October 08, 2022

On Saturday, 8 October 2022 at 19:57:35 UTC, kdevel wrote:

>

What about

   ~/.ssh/authorized_keys?

or

   ~/.profile
   ~/.bashrc

Now assume someone coaxes you to compile his code under your account. See the problem which does not exist if the compiler could only read those files?

https://xkcd.com/1958/

"Except... the program could also just write those files when you run it. What's stopping people now?"

"Yeah, messing with people's home folder isn't hard."

"I guess it's just that most people aren't criminals?"

"Oh right, I always forget."

"An underappreciated component of our computer security system."

October 08, 2022

On Saturday, 8 October 2022 at 20:14:24 UTC, FeepingCreature wrote:

>

https://xkcd.com/1958/

"Except... the program could also just write those files when you run it. What's stopping people now?"

Andrey asked for compilation only. Of course the program is ran under a separate user.

>

"Yeah, messing with people's home folder isn't hard."

True if you set the file perms to 0777. Uh sorry. std.conv.octal!"777".to!int.

>

"I guess it's just that most people aren't criminals?"

An open door may tempt a saint.

October 08, 2022

On Saturday, 8 October 2022 at 07:33:42 UTC, Araq wrote:

>

Fwiw Nim supports that since about a decade now... It's of course harder to be excited about something that already actually exists and works. ;-)

Wow - I've kept my eye on Nim a bit over the years, but I didn't realize that it already does do things like reading files at compile-time out of the box. Very cool. However, there are some limitations still:

import std/httpclient

proc doCrazyStuff(): string =
  var client = newHttpClient()
  let content = client.getContent("https://forum.dlang.org/thread/ijvehaanfbuhywaziqns@forum.dlang.org")
  echo content

const stuff = doCrazyStuff()
/usr/lib/nim/pure/httpclient.nim(335, 12) Error: cannot evaluate at compile time: defaultSslContext

Jai should already be capable of this, seeing as how it can load a window, play sounds, etc. Hopefully competition ramps up in this area. :o)

October 09, 2022

On Saturday, 8 October 2022 at 20:44:15 UTC, kdevel wrote:

>

An open door may tempt a saint.

A better analogy would be "the safest house is one that doesn't exist". Closing the door doesn't impair the capabilities of your house. The ban on compile-time output severely impairs the capabilities of the compiler.

October 09, 2022

On Saturday, 8 October 2022 at 20:44:15 UTC, kdevel wrote:

>

On Saturday, 8 October 2022 at 20:14:24 UTC, FeepingCreature wrote:

>

https://xkcd.com/1958/

"Except... the program could also just write those files when you run it. What's stopping people now?"

Andrey asked for compilation only. Of course the program is ran under a separate user.

Under what circumstances would you compile a program on an account with more sensitive data than the one you run it on?

October 09, 2022

On Sunday, 9 October 2022 at 08:00:58 UTC, FeepingCreature wrote:

> >

Andrey asked for compilation only. Of course the program is ran under a separate user.

Under what circumstances would you compile a program on an account with more sensitive data than the one you run it on?

The D program P is compiled before another program Q is compiled, both on the same account. After compilation the programs are deployed to the production machine/account where the "more sensitive data" reside. By mere compilation P can alter the source code of Q. Though P is never executed in the production environment its code is run via Q.

Note that for pure scripting languages (without separate compilation stage) this attack vector does not exist.

October 10, 2022

On Saturday, 8 October 2022 at 19:57:35 UTC, kdevel wrote:

>

On Saturday, 8 October 2022 at 13:28:54 UTC, Andrey Zherikov wrote:
[...]

> > >

How does write access change the risk in principle?

Nice try.

Tis is not an answer to the question how does writing make security risks higher comparing to existing reading.

What about

   ~/.ssh/authorized_keys?

or

   ~/.profile
   ~/.bashrc

Now assume someone coaxes you to compile his code under your account. See the problem which does not exist if the compiler could only read those files?

I see what you mean and I agree with you that unrestricted writing should not be allowed.

But I see that my question was a bit unclear so let me re-phrase it. Right now D has restricted compile-time reading: you can read a file only in a subdir of -J CLI parameter (if there is no -J then DMD will error out). What additional security risks do you see if writing has the same restrictions as reading: requires command line option (error out otherwise) and be allowed to create files under specified (by CLI) folder only?

October 10, 2022

On Sunday, 9 October 2022 at 12:33:59 UTC, kdevel wrote:

>

The D program P is compiled before another program Q is compiled, both on the same account. After compilation the programs are deployed to the production machine/account where the "more sensitive data" reside. By mere compilation P can alter the source code of Q. Though P is never executed in the production environment its code is run via Q.

Note that for pure scripting languages (without separate compilation stage) this attack vector does not exist.

Again though, refer to my last post. We already have this problem with basically all of our other build systems that way have today. The world hasn't ended yet because of that, so we may as well at the very least reduce the layers of tooling complexity at the same time.

October 10, 2022

On Monday, 10 October 2022 at 01:10:42 UTC, Andrey Zherikov wrote:

>

What additional security risks do you see if writing has the same restrictions as reading: requires command line option (error out otherwise) and be allowed to create files under specified (by CLI) folder only?

If the context which invokes dmd -J already has write permission and the source code of the context and the source code handed over to dmd is of same origin then none.

October 10, 2022

On Monday, 10 October 2022 at 12:59:30 UTC, kdevel wrote:

>

On Monday, 10 October 2022 at 01:10:42 UTC, Andrey Zherikov wrote:

>

What additional security risks do you see if writing has the same restrictions as reading: requires command line option (error out otherwise) and be allowed to create files under specified (by CLI) folder only?

If the context which invokes dmd -J already has write permission and the source code of the context and the source code handed over to dmd is of same origin then none.

I don't think that -J should support writing so let's introduce new CLI option, say -pragma-out=<dir>. Now, if context that invokes dmd -pragma-out has no write permissions then compilation should error out when it tries to write to file.

Regarding "source code of the context", I'm not sure I get what you mean here. If you mean something that calls dmd then is it makefile or build tool? The first one is usually written by owners of the code you are compiling, the second one is not.

1 2
Next ›   Last »