Hi All,
recently Denis Kudriashov wanted to access the OS handle of a Socket from the image to pass through the FFI. David Lewis pointed out that the AioPlugin provides a primitive to do this. I asked David why he didn't add it to the SocketPlugin in the first place and he discussed Andreas Raab's security concerns. It strikes me
a) that accessing the OS handle of a file or a socket is extremely useful in some circumstances and invalid in others,
b) having handle access in a secondary plugin is inconvenient to say the least,
c) having access only to Socket handles and not to file handles is also inconvenient.
So I propose adding a SecurityPlugin facility to control handle access, which would be granted by default, and to add primitives to both the SocketPlugin and FilePlugin to answer the native OS handle when the SecurityPlugin grants permission.
I also propose adding a compilation flag to the Windows VM to allow compiling out Andreas' handle management, which consists merely of maintaining a table of the file handles (not the socket handles) that have been created by the VM. It strikes me that a much better solution is merely to encrypt the handle via xoring with a value created at random. I don't see how Andreas' solution adds value, especially since it is not implemented on other platforms, and merely adds overhead.
Thoughts? Objections?
_,,,^..^,,,_
best, Eliot
Hi Eliot,
I don't share the security concerns in this matter, but here are two thoughts:
1) The OS handle would just be a number or another simple object? So, I would compare it to any other "reference" to an artifact manifested outside the image that could become invalid anytime. For example, any URL can be stored in-image yet become invalid after some time if the DNS entry would vanish.
2) On a conceptual level, I see no issues to mix objects of different abstraction levels in the image. We do it all the time. A person might be represented as an instance of some Person class that points to an SqlDatabase that points to an SqlTable that points to a DirectoryEntryFile that points to a FileStream that ... and so on. We would just promote/offer the existing abstraction of OS handles to the object-oriented world.
It would be unfortunate if security concerns were to negatively affect consistency in this regard.
Best, Marcel

On 16.08.2017 02:13:50 Eliot Miranda eliot.miranda@gmail.com wrote:
Hi Eliot.
I asked David why he didn't add it to the SocketPlugin in the first place
and he discussed Andreas Raab's security concerns
It would be interesting to read about them, because it looks strange that it is secure to manage an OS handle from the VM but not secure to manage it from the image side. Both ways are requested by the user, directly or indirectly, which means that the user has OS permissions. So what is the difference?
2017-08-16 2:13 GMT+02:00 Eliot Miranda eliot.miranda@gmail.com:
On Wed, Aug 16, 2017 at 1:36 PM, Denis Kudriashov dionisiydk@gmail.com wrote:
Hi Eliot.
I asked David why he didn't add it to the SocketPlugin in the first place
and he discussed Andreas Raab's security concerns
It would be interesting to read about them, because it looks strange that it is secure to manage an OS handle from the VM but not secure to manage it from the image side. Both ways are requested by the user, directly or indirectly, which means that the user has OS permissions. So what is the difference?
It's for when you want to allow arbitrary code to be executed in the image, yet still protect the machine from harm. This happens when sharing objects between images - an object could have malicious code attached. So in that case, before running the code, we turn on the VM file sandbox via the SecurityPlugin. This ensures that the image can only access files in a sandbox directory but not outside. But it only works if the FilePlugin is the only way to access files - meaning FFI and OSProcess etc. must be disabled, and there must not be another way to create file handles.
So IMHO, if the goal is to get a raw handle for use in FFI, then that's okay, since all security goes out the door as soon as FFI is enabled anyway. And if FFI is not enabled, then the raw file handle isn't useful, so there is no need to restrict read-access to it. Or am I missing something?
TL;DR read-only access to raw file handle may not be a security issue.
- Bert -
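As an added illustration (this is not Squeak VM code, and not something Eliot, Andreas or Bert wrote), the following C model puts the mechanisms discussed in Eliot's proposal and in Bert's reply side by side: a table of the file handles the VM itself created, a per-session random XOR mask applied to the value answered to the image, and a SecurityPlugin-style gate that refuses the handle primitive while the file sandbox is active. Every name in it (VmState, prim_file_native_handle, prim_resolve_handle, vm_handle_access_granted) and every handle or mask value is an assumption made up for the example.

```c
/* Added example, not Squeak VM code: a toy model of the two handle
 * mechanisms discussed in the thread plus a sandbox gate. All names and
 * values are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HANDLES 16

typedef struct {
    uint32_t sessionMask;        /* random value chosen once per VM session */
    int table[MAX_HANDLES];      /* OS handles this VM created (the handle table) */
    int count;
    bool sandboxActive;          /* SecurityPlugin file sandbox switched on */
} VmState;

/* In a real VM the mask would come from a CSPRNG at startup; the caller
 * supplies it here so the example is deterministic. */
static void vm_init(VmState *vm, uint32_t sessionMask) {
    vm->sessionMask = sessionMask;
    vm->count = 0;
    vm->sandboxActive = false;
}

/* FilePlugin opened a file and records the handle it got from the OS. */
static bool vm_register_handle(VmState *vm, int osHandle) {
    if (vm->count >= MAX_HANDLES) return false;
    vm->table[vm->count++] = osHandle;
    return true;
}

static bool vm_table_contains(const VmState *vm, int osHandle) {
    for (int i = 0; i < vm->count; i++)
        if (vm->table[i] == osHandle) return true;
    return false;
}

/* "Encrypt" the handle by XORing with the session mask. The image sees only
 * the masked value, and a value kept from an earlier session (different
 * mask) no longer unmasks to the handle it once denoted. */
static uint32_t vm_mask_handle(const VmState *vm, int osHandle) {
    return (uint32_t)osHandle ^ vm->sessionMask;
}

static int vm_unmask_handle(const VmState *vm, uint32_t imageValue) {
    return (int)(imageValue ^ vm->sessionMask);
}

typedef enum { PRIM_OK, PRIM_DENIED, PRIM_BAD_HANDLE } PrimResult;

/* SecurityPlugin-style gate: access is granted by default and withdrawn
 * while the file sandbox is on, because a raw handle would let image code
 * reach a file without going through FilePlugin's path checks. */
static bool vm_handle_access_granted(const VmState *vm) {
    return !vm->sandboxActive;
}

/* Proposed primitive: answer the (masked) native handle of an open file. */
static PrimResult prim_file_native_handle(const VmState *vm, int osHandle,
                                          uint32_t *out) {
    if (!vm_handle_access_granted(vm)) return PRIM_DENIED;
    if (!vm_table_contains(vm, osHandle)) return PRIM_BAD_HANDLE;
    *out = vm_mask_handle(vm, osHandle);
    return PRIM_OK;
}

/* The image hands a value back to the VM. With the table the VM can reject
 * a value that unmasks to a handle it never created; with the mask alone it
 * has no way to tell and accepts whatever integer results. */
static PrimResult prim_resolve_handle(const VmState *vm, uint32_t imageValue,
                                      bool useTable, int *out) {
    int candidate = vm_unmask_handle(vm, imageValue);
    if (useTable && !vm_table_contains(vm, candidate)) return PRIM_BAD_HANDLE;
    *out = candidate;
    return PRIM_OK;
}

int main(void) {
    VmState vm;
    vm_init(&vm, 0xA5C3F00Du);   /* constructed session mask */
    vm_register_handle(&vm, 5);  /* constructed: fd 5 opened by FilePlugin */

    uint32_t masked;
    if (prim_file_native_handle(&vm, 5, &masked) == PRIM_OK)
        printf("masked handle for fd 5: 0x%08x\n", masked);

    /* a value the image did not receive from the VM (constructed) */
    uint32_t stray = 0xA5C3F00Du ^ 7u;
    int fd;
    printf("stray value, mask only: %s\n",
           prim_resolve_handle(&vm, stray, false, &fd) == PRIM_OK ? "accepted" : "rejected");
    printf("stray value, with table: %s\n",
           prim_resolve_handle(&vm, stray, true, &fd) == PRIM_OK ? "accepted" : "rejected");

    vm.sandboxActive = true;
    printf("handle primitive under sandbox: %s\n",
           prim_file_native_handle(&vm, 5, &masked) == PRIM_DENIED ? "denied" : "allowed");
    return 0;
}
```

The model shows the difference between the two schemes: the XOR mask hides the raw number and makes values from another session useless, but only the table lets the VM check that a value handed back unmasks to a handle it actually created. The gate mirrors Bert's point that the sandbox holds only as long as FilePlugin is the sole path to a file handle, so the handle primitive is simply refused while the sandbox is active.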
+1
On 16 Aug 2017, at 02:13, Eliot Miranda eliot.miranda@gmail.com wrote: