From: "Stephen J. Turnbull" <stephen@xemacs.org>
To: Matthias Dahl <ml_emacs-lists@binary-island.eu>
Cc: Stefan Monnier <monnier@IRO.UMontreal.CA>, emacs-devel@gnu.org
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Thu, 26 Sep 2013 10:12:56 +0900 [thread overview]
Message-ID: <87d2nw1j3b.fsf@uwakimon.sk.tsukuba.ac.jp> (raw)
In-Reply-To: <52432BE9.1070402@binary-island.eu>
Matthias Dahl writes:
> Hello Stefan...
>
> > Security problems in Emacs are everywhere, indeed.
>
> Actually not quite the statement one wants to read _ever_ about the
> software one loves to use. ;)
>
> The question that is bugging me now: Why is that? Since Emacs, imho,
> addresses a more technical audience and is maintained by professionals,
> I wouldn't expect such a thing, actually.
Then your model of security is inadequate. Software is *inherently*
insecure. Any regular behavior provides an attack surface; large
amounts of regular behavior provides a large attack surface. A single
breach of the attack surface and you lose. Interfaces between
software systems are prolific sources of weak points.
Emacs provides a huge attack surface on the individual user *because*
it is so capable, and provides interfaces to so many other software
systems. That's all there is to it.
The fact that Emacs is mostly implemented in Lisp is also a security
feature, since it wraps, rather than calls directly, the system
functions. This means that although such functions are available
(which is an attack vector), serious security breaches such as
exploiting a buffer overflow are hard to engineer, and the operating
system is likely to be able to protect itself from attacks via Lisp.
By the same token, as long as individual users have little power (for
example, not being able to bind to privileged ports), they're
generally not attractive targets for such attacks. If they are
attacked (eg, to get a privilege escalation started), the attacker
will eschew use of Emacs and head straight for the C compiler. That,
combined with the relative security of Lisp itself, means that the
incentive for Emacs developers to put in the necessary effort for a
serious security audit and a complete redesign of the Lisp
implementation is rather low.
> Hooks. If a security context is attached to a function (let's say
> transitively through its package):
>
> function A is running with all permissions
> function A calls its hook
> each hook is executed within its own security context (=> narrowing)
*pong* Function on function-hook doesn't have permission to frob.
Allow frob? (0 = no; 1 = just this time; 2 = always; -1 = never) _
But this is really self-defeating. Since in general hooks should be
empty by default, what you're saying is that a function that the user
has probably explicitly specified and may have written herself should
run with less privilege than functions that the user is only vaguely
aware of.
For example, I don't know who's broken, but every time my "smart"
phone upgrades, I have to re-login to my employer's wireless network.
And every time, I'm told that the certificate can't be tracked to a
trusted root. Of course the phone software is very little help in
figuring out what's wrong; it just shows the certificates. I know how
to trace the transitive trust, but even so, why should I trust a
self-signed root claiming to be the Japanese Ministry of Education,
Science, and Technology's IT department? These guys don't have
sufficient clue to get a path to a universally trusted root! I also
am aware that sub-authorities have gone rogue or been hacked in the
past. But ... I enable. Wouldn't you?
Definitely my colleagues have no clue. They don't even think about it
any more, so many servers present keys for a parent domain or sister
domain. Even the CS Department (the initial entry point of the first
large-scale virus infection at my university after the virus checker
was installed on the mail gateway). Most of these guys are theorists
(including in crypto where you'd think they'd be aware -- but no,
they're not) and have zero sysadmin experience (and probably haven't
read The Cuckoo's Egg).
> Don't get me wrong, I'm not complaining or trying to force something.
> Just trying raise a little awareness and maybe ignite some discussion
> that potentially leads to a solution that improves overall
> security.
I'm sure the leadership is aware. But the basic answer is the same as
in any security context: avoid exposing regular behavior to potential
enemies, and establish a community watch on community resources.
next prev parent reply other threads:[~2013-09-26 1:12 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-23 7:30 security of the emacs package system, elpa, melpa and marmalade Matthias Dahl
2013-09-23 14:17 ` Stefan Monnier
2013-09-25 8:11 ` Matthias Dahl
2013-09-25 17:00 ` Stefan Monnier
2013-09-25 18:31 ` Matthias Dahl
2013-09-25 22:42 ` Bastien
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 14:02 ` Bastien
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 14:19 ` Bastien
2013-09-27 18:29 ` Matthias Dahl
2013-09-26 1:09 ` Stefan Monnier
2013-09-26 9:02 ` Matthias Dahl
2013-09-26 9:21 ` Óscar Fuentes
2013-09-26 14:41 ` Stefan Monnier
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 15:47 ` Stefan Monnier
2013-09-28 14:15 ` Richard Stallman
2013-09-30 15:12 ` Matthias Dahl
2013-09-30 21:11 ` Richard Stallman
2013-09-30 15:31 ` Matthias Dahl
2013-09-26 1:12 ` Stephen J. Turnbull [this message]
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 7:10 ` Stephen J. Turnbull
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 17:31 ` Stephen J. Turnbull
2013-09-30 15:25 ` Matthias Dahl
2013-10-01 2:19 ` Stephen J. Turnbull
2013-09-27 20:12 ` chad
2013-09-26 9:31 ` Andreas Röhler
2013-09-26 16:25 ` Richard Stallman
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 15:04 ` Óscar Fuentes
2014-09-13 17:57 ` Thomas Koch
2013-09-29 10:12 ` Ted Zlatanov
2013-09-29 9:53 ` Ted Zlatanov
2013-09-29 17:49 ` Daiki Ueno
2013-09-29 18:18 ` Ted Zlatanov
2013-09-30 13:25 ` Ted Zlatanov
2013-09-30 14:50 ` Stephen J. Turnbull
2013-09-30 15:10 ` Matthias Dahl
2013-09-30 17:18 ` Ted Zlatanov
2013-10-01 14:03 ` Matthias Dahl
2013-10-02 2:45 ` Stephen J. Turnbull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d2nw1j3b.fsf@uwakimon.sk.tsukuba.ac.jp \
--to=stephen@xemacs.org \
--cc=emacs-devel@gnu.org \
--cc=ml_emacs-lists@binary-island.eu \
--cc=monnier@IRO.UMontreal.CA \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).