On 21.03.2011, at 14:09, Igor Stasenko wrote:

> It sounds as contradiction to me. From one side you want to make VM
> being responsible for certain level of security, but from another
> side, you want it to be open for "insecure" stuff like NativeBoost.
> Apparently you can't have both at once. You should choose one.
> Unless you change VM to disable external module loading mechanism,
> there is no any security guarantees, only imaginable ones.
> I could download plugin from web, place it into 'secure' directory and
> then tell VM to load it as external plugin.

If the VM sandbox is enabled, file access is restricted to a single directory. So you cannot write the plugin to the plugin directory. 

(if there are problems with the current implementation, we should fix those, obviously)

>  And where is your command-line option(s) now?

This has nothing to do with command line options. The sandbox is enabled by a primitive. Etoys enables it before downloading code. There is no way to disable it once engaged.

> For things like NativeBoost, it is responsibility of developer(s) ,
> what level of security is desirable/enough for them.
> In this regard, VM is just a tool which developers using.

Yes, but the virtual machine defines the boundary 

> And may i ask, why you don't want to put a security measures at
> language side? You can disable or completely remove compiler.

Not if you want to allow the user to write code.

> You can
> disable a primitives which allow doing "nasty" stuff,
> and of course you can make it controllable from command line. And
> because it is at language side, it is much easier to maintain and fix
> and develop in general. So, why not?

That is precisely what the SecurityPlugin is designed to do. It is very simple, but all VM extensions (like NativeBoost) would have to use it.

> I am really enjoying  that smalltalk has a wide open architecture, but
> at the same time it missing one simple thing: a 'deployment' mode,
> where you have certain security guarantees out of the box.
> So that's an open question, why we never had that in Squeak.. VM
> cannot do such magic, it is too stupid and cannot really tell if given
> sequence of bytecodes/class format/external plugin are secure enough
> or not.
> This logic is best to be put at image side where you can reason about
> it much easier because you have reflection ( and smalltalk instead of
> C :)

The VM is the interface between Smalltalk code and the outside world. Traditionally we have been keeping this interface as small as possible. It's an ideal place to ensure that bad things won't happen. VM extensions like FFI, OSProcess, NativeBoost allows code to circumvent the safe environment of the VM. 

>> It would be a shame if e.g. Etoys would have to ship its own VM because you made it less secure in newer versions. After all, it was Etoys that convinced all the major Linux distros to even include a VM.
>> 
> 
> No no no.. Please stop looking at VM as a black-box with two inputs
> and one TV output. This approach is too naive and will never pass any
> real-world testing, moreover it hinders any progress towards improving
> state of art.
> If you approach with our "standard" VM to some serious guys, first
> thing they will do is to ask a security expert to evaluate it..
> And then any your proposal which is based on such technology will be
> rejected instantly, and i fear that project budget will be spent on
> making same thing but in java.

By widening the VM interface you make security analysis even harder. Or even unnecessary, by allowing FFI or arbitrary native code there is no security anyway.

> So, it is a shame that we don't have a good answer to tough guys, and
> instead of really looking how to make system sound and secure, we're
> like sitting ducks with all these command-line options, which can be
> cracked by
> some clever guy in few minutes.

I have no idea what your beef with command-line options is. It's a red herring anyway. Etoys does not use security-related command-line options.

> In my vision, VM should be made a dynamically loadable library with
> nice API to interact with host application. Currently we have a
> monolithic VM, which is host and library in one. But in future i'd
> like (and not just me btw) to have
> VM which can be easily embedded into a host application, and then host
> application can control security as well as many other aspects.

So I need a C compiler to build my apps instead of doing it in Smalltalk? No thank you. I do not share that vision.

> For things like browser plugin, you simply can't use same things for
> everything.

I'm sorry, but that's bullshit. The browser plugin executes the same VM binary as a standalone app.

> And so, we should provide a way for making it easy to
> customize VM for own purpose(s),
> but at same time make it flexible enough to make forking pointless.

Precisely. And what I want is run-time customization, not compile-time. 

> And that's exactly why we building an infrastructure for VMs: it will
> enable us to build own custom VMs in much easier, much less painful
> and much more controllable way.

I very much like the build infrastructure you are setting up. It's very useful for development, for working together, for shorter turn-around times etc.

But that is totally unrelated to the question how many different Linux packages there should be for the VM. Because those packages are not built by your Hudson installation. They are built by the Fedora maintainer, the Debian packager, etc.

Do you know how many different Python interpreters there are in a typical Linux distro?

> And for Etoys this is a way to go: you can share the same code base,
> but in own corner you could have mods, which will disable or stub-out
> unwanted/insecure functionality.

It is reasonably simple to just have a flag in the VM to disable the insecure parts. Why would I need a C compiler to do that? Why can't we share even more than just the code base?

> In that way you can be confident that application you distributing is secure,
> and instead of arguing with me (or some other VM developer guy) what
> is best for you, you can do it yourself without much stress. :)

So this is you telling me to just shut up? When all I am asking for is to make things configurable at runtime (in true Smalltalk spirit) rather than having to compile my own VM? I'm not arguing against native boost or FFI or the like, but simply for an option to disable it at runtime.

> Just don't tell me that you don't want this, or you never considered
> it as a good perspective. ( I won't believe you anyways ;)

Why wouldn't you believe it? I went to *considerable* effort to *not* bundle a VM with Etoys. That would have been much easier for me indeed, and in fact we used to bundle a Linux VM until about 3 years ago. I then built the original Etoys RPM so that it depends on a VM RPM. And thanks to that effort (and people doing the packaging work) today we have Etoys and VM packages in many Linux distros:

	http://pkgs.org/package/squeak-vm

Call me a dreamer, but I find it important to being a good player in the wider open-source community. And that community has evolved considerably from "download the sources and configure it to taste and compile your own". A single binary package is standard nowadays. You don't really recompile Firefox to change a preferences, do you?

- Bert -