Security in the image


Security in the image

LaeMing
Hi, I am fishing about for an environment to try to develop a simple virtual world system in (yes, I'm aware of croquet/cobolt!).

In a smalltalk-like environment, that might conceivably involve inviting multiple people into the 'image' where the world is hosted to interact with objects within it (if I was to use a smalltalk, it would want it to interleave the entire system, not just host it on top.)

What sort of security implications might that have and are there any current solutions to a multi-user single-image situation?

Re: Security in the image

Stephan Eggermont-3
On 12/04/17 09:34, LaeMing wrote:
> What sort of security implications might that have and are there any current
> solutions to a multi-user single-image situation?

Take a look at gemstone.
https://www.youtube.com/user/JamesGFoster/videos
Starting at https://www.youtube.com/watch?v=U0z5TddqyQI
James made a really good series of videos


Stephan



Re: Security in the image

Ben Coman
In reply to this post by LaeMing


On Wed, Apr 12, 2017 at 3:34 PM, LaeMing <[hidden email]> wrote:
> Hi, I am fishing about for an environment to try to develop a simple virtual
> world system in (yes, I'm aware of croquet/cobolt!).
>
> In a smalltalk-like environment, that might conceivably involve inviting
> multiple people into the 'image' where the world is hosted to interact with
> objects within it (if I was to use a smalltalk, it would want it to
> interleave the entire system, not just host it on top.)
>
> What sort of security implications might that have and are there any current
> solutions to a multi-user single-image situation?

If you want hostile actors working directly within the Image with a full environment, then Pharo is probably not suitable. It's easy to get hold of global class from the Playground references and overwrite/compile any method in the system like this...

SomeClass compile: 'initialize
    MyEvilHack dostuff.
    ^ super initialize ' 

You might want to consider Newspeak, which runs on the same VM as Pharo and has a focus on security.

cheers -ben



Re: Security in the image

LaeMing
In reply to this post by Stephan Eggermont-3
Stephan Eggermont wrote
> On 12/04/17 09:34, LaeMing wrote:
> > What sort of security implications might that have and are there any current
> > solutions to a multi-user single-image situation?
>
> Take a look at gemstone.
> https://www.youtube.com/user/JamesGFoster/videos
> Starting at https://www.youtube.com/watch?v=U0z5TddqyQI
> James made a really good series of videos
>
> Stephan

Thanks, Stephan.
Gem looks rather good, but I need an OSS licensed environment.

Re: Security in the image

LaeMing
In reply to this post by Ben Coman
Ben Coman wrote
> On Wed, Apr 12, 2017 at 3:34 PM, LaeMing <[hidden email]> wrote:
>
> > Hi, I am fishing about for an environment to try to develop a simple
> > virtual world system in (yes, I'm aware of croquet/cobolt!).
> >
> > In a smalltalk-like environment, that might conceivably involve inviting
> > multiple people into the 'image' where the world is hosted to interact with
> > objects within it (if I was to use a smalltalk, it would want it to
> > interleave the entire system, not just host it on top.)
> >
> > What sort of security implications might that have and are there any
> > current solutions to a multi-user single-image situation?
>
> If you want hostile actors working directly within the Image with a full
> environment, then Pharo is probably not suitable. It's easy to get hold of
> global class from the Playground references and overwrite/compile any
> method in the system like this...
>
> SomeClass compile: 'initialize
>     MyEvilHack dostuff.
>     ^ super initialize '
>
> You might want to consider Newspeak, which runs on the same VM as Pharo and
> has a focus on security.
> * https://www.slideshare.net/esug/8-gilad-brachaesug08
> * https://www.youtube.com/watch?v=UwkROn7OmNQ
>
> cheers -ben

Thanks, Ben.

I am looking into Newspeak now. I am rather impressed so far!

Re: Security in the image

Denis Kudriashov
In reply to this post by Ben Coman

2017-04-12 18:32 GMT+02:00 Ben Coman <[hidden email]>:
> If you want hostile actors working directly within the Image with a full environment, then Pharo is probably not suitable. It's easy to get hold of global class from the Playground references and overwrite/compile any method in the system like this...
>
> SomeClass compile: 'initialize
>     MyEvilHack dostuff.
>     ^ super initialize '
>
> You might want to consider Newspeak, which runs on the same VM as Pharo and has a focus on security.

Interesting how they address your example?

Re: Security in the image

Richard Sargent
Administrator
In reply to this post by LaeMing
LaeMing wrote
> Stephan Eggermont wrote
> > On 12/04/17 09:34, LaeMing wrote:
> > > What sort of security implications might that have and are there any current
> > > solutions to a multi-user single-image situation?
> >
> > Take a look at gemstone.
> > https://www.youtube.com/user/JamesGFoster/videos
> > Starting at https://www.youtube.com/watch?v=U0z5TddqyQI
> > James made a really good series of videos
> >
> > Stephan
>
> Thanks, Stephan.
> Gem looks rather good, but I need an OSS licensed environment.

Can you elaborate on that? GemStone/S has a free, even for commercial use, license. Are you planning on modifying the VM or the base product code?


Re: Security in the image

Ben Coman
In reply to this post by Denis Kudriashov
On Thu, Apr 13, 2017 at 3:54 PM, Denis Kudriashov <[hidden email]> wrote:

>
> 2017-04-12 18:32 GMT+02:00 Ben Coman <[hidden email]>:
>>
>> If you want hostile actors working directly within the Image with a full
>> environment, then Pharo is probably not suitable.  It's easy to get hold of
>> global class from the Playground references and overwrite/compile any method
>> in the system like this...
>>
>> SomeClass compile: 'initialize
>>     MyEvilHack dostuff.
>>     ^ super initialize '
>>
>> You might want to consider Newspeak, which runs on the same VM as Pharo
>> and has a focus on security.
>
>
> Interesting how they address your example?

Not a direct response, but in Newspeak forum I see Gilad [1] respond
to LaeMing... "Newspeak (note the capitalization) fits with your
concerns around security and asynchrony, though the reality needs
work. The main implementation runs on Smalltalk and as such is
insecurable.  There are less complete implementations based on
compiling to Javascript and to the Truffle VM, and Ryan's Psoup VM,
which is probably the most compliant version."

[1] https://groups.google.com/forum/#!searchin/newspeaklanguage/laeming%7Csort:relevance/newspeaklanguage/0-20dj5m6wo/f5xpYnBFBgAJ

cheers -ben


Re: Security in the image

Guillermo Polito
Generally speaking, and from my understanding, you will not be able to do:

SomeClass compile: 'initialize
     MyEvilHack dostuff.
     ^ super initialize '

In newspeak.

And that's because you are not able to do: 

SomeClass compile: '...'

Newspeak uses object capabilities, and following those principles, you will only be able to compile and install code in a class, if somebody gives you a capability to do so.

Then, the problem is that right now Pharo's reflective API is convoluted with the base API, and thus from any piece of code you can do e.g.,:

anyObject superclass superclass allSubclasses...

A possible solution to this is to separate the reflective API from the base API.



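The separation Guillermo Polito describes above, as an added example that is not part of any post in this thread and is neither Pharo nor Newspeak code: a small JavaScript model in which guests receive only a base API (message sends), while listing or installing methods needs a mirror object scoped to one class that the host hands out and can revoke. All names (makeWorld, mirrorFor, send, the Door and Vault classes, the grantee 'alice') are hypothetical.

```javascript
// Added illustration; makeWorld, mirrorFor, send, Door and Vault are hypothetical names.
function makeWorld() {
  // Method tables live only in this closure; no object handed to a guest
  // holds a reference that leads back to them.
  const tables = new Map(); // class name -> Map(selector -> function)
  const audit = [];         // one entry per successful install

  function defineClass(name, methods) {
    tables.set(name, new Map(Object.entries(methods)));
  }

  // Base API: sending a message. It cannot list, read or replace methods.
  function send(className, selector, ...args) {
    const table = tables.get(className);
    const method = table && table.get(selector);
    if (!method) throw new Error(`${className} does not understand ${selector}`);
    return method(...args);
  }

  // Reflective API: a mirror on ONE class, created by the host for a named
  // grantee, revocable, and audited on every install.
  function mirrorFor(className, grantee) {
    if (!tables.has(className)) throw new Error(`no class ${className}`);
    let live = true;
    const check = () => { if (!live) throw new Error('capability revoked'); };
    const mirror = Object.freeze({
      selectors() { check(); return [...tables.get(className).keys()]; },
      install(selector, fn) {
        check();
        tables.get(className).set(selector, fn);
        audit.push({ grantee, className, selector });
      },
    });
    return { mirror, revoke() { live = false; } };
  }

  return {
    host: Object.freeze({ defineClass, mirrorFor, auditLog: () => audit.slice() }),
    guest: Object.freeze({ send }), // all that an invited user receives
  };
}

function demo() {
  const { host, guest } = makeWorld();
  host.defineClass('Door', { open: () => 'door opens' });
  host.defineClass('Vault', { open: () => 'access denied' });
  const out = { guestCanReflect: 'install' in guest || 'mirrorFor' in guest };
  const { mirror, revoke } = host.mirrorFor('Door', 'alice'); // Door only
  mirror.install('open', () => 'door creaks open');
  out.door = guest.send('Door', 'open');
  out.vault = guest.send('Vault', 'open'); // no capability was granted for Vault
  revoke();
  try { mirror.install('open', () => 'hijacked'); out.afterRevoke = 'installed'; }
  catch (e) { out.afterRevoke = e.message; }
  out.audit = host.auditLog();
  return out;
}
console.log(demo());
```

The confinement here rests on the method tables being reachable only through closures. In an image where any object can navigate to its class and from there to the rest of the system, as in the `anyObject superclass superclass allSubclasses` expression quoted above, a facet like `guest` would confine nothing.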

Re: Security in the image

philippeback
But what makes Pharo nice is also that there are no such limitations.

There are security things in Pharo, like disabling socket access etc.
Maybe putting the VM in a true sandbox would be more adequate.
That can be done in a lot of ways at the OS level. Think containers.

Phil





Re: Security in the image

Ben Coman
On Sun, Apr 23, 2017 at 8:33 PM, [hidden email] <[hidden email]> wrote:
> But what makes Pharo nice is also that there are no such limitations.
>
> There are security things in Pharo, like disabling socket access etc.
> Maybe putting the VM in a true sandbox would be more adequate.
> That can be done in a lot of ways at the OS level. Think containers.
>
> Phil

But that doesn't help us take over the world with *everyone* working
within the Giant-Single-Galactic-Image.    mhahHaHaHAhaaaaa....
cheers -ben



Re: Security in the image

philippeback
I was thinking of using Denis's remote thing with an XMPP XEP so that we could IM our way into an image.

That would be message passing. Coupled with a file transfer feature, well, could become interesting (and wild).

That's 




Re: Security in the image

philippeback
In reply to this post by Guillermo Polito

On Sun, Apr 23, 2017 at 1:33 PM, Guillermo Polito <[hidden email]> wrote:
> Generally speaking, and from my understanding, you will not be able to do:
>
> SomeClass compile: 'initialize
>      MyEvilHack dostuff.
>      ^ super initialize '
>
> In newspeak.
>
> And that's because you are not able to do:
>
> SomeClass compile: '...'
>
> Newspeak uses object capabilities, and following those principles, you will only be able to compile and install code in a class, if somebody gives you a capability to do so.
>
> Then, the problem is that right now Pharo's reflective API is convoluted with the base API, and thus from any piece of code you can do e.g.,:
>
> anyObject superclass superclass allSubclasses...
>
> A possible solution to this is to separate the reflective API from the base API.
