'Re: KDE Scripting Interface [2nd Try]'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: KDE Scripting Interface [2nd Try]
From:       Marc Mutz <Marc.Mutz () uni-bielefeld ! de>
Date:       2001-07-20 15:19:55
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I'm confident that I've identified where the misunderstandings lie:

On Friday 20 July 2001 14:06, Roberto Alsina wrote:
<snip>
> a) We provide a sandboxed scripting engine that can only manipulate
> said app, and only can manipulate said app in ways that are not
> dangerous.
>
> b) We provide a scripting engine that is useful ;-)
<snip>
> And I say a) doesn't even make the system any more secure than it is
> currently!
>
> For the only way a evil script can get into the user's application is
> that he downloads the script and installs it.
>
> And he could just download anything else in the internet, including
> damaging C based apps with pictures of feet ;-)
>
> I say: don't ever run anything downloaded unless you are fairly sure
> of what you are getting. And if the guy downloads a worm or a trojan
> or whatever: he can do that already. And he will still be able to do
> that afterwards.
<snip>

It's fundamentally different if you download an executable:
C, C++ program, perl script, "dcop"[1] script
or a _document_:
koffice doc with embedded macros and possibly onLoad Eventhandlers.
HTML page with Java{,Script}

A user who downloads and _installs_ (!) the former, is of course 
responsible for any action or damage she suffers when this script goes 
mad.

A user who downloads and _loads_ (!note the difference!) a KOffice 
document which contains a macro virus cannot be held responsible for 
that _per se_. It's the application's job to ensure that there's no 
possibility for a _document_ to do something nasty.

Take a look at JavaScript:

You can download .js files which represent nice functionality for your 
homepage or your local http server (think admin of intranet). As soon 
as you're going to install the stuff, it's your job to make sure it's 
not a worm or so.

OTOH, you can simply browse the net and a page happens to have JS code 
in it. Now it's konqi's job to make absolutly certain that the embedded 
script cannot do nasty things. It's _not_ the user's responsibility to 
check the .js file or the <script>foo</script> stuff in the HTMl file 
in kate before giving Konqi the "go, display".


Now, what does that mean for the devised dcop security levels?

It means that you have to sandbox any embedded macro/scripting language 
you use. And that giving such a script direct access to dcop (whether 
checked or not) is like shooting one's own foot (or both knees).

If you accept this, then you don't need dcop security levels.

It remains to look at external scripts and programs. Here, of course 
everything has to be considered: from {KDE,X,console} apps over scripts 
that run in their native interpreter (shell, python, perl) to plugins.

Securing dcop for this kind of executables is very difficult. The only 
chance you have is that every application checks their available dcop 
"slots" directly when a call arrives. A central manager for this 
security model is devisable, but doesn't change the model, ie. you can 
let the dcop server filter calls on the receiving app's preferences or 
you can let the apps do that themselves - the model is the same.

You would have to make it so that the sysadmin must grant each new 
application the right to and the frame in which to communicate with the 
desktop (meaning the set of all already installed dcop-aware apps). As 
soon as the user is able to change these settings herself, a script can 
do it, too.

Also you (as sysadmin) would have to sign the executable you have 
granted access and make the dcop server check that signature before 
accepting restricted calls, to prevent that the executable is changed 
to being nasty after you have given it access rights.

Then, the dcop server would have to protect itself against being killed 
and replaced by a less restrictive version. This would require the dcop 
server to sun priviledged...

As you can see, securing dcop is not an easy task and may well prove as 
unnessesary complexity. But we have to continue this disussion 
nonetheless. A secure desktop will become the most important aspect of 
computers in the future.

Marc

[1] There is no such thing as a "DCOP script". There are only scripts 
in other languages (python, perl, shell) that _use_ dcop to communicate 
with other apps. D_CO_P, not D_SC_P.

- -- 
Marc Mutz <Marc@Mutz.com>
http://marc.mutz.com/
http://www.mathematik.uni-bielefeld.de/~mmutz/
http://EncryptionHOWTO.sourceforge.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7WEwc3oWD+L2/6DgRAke1AJ9GmPQ8X1JANxCL3ln2MSjGbp9VFQCgrOot
J5FoSBTqAdH6PVllYv5iPpk=
=WHWg
-----END PGP SIGNATURE-----

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic