From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: package security auditing and isolation
Date: Thu, 06 Apr 2017 14:19:23 -0400
References: <87h9211v1c.fsf@lifelogs.com> <87d1cp1qvd.fsf@lifelogs.com>
To: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:213718

SM> Are you thinking of this to protect against accidental problems, or to
SM> protect against a malicious attacker?
> To help code reviews find malicious changes.

Then it's problematic: if it's a more or less standard procedure, you can
assume that any attacker will know about it and will hence use workarounds
to evade detection.

Such "heuristic detection" can only work via obscurity, either by keeping
the reviewing criteria secret or making them somehow unpredictable (not
sure what that could look like in this context).

Unless workarounds are *really* difficult or impossible, of course. But in
the current Emacs design, I'd expect any need for a workaround would be
trivial to satisfy (e.g. call (intern (concat "shel" "l-command")) to avoid
detection) or end up making it more difficult for the non-malicious
packages to do their job.

> Can you elaborate on what could make it effective? Or, alternatively,
> why the idea is fundamentally flawed and if there are better ones?

Rather than try and detect dangerous patterns, we'd have to make "unsafe"
behavior impossible, via something like isolation.

SM> That could be done, but it's a major restructuring, which will probably
SM> require major changes to be able to isolate packages from each other.
> If you, with your deep knowledge of the C core, could start a
> *top-level* list of the necessary changes, that would be really helpful.

Just trying to design the system will be a significant effort.
I'm not really interested, sorry.

        Stefan
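The two points made in the message above (a checklist of dangerous symbols is trivially sidestepped by building the name at run time, and tightening the checklist starts flagging legitimate packages) can be seen with a small checklist-style scanner. The following is an added illustration written for this page; it is not code from the thread or from Emacs, and the `audit-` names, the denylist contents and the three sample packages are all hypothetical, constructed inputs.

```elisp
;; Added example, not code from the thread or from Emacs: a minimal
;; checklist-style scanner for Elisp sources. All `audit-' names and the
;; denylist contents are hypothetical.
(require 'cl-lib)

(defvar audit-denylist '(shell-command call-process start-process)
  "Symbols a naive review checklist might flag as dangerous.")

(defun audit-collect-symbols (form)
  "Return every symbol occurring anywhere in FORM, depth-first."
  (cond ((null form) nil)
        ((symbolp form) (list form))
        ((consp form)
         (append (audit-collect-symbols (car form))
                 (audit-collect-symbols (cdr form))))
        ((vectorp form)
         (cl-mapcan #'audit-collect-symbols (append form nil)))
        (t nil)))

(defun audit-scan-string (source &optional denylist)
  "Read each top-level form in SOURCE; return the DENYLIST symbols it mentions.
DENYLIST defaults to `audit-denylist'.  Only symbols present in the source
text are seen: strings are never inspected, which is the whole weakness."
  (let ((denylist (or denylist audit-denylist))
        hits)
    (with-temp-buffer
      (insert source)
      (goto-char (point-min))
      ;; `read' advances point and signals `end-of-file' after the last form.
      (condition-case nil
          (while t
            (dolist (sym (audit-collect-symbols (read (current-buffer))))
              (when (memq sym denylist)
                (push sym hits))))
        (end-of-file nil)))
    (delete-dups (nreverse hits))))

;; Constructed sample: a direct call, the case the checklist is built for.
(defconst audit-sample-direct
  "(defun my-list-files () (shell-command \"ls\"))")

;; Constructed sample: the workaround quoted in the thread.  The symbol
;; `shell-command' never appears in the source text, only as two string
;; halves joined and interned at run time, so the scanner has nothing to match.
(defconst audit-sample-indirect
  "(defun my-list-files ()
     (funcall (intern (concat \"shel\" \"l-command\")) \"ls\"))")

;; Constructed sample: an ordinary package building a hook name.  Adding
;; `intern' to the checklist would catch the workaround above, but it flags
;; this innocent code just the same.
(defconst audit-sample-legit
  "(defun my-add-hook (mode fn)
     (add-hook (intern (format \"%s-hook\" mode)) fn))")

(defun audit-demo ()
  "Scan the three samples with the base checklist and with `intern' added.
Returns a list of four result lists, one per scan."
  (let ((extended (cons 'intern audit-denylist)))
    (list (audit-scan-string audit-sample-direct)
          (audit-scan-string audit-sample-indirect)
          (audit-scan-string audit-sample-indirect extended)
          (audit-scan-string audit-sample-legit extended))))
```

Evaluating `(audit-demo)` in a scratch buffer shows the trade-off: the direct call is reported and the interned variant passes the base checklist untouched, while the extended checklist reports the workaround and the legitimate hook builder alike. Any fixed, published set of textual criteria behaves this way, which is why the message argues for making unsafe behaviour impossible through isolation rather than trying to recognise it after the fact.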