[ANN] malloc'd ByteArrays

Brian Rice water at tunes.org
Tue Dec 13 10:52:35 PST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Dec 13, 2005, at 9:10 AM, Todd Fleming wrote:
> Brian Rice wrote:
>> Remember that I'm not just thinking of your code, but of your  
>> code's  security against other code. What protects the system from  
>> side  effects that alter a direct-pointer handle and accessing  
>> arbitrary  memory? A malloc plugin is NOT a trivial security  
>> issue. The entire  thing is written to avoid buffer overflows. Do  
>> you have suggestions  to keep the VM safe from image-side code and  
>> yet allow unlimited  malloc() usage?
> I have an idea, but it depends on one thing: is there a way to  
> limit slot, method, and primative access so that only approved  
> methods can read, write, or call them?  I guess this is what  
> Subjective Dispatch will help with.

Right now, there's no way to limit access. Even subjective dispatch  
can be bypassed - it simply makes it easier to use other security  
mechanisms while appearing transparent to the user.

The critical thing would be a security auditor, probably built into  
the compiler or a compiler variant. This is a big project, and I  
don't have anything set up for this yet, just a bunch of vague ideas  
I've collected over time.

> If so, we could limit the primitives that malloc, free, read, and  
> write memory so that they only may be called by the wrapper  
> methods.  The wrapper methods would provide a public way to get the  
> pointer value (for plugins), but wouldn't provide a way to set the  
> pointer value.  The wrapper methods would check bounds before  
> calling the primitives.

Right, that's a good start, much like E capabilities, and the  
possibility of this has been an influence on Slate's coding style and  
organization. Still, I haven't spent enough time figuring out the  
details. Perhaps Kevin Reid can weigh in on this, being most familiar  
with E and Common Lisp / Slate.

> There is a similar hole in the Cairo wrapper that needs plugging; I  
> don't know how to prevent the user from modifying the wrapper's  
> pointer values.  This could cause Cairo to clobber arbitrary memory.

Well, the situation is that an attack on the Slate system depends on  
re-compiling sources right now. I think that as long as we can limit  
possible avenues of attack to that, then we're ok.

BTW, you are right about ExternalLibrary's holding pointers being a  
problem, since we are passing function pointers around in mutable  
arrays (not that immutability would help much, since we can call the  
API with other arrays). You are also right about the arbitrary limits  
being a design problem for Slate. So here's my proposition after some  
thought: Why not use the malloc module to drive the tables, and use  
realloc() for re-sizing?

It's still an idea just forming, but it seems that we could remove  
our static limits by re-organizing the VM C sources around it.

>> You'll notice that I had also added bytesPerWord and Platform   
>> endianness primitives to the platform plugin, entirely with this  
>> in  mind. Give me some credit. ;)
>
> Oooh, nice!

It's still annoying that I have to load a module to get these,  
considering that the ExternalLibrary and malloc interfaces could  
benefit from them. So I may wind up duplicating or migrating that  
code into the VM... we'll see.

- --
- -Brian
http://tunes.org/~water/brice.vcf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDnxh4PVkAvLW1zf4RAiimAJ9IsV9RqWH/khgnq8dIkLLBHAeBOACgqvoM
JM1Ps320YRMGzOZ3NrXmcbg=
=5ngp
-----END PGP SIGNATURE-----

More information about the Slate mailing list