM can do it, attacking code can do it; and the VM is the only way of creating any effect in Smalltalk. Therefore, all the effects that you see in Smalltalk can be duplicated by C code, because they are *created* by C code. There is nothing mystical about objects, image, or anything else.
- Peter
--
===========================================================================
John M. McIntosh johnmci@smalltalkconsulting.com 1-800-477-2659
Corporate Smalltalk Consulting Ltd. http://www.smalltalkconsulting.com
===========================================================================
squeak-dev@lists.squeakfoundation.org