Running untrusted code & sandboxing

Running untrusted code & sandboxing

Igor Stasenko
Hello all,
I am thinking about what could be done to make Squeak 100% safe when
running untrusted code.

On one side stands the compiler, but on the other is the runtime environment.
What I am thinking is that untrusted code should use its own, separate
class/object hierarchy and
not use any of the existing objects from the 'unsafe' part of the image.

If we could use a separation in the image, like:

[ core [ unsafe ] ]

where 'core' is our regular image, or dev image. It is safe to have
references from objects in the regular space to ones in the unsafe one.
But we should prevent a reference to objects in the 'core' area
from leaking and being captured by any objects in the 'unsafe' area,
where untrusted code runs.

Ultimately, before running untrusted code, we should swap the
specialObjectsArray, so that everything the VM primitives can see
will be pointing inside the unsafe space, and therefore we make it
impossible to obtain a pointer to any object from the 'core' area
even when using primitives.

But then, once we switch the specialObjectsArray, if there are no
objects pointing back to core, the VM will GC it mercilessly.
And of course, once the untrusted code has finished its job, or an interrupt
occurs, we should be able to switch the whole VM context back to core.

So, there should be a pointer back to the core area. But once we have it,
there is a chance that malicious code could find it
and break out of the jail.
Well, maybe with the help of a specialized compiler, which knows which
primitives are unsafe, we could hide this reference?

Any other ideas in this regard?

--
Best regards,
Igor Stasenko AKA sig.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
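The check a practitioner would want for the object-space split sketched in the message above is an audit that walks everything reachable from the sandbox entry object and reports the first reference into the core area. The script below is an added example written for this page; it is not code from the thread, nor from Squeak or Pharo. It assumes a Squeak/Pharo image, a sandbox entry object named sandboxRoot and an IdentitySet named coreObjects of objects untrusted code must never reach (both names are assumptions of the example). The walk follows named instance variables, indexable pointer slots and the class pointer, so it surfaces the leak the message is about: the class pointer alone leads from any sandboxed object back into the core class hierarchy.

```smalltalk
"Added example (not from the thread, not Squeak/Pharo code): reachability audit
for an 'unsafe' object space. Assumed names: sandboxRoot, coreObjects."
| auditReachability sandboxRoot coreObjects leaks |

"Breadth-first walk from root; answers the forbidden objects reached, stopping
at the first hit so the walk stays cheap on a real image."
auditReachability := [ :root :forbidden |
    | seen todo found |
    seen := IdentitySet new.
    todo := OrderedCollection with: root.
    found := OrderedCollection new.
    [ todo isEmpty or: [ found notEmpty ] ] whileFalse: [
        | obj cls |
        obj := todo removeFirst.
        (seen includes: obj) ifFalse: [
            seen add: obj.
            cls := obj class.
            (forbidden includes: obj) ifTrue: [ found add: obj ].
            "Named instance variables."
            1 to: cls instSize do: [ :i | todo add: (obj instVarAt: i) ].
            "Indexable pointer slots; byte/word objects hold plain integers, so skip them."
            (cls isVariable and: [ cls isBits not ])
                ifTrue: [ 1 to: obj basicSize do: [ :i | todo add: (obj basicAt: i) ] ].
            "The class pointer is a reference the VM follows on every send."
            todo add: cls ] ].
    found ].

"Constructed input: an 'unsafe' object holding only integers, and a core set
containing the class Object. Object is reached through the superclass chain
of Array, so the audit reports a leak even for this trivial root."
sandboxRoot := Array with: 1 with: 2 with: 3.
coreObjects := IdentitySet with: Object.
leaks := auditReachability value: sandboxRoot value: coreObjects.
leaks isEmpty
    ifTrue: [ Transcript show: 'no core reference reachable'; cr ]
    ifFalse: [ Transcript show: 'core reachable via: ', leaks first printString; cr ].
leaks
```

Run it in a Workspace or Playground. The Array of integers reaches Object through its class's superclass chain, which is why a safe sandbox needs its own class hierarchy and not merely its own instances, as the message proposes. If nothing were forbidden, the walk would visit everything reachable from the root, which in an unseparated image is most of the image; stopping at the first hit is what keeps the audit practical.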
Re: Running untrusted code & sandboxing

Marcus Denker-4

On Jan 10, 2010, at 11:42 AM, Igor Stasenko wrote:

> Hello all,
> I am thinking, what could be done to make Squeak 100% safe when
> running untrusted code.
...

>
> Any other ideas in this regard?
>
Yes :-) And a PhD student working on it. And an ANR (French NSF) proposal
in the works for more...

        :-)


        Marcus



Re: Running untrusted code & sandboxing

Marcus Denker-4

On Jan 10, 2010, at 11:48 AM, Marcus Denker wrote:

>
> On Jan 10, 2010, at 11:42 AM, Igor Stasenko wrote:
>
>> Hello all,
>> I am thinking, what could be done to make Squeak 100% safe when
>> running untrusted code.
> ...
>
>>
>> Any other ideas in this regard?

This seems related:

        http://marcusdenker.de/publications/Casa09aObjectSpaces.pdf


>>
> Yes :-) And a PhD Student working on it. And a ANR (french NSF) proposal
                      ^two, attacking from two sides.


        Marcus

Re: Running untrusted code & sandboxing

Igor Stasenko
2010/1/10 Marcus Denker <[hidden email]>:

>
> On Jan 10, 2010, at 11:48 AM, Marcus Denker wrote:
>
>>
>> On Jan 10, 2010, at 11:42 AM, Igor Stasenko wrote:
>>
>>> Hello all,
>>> I am thinking, what could be done to make Squeak 100% safe when
>>> running untrusted code.
>> ...
>>
>>>
>>> Any other ideas in this regard?
>
> This seems related:
>
>        http://marcusdenker.de/publications/Casa09aObjectSpaces.pdf
>

Highly related!
But the devil is in the details.  :)

>
>>>
>> Yes :-) And a PhD Student working on it. And a ANR (french NSF) proposal
>                      ^two, attacking from two sides.
>
>
>        Marcus
--
Best regards,
Igor Stasenko AKA sig.

Re: Running untrusted code & sandboxing

Stéphane Ducasse
Indeed.

We do not say that we have the solution, but this is a good problem to work on.

>>>> This seems related:
>>
>>        http://marcusdenker.de/publications/Casa09aObjectSpaces.pdf
>>
>
> Highly related!
> But the devil in details.  :)
>
>>
>>>>
>>> Yes :-) And a PhD Student working on it. And a ANR (french NSF) proposal
>>                      ^two, attacking from two sides.
>>
>>
>>        Marcus
>
> --
> Best regards,
> Igor Stasenko AKA sig.