Re: Save the world from evil code crusade



aurelianito <aurelianocalvo@xxxxxxxxxxxx> wrote:
1. What exactly will your security model look like?  I'm not even
sure that you have a clear vision yet so maybe before dealing with
implementations it might be more helpful to first make clear what
will be allowed, what not and how you want to separate areas of
different capabilities.

A permission is an object with the method implies?( permission )

implies?( permission ) returns true iff self implies permission. For
instance:

TRUE == write_in_any_file.implies?( write_in_foo_txt ).
FALSE == write_in_any_file.implies?( format_hard_disk ).

Of course, TRUE == a.implies?( a ).

When a protected operation is tried, the method am_i_allowed?(
permission ) is executed. This method returns FALSE if the "current
permissions" do not imply permission.

So basically you control method execution.

Each source code file will be associated with a permission. The current
permission is the AND of the implies of the permissions of all the
files in the calling stack.

You mean, permissions are inherited down the call stack? How efficient do you think that will be? The set of permissions potentially changes with every method invocation...


For instance.
Lets imagine:
a.rb: has format_hard_disk && write_in_any_file permissions (*).
b.rb: has write_in_any_file permission (*).

(*) assume that the ruby process is running as root for a moment.

And this is the (pseudo)code:
a.rb:
def foo()
 format_hard_disk()
end

b.rb:
require "a"
require "securedruby"
configure_permissions()
foo()

When "ruby b.rb" is run, the following process happens:
1 - foo is defined.
2 - Secured ruby is loaded.
3 - permissions for the files are set.
4 - foo is started. (STACK: b.rb, a.rb)
4.1 - format_hard_disk is started (STACK: b.rb - a.rb - ???).
4.2 - check if b.rb permissions imply format_hard_disk. (pass)
4.3 - check if a.rb permissions imply format_hard_disk. (NO pass)
4.4 - throw security exception (formatting is NOT EXECUTED).

IMHO you will never get this to work reliably without modifying Ruby interpreter code. Because of Ruby's dynamic nature you won't be able to catch all method renamings. Also, there is no way to safely intercept every method call AFAIK. Maybe you can try to do something with set_trace_func though...


2. When 1 is answered this one might become more clear: what
security you need is not possible using threads with different $SAFE
levels?

That one is easy. Run untrusted libs/servlets/scripts without modification and be able to box them without requiring the client code to be any different than it would be if it were trusted.

??? With $SAFE you don't need to change libs either.

Regards and thanks for your time and attention,
Aureliano.

PS: just having this conversation with all of you is making the picture
of what I want to do clearer for me. Thank you very much.

Cheers

   robert
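The permission model sketched in the thread (an object with implies?, one permission set per source file, and an am_i_allowed? check that ANDs over every file on the calling stack) can be tried out in plain Ruby. The block below is an added example written for this page, not code from Aureliano or from any "securedruby" library; every name in it (Permission, SecuredRuby, SecurityViolation, load_virtual, attempt_from) is an assumption chosen for illustration. It stands in for separate a.rb and b.rb files by evaluating source strings with an explicit filename, so that caller_locations reports "a.rb" and "b.rb" as the frame paths exactly as real files would. The permissions are the ones from the thread: a.rb may format the disk and write any file, b.rb may only write any file.

```ruby
# Added example: a toy of the per-file, stack-inspecting permission model
# discussed in the thread.  All class and method names are assumptions.

# A permission is an action on a target; :any is the wildcard target.
class Permission
  attr_reader :action, :target

  def initialize(action, target = :any)
    @action = action
    @target = target
  end

  # self implies other iff the actions match and self's target covers other's,
  # so write(:any) implies write("foo.txt") and every permission implies itself.
  def implies?(other)
    action == other.action && (target == :any || target == other.target)
  end

  def to_s
    "#{action}(#{target})"
  end
end

class SecurityViolation < StandardError; end

module SecuredRuby
  # Source file path => permissions granted to code living in that file.
  FILE_PERMISSIONS = {}

  def self.grant(path, *perms)
    FILE_PERMISSIONS[path] = perms
  end

  # Frames that belong to sandboxed code: skip the protected operation itself
  # (defined in this file), then walk up until the sandbox entry (also this
  # file).  Host frames below the entry point are not subject to the policy.
  def self.sandboxed_frames(stack)
    stack.drop_while { |loc| loc.path == __FILE__ }
         .take_while { |loc| loc.path != __FILE__ }
  end

  # "Current permission" is the AND over every distinct sandboxed file on the
  # stack; a file with no grant implies nothing (default deny).
  def self.am_i_allowed?(perm, stack)
    sandboxed_frames(stack).map(&:path).uniq.all? do |file|
      FILE_PERMISSIONS.fetch(file, []).any? { |p| p.implies?(perm) }
    end
  end

  # Called at the top of each protected operation; caller_locations(1) skips
  # check! itself.  Walking the stack on every protected call is the cost
  # Robert points out.
  def self.check!(perm)
    return perm if am_i_allowed?(perm, caller_locations(1))
    raise SecurityViolation, "call stack does not imply #{perm}"
  end
end

FORMAT_HARD_DISK = Permission.new(:format_hard_disk)

# Protected operations (the "???" frame in the thread's trace).  Nothing
# destructive happens here; they return markers instead.
def format_hard_disk
  SecuredRuby.check!(FORMAT_HARD_DISK)
  :formatted
end

def write_file(name, _data)
  SecuredRuby.check!(Permission.new(:write, name))
  :written
end

# Stand-in for loading a separate file: eval with a filename makes
# caller_locations report that name as the path of every frame it creates.
def load_virtual(path, source)
  eval(source, TOPLEVEL_BINDING, path, 1)
end

# Constructed stand-in for a.rb from the thread.
A_RB = <<~RUBY
  def foo
    format_hard_disk
  end

  def bar
    write_file("foo.txt", "hello")
  end
RUBY

def configure_permissions
  SecuredRuby.grant("a.rb", FORMAT_HARD_DISK, Permission.new(:write))
  SecuredRuby.grant("b.rb", Permission.new(:write))
end

# Run expr as if it were the body of `path`; return the result, or the
# SecurityViolation that stopped it.
def attempt_from(path, expr)
  load_virtual(path, expr)
rescue SecurityViolation => e
  e
end

load_virtual("a.rb", A_RB)
configure_permissions

if __FILE__ == $0
  puts "b.rb -> foo : #{attempt_from('b.rb', 'foo').inspect}"   # SecurityViolation
  puts "b.rb -> bar : #{attempt_from('b.rb', 'bar').inspect}"   # :written
  puts "a.rb -> foo : #{attempt_from('a.rb', 'foo').inspect}"   # :formatted
end
```

The same foo is refused when reached through b.rb (one file on the stack does not imply format_hard_disk) and allowed when a.rb is the entry file, which is the stack-AND behaviour the thread describes. Two caveats follow directly from the design: only operations that call check! themselves are protected, so anything sandboxed code can reach without passing through such a method (File.open, for instance) is outside the policy, which is the interception problem Robert raises; and frames above the sandbox entry (the host that set the sandbox up) are deliberately exempt, so the host must never call into sandboxed code in a way that lets it run protected operations on the host's own frames.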
