From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Delivered-To: caml-list@yquem.inria.fr Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by yquem.inria.fr (Postfix) with ESMTP id 1DF51BC48 for ; Tue, 5 Apr 2005 14:55:43 +0200 (CEST) Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35]) by concorde.inria.fr (8.13.0/8.13.0) with ESMTP id j35CtgoX001514 for ; Tue, 5 Apr 2005 14:55:42 +0200 Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id OAA29348 for ; Tue, 5 Apr 2005 14:55:42 +0200 (MET DST) Received: from publilogics.com (pouic.publilogics.com [213.186.50.35]) by nez-perce.inria.fr (8.13.0/8.13.0) with SMTP id j35CtgrG026979 for ; Tue, 5 Apr 2005 14:55:42 +0200 Received: (qmail 6539 invoked from network); 5 Apr 2005 12:55:41 -0000 Received: from unknown (HELO PWARP) ([61.213.94.147]) (envelope-sender ) by pouic.publilogics.com (qmail-ldap-1.03) with SMTP for ; 5 Apr 2005 12:55:41 -0000 Message-ID: <000f01c539de$c1859fd0$0c05a8c0@PWARP> From: "Nicolas Cannasse" To: "Richard Jones" , References: <20050405121459.GA29378@furbychan.cocan.org> Subject: Re: [Caml-list] Securely loading and running untrusted modules Date: Tue, 5 Apr 2005 21:55:32 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1437 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Miltered: at concorde with ID 42528ACE.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Miltered: at nez-perce with ID 42528ACE.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Spam: no; 0.00; cannasse:01 warplayer:01 caml-list:01 untrusted:01 compiler:01 bytecode:01 bytecode:01 api:01 load-time:01 runtime:01 cannasse:01 securely:98 modules:01 checking:01 loops:02 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on yquem.inria.fr X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled version=3.0.2 X-Spam-Level: > To prevent infinite loops, starting an alarm(2) before loading the > module should kill the Apache process if it uses too much CPU time. > > I'm fairly sure that the method above should cope with everything > barring bugs in the compiler and bugs in SafeAPI. > > Am I thinking right? > > Rich. I think that current VM is optimized for speed and doesn't do more bytecode checking than strictly necessary. That means that someone could forge some bytecode file that would take control of the VM and then can call the whole C api. Tricky, but feasible. You might need to add load-time or runtime bytecode checks in order to secure the VM. Regards, Nicolas Cannasse