From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: package security auditing and isolation
Date: Thu, 06 Apr 2017 15:26:02 -0400 [thread overview]
Message-ID: <8737dl1gol.fsf@lifelogs.com> (raw)
In-Reply-To: jwv7f2xwgnk.fsf-monnier+gmane.emacs.devel@gnu.org
On Thu, 06 Apr 2017 14:19:23 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote:
SM> Are you thinking of this to protect against accidental problems, or to
SM> protect against a malicious attacker?
>> To help code reviews find malicious changes.
SM> Then it's problematic: if it's a more or less standard procedure, you
SM> can assume than any attacker will know about it and will hence use
SM> workarounds to evade detection.
I don't buy that argument from either end. Right now, attackers need no
workarounds so the cost-benefit analysis is heavily in their favor.
SM> Such "heuristic detection" can only work via obscurity, either by
SM> keeping the reviewing criteria secret or making them somehow
SM> unpredictable (not sure what that could look like in this context).
We have to operate openly, because it's the only practical choice other
than forming a cabal or ignoring the problem. Heuristics are not what I
had in mind.
Here are some questions for the list:
a) Can the parse tree of a package be analyzed safely (without running
code in the package)? Is it deterministic?
b) If the parse tree of a package is analyzed, and only has whitelisted
functions such as `string-equal' in it, does that make the package safe?
c) Can the parse tree of a package be compared deterministically at two
separate VCS checkpoints to find what's changed?
d) Can the changes to the parse tree between two VCS checkpoints be
signed by a reviewer?
>> Can you elaborate on what could make it effective? Or, alternatively,
>> why the idea is fundamentally flawed and if there are better ones?
SM> Rather than try and detect dangerous patterns, we'd have to make
SM> "unsafe" behavior impossible, via something like isolation.
...
SM> Just trying to design the system will be a significant effort.
SM> I'm not really interested, sorry.
Right. Thanks for your comments.
Ted
next prev parent reply other threads:[~2017-04-06 19:26 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-06 14:15 package security auditing and isolation Ted Zlatanov
2017-04-06 14:48 ` Stefan Monnier
2017-04-06 14:57 ` Yuri Khan
2017-04-06 15:45 ` Ted Zlatanov
2017-04-06 18:19 ` Stefan Monnier
2017-04-06 19:26 ` Ted Zlatanov [this message]
2017-04-06 20:12 ` Stefan Monnier
2017-04-06 21:57 ` Ted Zlatanov
2017-04-07 6:58 ` Tim Cross
2017-04-06 20:17 ` Clément Pit-Claudel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8737dl1gol.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.