misc: Unix-like permissions in a language VM

reused again, I have had some interesting arguments regarding this idea 
vs another security methodology:
http://en.wikipedia.org/wiki/Object-capability_model

(the person I was arguing with of course thought that the idea of using 
permissions checking in a VM was pointless and stupid).


the basic summary of the idea below is that of making use of a UID/GID 
and access-rights checking scheme in a compiler and VM (sort of like a 
simplistic version of a Unix-like model, and also absent ACLs or similar).

note that these UID/GID pairs would be local to the VM hosting the app, 
and are not the same as what may be used by the host OS, and would 
generally apply to pieces of code, rather than to human users (each 
module and thread could have different access rights).


note the language in question is a personally-developed language related 
somewhat to JavaScript and ActionScript (and mostly implements ECMA-262 
5th Ed), and mostly intended for app scripting (sort of like Python or 
Lua or similar...).


basically, I am gathering general opinions (good idea? stupid idea? ...).


---
[reused from an email of mine]

well, ok, this is currently mostly about my own language, but I figured 
it might be relevant/interesting.

the basic idea is this:
not all code may be from trusted sources.
consider, say, code comes from the internet.

what is a "good" way of enforcing security in such a case?


first obvious thing seems to be to disallow any features which could 
directly circumvent security.
say, the code is marked untrusted, and the first things likely to happen 
would be to disable access to things like raw pointers and to the C FFI.

the second thing seems to be the option of moving the code to a local 
toplevel where its ability to see certain things is severely limited.

both of these pose problems:
simply disabling compiler features may not be sufficient, since there 
may be ways of "using" the language which may be insecure and which go 
beyond simply enabling/disabling certain features in the compiler.

anything still visible may be tampered with, for example, suppose a 
global package is made visible in the new toplevel, and the untrusted 
code decides to define functions in a system package, essentially 
overwriting the existing functions. this is useful, say, for writing 
program mods, but may be a bad thing from a security perspective.

a partial option is to give untrusted code its own "shadowed" packages, 
but this poses other problems.

similarly, an exposed API function may indirectly give untrusted code 
"unexpected levels of power" if it, by default, has unhindered access to 
the system, placing additional burden on library code not to perform 
operations which may be exploitable.

consider something trivial like:

function getTopVar(name) { return top[name]; }

which, if exposed under a visibility-based security scheme, and the 
function was part of a library package (with full system access), now 
suddenly the whole security model is dead. essentially it would amount 
to trying to create "water tight" code to avoid potential "security leaks".


another security worry is created by, among other things, the semantics 
of object delegation (at least in my language), where assigning through 
a delegated object may in turn move up and assign the variable in a 
delegated-to object (at the VM level there are multiple assignment 
operators to address these different cases, namely which object will 
have a variable set in...).

this in turn compromises the ability to simply use delegation to give 
each module its own local toplevel (effectively, the toplevel, and any 
referenced scopes, would need to be cloned, so as to avoid them being 
modified), ...


so, I am left idly wondering:
could a variation of, say, the Unix security model, be applied at the VM 
level?

in this case, any running code would have, say, a UID (UserID, which here 
refers more to the origin of the code than to the actual user) and GID 
(GroupID). VM objects, variables, and methods, would themselves (often 
implicitly) have access rights assigned to them (for example: 
Read/Write/Execute/Special).

possible advantages:
could be reasonably secure without going through contortions;
lessens the problem of unintended levels of power;
reasonably transparent at the language level (for the most part);
....

disadvantages:
have to implement VM level security checking in many places;
there are many cases where static validation will not work, and where 
runtime checks would be needed (possible performance issue);
may add additional memory costs (now, several types of memory objects 
will have to remember their owner and access rights, ...);
it could in some cases require funky attributes "$[mode(0xF51),setuid] 
public function foo() ...";
....

uncertain:
a means could be provided for a program to request "trust" from the 
user, probably in a manner vaguely similar to UAC ("User Access 
Control") in Windows, or the digital-signing requests;
if one allows for a system similar to digital signing, there is a 
potential risk of forged/stolen keys (effectively requiring 
user-vigilance), the main alternative being that the user authorize 
modules individually if they require certain features (more similar to 
installing apps on Android);
....


probable semantics:
declaration permissions (variable/function/class) are likely to be 
applied in a manner similar to lexical scoping, where a declaration will 
retain the UID in effect at the time of its creation. this will also 
likely be the case for functions and methods. this is also likely to be 
the model employed for static security checks.

run-time security is likely to follow a model similar to dynamic 
scoping, and will likely be applied on a per-thread basis (the current 
UID and GID then being a part of the current VM context).

will likely be applied to:
functions/methods, which will mostly themselves care about execute 
permissions;
objects, which will care both about access to themselves, and to 
individual members.

say, object:
Read, needed to read from any field;
Write, needed to assign to any field;
Execute, needed to call any ordinary method (special cases may require RX).

field/method:
Read, get value from field, get function/method handle;
Write, assign to field, replace/override method;
Execute: call method (N/A for fields);

block/lambda:
Read/Write: N/A
Execute: call lambda.

probably, for now, I will pack all of this into a 32-bit value, say:
12-bits, access flags; 10 bits, owner UID; 10 bits, owner GID.
setuid/setgid would probably be stored with the modifier flags 
(currently a 64-bit value present in fields/methods/blocks, yes I really 
do have this many modifier flags... sadly...).


any thoughts?...
cr88192355 (1928)
8/13/2011 8:00:36 AM
comp.arch
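A worked model of the scheme described in the post, added here as an example in JavaScript (the language under discussion is ECMAScript-like); this is not the poster's code and not the VM in question. The 32-bit layout (12 access-flag bits, 10-bit owner UID, 10-bit owner GID) and the Read/Write/Execute/Special rights, the object/field/method check rules, the per-thread context and setuid-as-a-modifier-flag come from the post. Everything else is my assumption: the split of the 12 flag bits into owner/group/other nibbles in R/W/X/S order, the helper names (`packMode`, `allowed`, `getField`, `callMethod`, and so on), the UID/GID numbers, and the field values. It goes slightly beyond the post by running the two cases it worries about through the checks: the `getTopVar` confused-deputy leak (with and without setuid) and untrusted code trying to overwrite a member of a system package.

```javascript
// Layout taken from the post: 12 access-flag bits, a 10-bit owner UID and
// a 10-bit owner GID packed into one 32-bit value. How the 12 flag bits
// are split is my own assumption: three 4-bit classes (owner, group,
// other), each holding Read/Write/Execute/Special in that bit order.
const R = 8, W = 4, X = 2, S = 1;

function packMode(owner, group, other, uid, gid) {
  if (uid < 0 || uid > 0x3FF || gid < 0 || gid > 0x3FF) {
    throw new RangeError("uid and gid must fit in 10 bits");
  }
  const flags = ((owner & 0xF) << 8) | ((group & 0xF) << 4) | (other & 0xF);
  return ((flags << 20) | (uid << 10) | gid) >>> 0; // >>> 0 keeps it unsigned
}
function unpackMode(mode) {
  return {
    owner: (mode >>> 28) & 0xF,
    group: (mode >>> 24) & 0xF,
    other: (mode >>> 20) & 0xF,
    uid: (mode >>> 10) & 0x3FF,
    gid: mode & 0x3FF,
  };
}

// Class selection as in Unix: owner bits if the UIDs match, else group bits
// if the GIDs match, else the "other" bits. ctx is the per-thread VM context
// carrying the UID/GID currently in effect (the post's dynamic-scoping model).
function allowed(ctx, mode, want) {
  const m = unpackMode(mode);
  const bits = ctx.uid === m.uid ? m.owner : ctx.gid === m.gid ? m.group : m.other;
  return (bits & want) === want;
}
const denied = (what) => new Error("permission denied: " + what);

// Toy VM object: one mode word for the object, one per member. Methods also
// carry a setuid flag, kept apart from the mode word as the post proposes.
const makeObject = (mode) => ({ mode, fields: {}, methods: {} });
const setField = (obj, name, value, mode) => { obj.fields[name] = { value, mode }; };
const setMethod = (obj, name, fn, mode, setuid = false) => { obj.methods[name] = { fn, mode, setuid }; };

// Reading needs R on the object and R on the field; writing needs W on both.
function getField(ctx, obj, name) {
  const f = obj.fields[name];
  if (!f) throw new Error("no such field: " + name);
  if (!allowed(ctx, obj.mode, R) || !allowed(ctx, f.mode, R)) throw denied("read " + name);
  return f.value;
}
function putField(ctx, obj, name, value) {
  const f = obj.fields[name];
  if (!f) throw new Error("no such field: " + name);
  if (!allowed(ctx, obj.mode, W) || !allowed(ctx, f.mode, W)) throw denied("write " + name);
  f.value = value;
}

// Calling needs X on the object and X on the method. The callee runs under
// the caller's ctx, except that a setuid method runs as its owner UID for
// the duration of the call (the GID is left as the caller's: my assumption).
function callMethod(ctx, obj, name, ...args) {
  const m = obj.methods[name];
  if (!m) throw new Error("no such method: " + name);
  if (!allowed(ctx, obj.mode, X) || !allowed(ctx, m.mode, X)) throw denied("call " + name);
  const callee = m.setuid ? { uid: unpackMode(m.mode).uid, gid: ctx.gid } : ctx;
  return m.fn(callee, ...args);
}

// Constructed scenario: a system package (UID 1) owns the toplevel and
// exposes getTopVar, the post's example of a leak under visibility-only
// security. The UID/GID numbers and field values are made up.
const SYSTEM = 1, SYSTEM_GROUP = 100, UNTRUSTED = 7, UNTRUSTED_GROUP = 200;
const top = makeObject(packMode(R | W | X, R | X, R | X, SYSTEM, SYSTEM_GROUP));
setField(top, "greeting", "hello", packMode(R | W, R, R, SYSTEM, SYSTEM_GROUP));
setField(top, "secret", "s3cr3t", packMode(R | W, 0, 0, SYSTEM, SYSTEM_GROUP)); // owner-only

function systemLibrary(setuid) {
  const lib = makeObject(packMode(R | W | X, R | X, R | X, SYSTEM, SYSTEM_GROUP));
  setMethod(lib, "getTopVar", (ctx, name) => getField(ctx, top, name),
            packMode(R | X, X, X, SYSTEM, SYSTEM_GROUP), setuid);
  return lib;
}

// What untrusted code sees through getTopVar, with and without setuid on it.
function probe(setuid) {
  const ctx = { uid: UNTRUSTED, gid: UNTRUSTED_GROUP };
  const lib = systemLibrary(setuid);
  const seen = {};
  for (const name of ["greeting", "secret"]) {
    try { seen[name] = callMethod(ctx, lib, "getTopVar", name); }
    catch (e) { seen[name] = "denied"; }
  }
  return seen;
}

// The "define functions in a system package" worry: may ctx overwrite a
// toplevel member? (Writes the same value back so the example stays idempotent.)
function canOverwrite(ctx) {
  try { putField(ctx, top, "greeting", "hello"); return true; }
  catch (e) { return false; }
}

console.log(probe(false)); // { greeting: 'hello', secret: 'denied' }
console.log(probe(true));  // { greeting: 'hello', secret: 's3cr3t' }
console.log(canOverwrite({ uid: UNTRUSTED, gid: UNTRUSTED_GROUP })); // false
```

The point the two `probe` calls make is the one the post is after: because the check is made against the UID in effect at call time rather than the UID that wrote the library, a plain `getTopVar` exposed from a system package does not hand untrusted code the package's own rights, and the leak only reappears when the method is explicitly marked setuid. The write check is where the "overwrite a system function" case is refused without having to clone the toplevel.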