(cc'ing misc instead of tech)

On Sat, Nov 24, 2012 at 7:21 PM, William Ahern
<will...@25thandclement.com> wrote:
> On Thu, Nov 22, 2012 at 01:27:46PM -0430, Andres Perera wrote:
>> On Thu, Nov 22, 2012 at 11:58 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> 
>> wrote:
>> > On Thu, 22 Nov 2012 09:30:41 -0430
>> > Andres Perera wrote:
>> >
>> >> i'm not sure how using js for configuration files, as opposed to using
>> >> a language commonly deployed for the same purpose, such as lua,
>> >> presents an innate constraint on security.
>> >
>> > Firstly the article mentioned JIT preventing true randomisation.
>> >
>> > Secondly pulling in JS as a dependency even on servers is rediculous and
>> > is a language very familiar to attackers and unfamiliar to many users.
>> > It would be especially, shall we say kind to attackers utilising rop
>> > attacks.
>>
>> but jit isn't irreparably interleaved with js
>>
>> am i compromising by running luajit in interpreter mode instead of the
>> reference implementation
>
> Almost certainly, yes. And that's not a slight against Mike Pall's skills.
> Complexity is the enemy of security, every time. Merely disabling a feature
> doesn't remove its footprint from the code base.

lets make something clear: using luajit as an example does not impose
a strict meaning on "disable". consider it an absolute requirement
that "disables" entails: not using mmap or mprotect directly, and more
importantly, impose memory layout constrictions outside of what system
malloc would

>
> And have you read any of those codebases? The reference Lua implementation
> is a model of clear programming, IMO.
>
>>, moreover, would that imply that lua the language is insecure or is the
>> specific implementation at fault?
>
> Lua-the-language is designed with implementation details in mind. When an
> implementation details become intolerably complex, they consider removing
> the feature (e.g. the new generational collector in 5.2).

i'm not interested in defending the position that having the ability
of choosing between two allocators, or even that the allocator is
exposed to the user at all, is part of the language. i consider it a
stupid argument to participate in. if the intention was to evoke the
idea that, in the real world, implementation and design are not
conveniently independent, then i would ask for an example that
correspondingly uses an implementation detail that is relevant to the
light use expected out of a configuration language by a project like
polkit

>>
>> why would the runtime be attractive for rop? what configuration vm
>> needs syscalls that would be attractive to an attacker that can change
>> the address of a jump? does the runtime really need to open sockets,
>> or spawn processes? (i'm not even talking about languages)
>
> Those syscalls are accessible in the run time environment, whether or not
> they're intentionally bound. And that's all that matters, at the end of the
> day. If intentions drove run time safety, there would never be attacks
> against real-world code.

i'm also not interested in perpetually repeating myself, specially
when opposing opinions differ on what's lacking in the imaginary,
js-driven sudo program. in the same message you quoted i used systrace
(no deferred arg-check) as a deterrent. there's no need for overly
simplistic quips like "If intentions drove run time safety, there
would never be attacks against real-world code"; i don't see how those
promote discussion at all

Reply via email to