Re: SECURITY ALERT! [Re: How do you execute shell scripts in Mosaic]

Marc VanHeyningen (mvanheyn@cs.indiana.edu)
Wed, 08 Jun 1994 16:28:53 -0500


> Marc said:
> > And naturally people who are security-conscious will want to hurry and
> > download the binaries for which source is not made available and check
> > them out. :-)
>
> The same security-conscious people are using Mosaic binaries left and right,
> so what's your point?

Er, no, they're grabbing the source and compiling it themselves.

I guess I don't see the point to withholding the source. It's a
rather trivial program anyway; probably could be done in perl in a few
lines.

> Besides, I did not make claims about the level of trustedness anyway, so....

That's certainly reassuring.

> Marc said:
> > Do you have any example programs for it (non-trivial
> > ones, I mean)?
>
> The sources will be available as soon as I clean up the code.
> What do you mean by example programs? If you mean a URL that you can try
> this against, you may try:
> http://www.eit.com/cgi-bin/mediaform

By an example program I mean a program that you would feed to it and
have it do something. By non-trivial I mean a program that does
something more than just start up a different program.

Well, within the domain of moving around programs in a Web environment,
there are two somewhat different things (well, actually there's a
continuum between them, but anyway...)

- Using the Web to launch an application you already have installed
and certified as appropriate to this use; for instance,
o Launching WordPerfect
o Running a multimedia server
o Printing the current screen
o Popping up an xclock
- Using the Web to download an arbitrary program which provides some
functionality that was not preexisting and run it automatically; for
instance,
o An interactive form
o A simple animation controlled by the user
o Prompt the user for ten numbers, then do an animation of a
bubble sort on that list
o A slideshow
o A guided tour

Each of these things has value, although to me the first is mostly a
special case of the second; that's why I'm much more interested in
trying to make the second happen. Attempting to accomplish the first
of these is the domain of things like the "exec" method for URLs.
Attempting to accomplish the second of these is the domain of safe
languages like Safe-Tcl.

From what I can see, it looks as though your system is much closer to
being an application-launcher than a programming language. That
doesn't mean it's bad, but it means that making the language secure
has rather severely lobotomized it.

> Marc said:
> >
> > The C shell hardly seems a suitable language for evaluation of
> > untrusted code. What's wrong with Safe-Tcl?
> >
> Please tell us what is wrong with Safe-......!

Well, I don't think I would exactly say something is "wrong" with it.
If I understand it correctly, it can only exec other applications,
which makes calling it "vsafecsh" seem a bit misleading, since it
can't do anything that makes the C shell the C shell (since csh can
have conditionals, iteration, variables, substitution, pipes, and
other programming language stuff; it does it badly, and is an
extremely poor choice of shells to program in, but it does do it.)

I just hope that a language that gets widely used for client-side
execution is not just secure but also portable and powerful.

--
<A HREF="http://www.cs.indiana.edu/hyplan/mvanheyn.html">Marc VanHeyningen</A>
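The message above distinguishes two models: launching an application that is already installed and certified for the purpose (the "exec" method for URLs), versus downloading an arbitrary program and running it. The following is an added example, not code from the thread or from any of the systems it mentions, sketching the first model the way a cautious client might implement it: a fixed registry of certified applications, keyed by name, where the URL selects an entry but never contributes to the command line. The `exec:<name>` URL form, the `CERTIFIED_APPS` registry and its entries are assumptions made up for this illustration.

```python
import subprocess
from typing import Callable, Dict, List, Optional

# Hypothetical registry (constructed for this example) of applications the
# local administrator has installed and certified for launch from a Web page.
# Each value is a complete argv; nothing from the page is ever appended to it.
CERTIFIED_APPS: Dict[str, List[str]] = {
    "xclock": ["xclock"],
    "print-screen": ["xwd", "-root"],
}


def parse_exec_url(url: str) -> Optional[str]:
    """Return the application name from a hypothetical 'exec:<name>' URL,
    or None if the URL does not use that scheme or names nothing."""
    scheme, sep, rest = url.partition(":")
    if sep != ":" or scheme.strip().lower() != "exec":
        return None
    name = rest.strip()
    return name or None


def resolve_launch(url: str) -> Optional[List[str]]:
    """Map an exec: URL to the certified argv for that name.

    Returns None for unknown names, so a page can only choose among the
    pre-approved entries; shell metacharacters or extra arguments in the
    URL simply fail to match any key and are rejected."""
    name = parse_exec_url(url)
    if name is None:
        return None
    argv = CERTIFIED_APPS.get(name)
    return list(argv) if argv else None


def launch(url: str, run: Callable[..., object] = subprocess.run) -> bool:
    """Launch the certified application selected by the URL.

    The `run` parameter exists so the decision logic can be exercised
    without actually starting a process. Returns True if something was
    launched, False if the URL was refused."""
    argv = resolve_launch(url)
    if argv is None:
        return False
    # argv is passed as a list with shell=False: no shell ever parses it.
    run(argv, shell=False)
    return True


if __name__ == "__main__":
    # Constructed inputs: one certified name, one attempt to smuggle in
    # extra shell syntax, and one URL of a different scheme.
    for candidate in ("exec:xclock", "exec:xclock; xterm", "http://example.invalid/"):
        print(candidate, "->", resolve_launch(candidate))
```

The point of the registry is that the page picks a label, and the client owns the mapping from label to command; that is what makes "already installed and certified" meaningful, and it is also why such a launcher cannot grow into a programming language without giving up that property.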