Mailing List Archive: 49091 messages

PROTECT bug

 [1/12] from: g::santilli::tiscalinet::it at: 8-Dec-2001 17:52


Hello Gregg!

On 07-Dic-01, you wrote:

 GI> Regarding use of 'protect: Can you protect an entire context,
 GI> or the words *in* a context? I haven't figured out how to do
 GI> that yet.

The problem is:

    >> obj: make object! [
    [ a: 1
    [ b: 1
    [ protect 'a
    [ protect 'b
    [ ]
    >> set in obj 'a 3
    ** Script Error: Word a is protected, cannot modify.
    ** Where: set in obj 'a 3
    >> obj/a: 3
    == 3

which looks like a bug to me... Anyone sent it to feedback?

Regards,
    Gabriele.
--
Gabriele Santilli <[giesse--writeme--com]> - Amigan - REBOL programmer
Amiga Group Italia sez. L'Aquila -- http://www.amyresource.it/AGI/

 [2/12] from: rotenca:telvia:it at: 8-Dec-2001 20:19


Hi Gabriele,
> >> set in obj 'a 3
> ** Script Error: Word a is protected, cannot modify.
<<quoted lines omitted: 3>>
> which looks like a bug to me...
> Anyone sent it to feedback?

Yes, I sent exactly the same thing. Here is the answer (#6864):

--------------
This is known. However, an important note is that protect is not a security feature. It does not stop anything from doing an UNPROTECT. It is meant as a tool to help prevent scripts from overwriting system critical functions or data.

REBOL Support

---
Ciao
Romano

 [3/12] from: greggirwin:mindspring at: 8-Dec-2001 15:19


Gabriele, Romano, et al

What you posted, Gabriele, is exactly what I ran into.

<< This is known. However, an important note is that protect is not a security feature. It does not stop anything from doing an UNPROTECT. It is meant as a tool to help prevent scripts from overwriting system critical functions or data. >>

I don't want it for "security" purposes, but rather to catch me when I inadvertently attempt to change something that shouldn't be changed. E.g. if I build a math library, and include the constant value of e: 2.71828182845905, I don't want anyone (including me) to change that value accidentally.

Maybe it's my background, but one of the most confusing things for me with REBOL objects is the lack of distinction between public and private elements. For example, examining the View/VID source (sans comments of course as it is dumped) and trying to figure out what you might need to access (slider values being a prime example) and what you absolutely *shouldn't* touch. Hopefully the rumored support for modules will help in this regard.

--Gregg

 [4/12] from: g:santilli:tiscalinet:it at: 9-Dec-2001 11:48


Hello Romano!

On 08-Dic-01, you wrote:

 RT> --------------
 RT> This is known. However, an important note is that protect is
 RT> not a security feature. It does not stop anything from doing
 RT> an UNPROTECT. It is meant as a tool to help prevent scripts
 RT> from overwriting system critical functions or data.
 RT> REBOL Support
 RT> ---

Once you unset UNPROTECT, you can use it as a security feature. :)

(Other possibilities are: saving and restoring system/words; running the untrusted code in a copy of system/words)

About tourists, I think an implementation could even just use a dialect.

Regards,
    Gabriele.
--
Gabriele Santilli <[giesse--writeme--com]> - Amigan - REBOL programmer
Amiga Group Italia sez. L'Aquila -- http://www.amyresource.it/AGI/

 [5/12] from: rotenca:telvia:it at: 10-Dec-2001 0:20


> Once you unset UNPROTECT, you can use it as a security feature. :)
I agree.
> (Other possibilities are: saving and restoring system/words;
> running the untrusted code in a copy of system/words)
I think that also protecting system/words is not secure, because a program can change a field in an object, like system/user/... without changing global words. You cannot save all the system with a copy deep.
> About tourists, I think an implementation could even just use a
> dialect.
A dialect or launch with IPC should be better choices.

---
Ciao
Romano

 [6/12] from: lmecir:mbox:vol:cz at: 10-Dec-2001 9:26


Hi Gabriele,

<<Gabriele>>
Hello Romano!

On 08-Dic-01, you wrote:

 RT> --------------
 RT> This is known. However, an important note is that protect is
 RT> not a security feature. It does not stop anything from doing
 RT> an UNPROTECT. It is meant as a tool to help prevent scripts
 RT> from overwriting system critical functions or data.
 RT> REBOL Support
 RT> ---

Once you unset UNPROTECT, you can use it as a security feature. :)

(...)
<</Gabriele>>

I disagree. It is insufficient to unset UNPROTECT to create an environment that is secure against malicious modifications, as I have proven some time ago.

 [7/12] from: rotenca:telvia:it at: 10-Dec-2001 15:34


Hi Ladislav
> I disagree. It is insufficient to unset UNPROTECT to create an environment
> that is secure against malicious modifications, as I have proven some time
> ago.
Where?

---
Ciao
Romano

 [8/12] from: g:santilli:tiscalinet:it at: 10-Dec-2001 19:38


Hello Ladislav!

On 10-Dic-01, you wrote:

 LM> I disagree. It is insufficient to unset UNPROTECT to create

I didn't say it was sufficient. ;)

Regards,
    Gabriele.
--
Gabriele Santilli <[giesse--writeme--com]> - Amigan - REBOL programmer
Amiga Group Italia sez. L'Aquila -- http://www.amyresource.it/AGI/

 [9/12] from: lmecir:mbox:vol:cz at: 11-Dec-2001 18:45


Hi Romano,
>> Where?
How mutable are Rebol natives? See the following:

    protect 'secure
    system/error/script/type: ""
    system/error/script/expect-arg: [
        (
            change pick third :secure 3 reduce [word! block!]
            secure allow "I love you"
        )
    ]
    change pick third :secure 3 reduce [unset! none!]

    ; the results are:

    >> secure throw
    ** : I love you.
    ** Where: secure throw
    >> secure []
    == [net allow file allow]

Regards
    Ladislav

 [10/12] from: nitsch-lists:netcologne at: 11-Dec-2001 20:02


RE: [REBOL] Re: PROTECT bug

hmm. not here (linux, /view 1.2.1.4.2, started from desktop).

    [
    rebol []
    print "virus alert!"
    protect 'secure
    system/error/script/type: ""
    system/error/script/expect-arg: [
        (
            change pick third :secure 3 reduce [word! block!]
            secure allow ("I love you")
        )
    ]
    change pick third :secure 3 reduce [unset! none!]
    secure throw
    print "hey!"
    probe secure query
    ]

gives

    virus alert!
    ** : REBOL - Security Check:
    Script requests permission to lower security level
    Yes, allow all, no, or quit? (Y/A/N/Q) N
    ** Access Error: Attempt to change security level to none
    ** Near: secure allow ("I love you")
    >> probe secure []
    [net allow library ask shell ask file ask %/home/volker/rebol/view/user.r [allow read ask write ask execute] %/home/volker/rebol/view/prefs.r [allow read ask write ask execute] %/home/volker/rebol/view/public [allow read ask write ask execute] %/home/volker/rebol/view/local/sandbox allow]
    == [net allow library ask shell ask file ask %/home/volker/rebol/view/user.r [allow read ask write ask execute] %/home/volker/rebol...

I am doing something wrong? have to look where my core is ;-)

-Volker

[lmecir--mbox--vol--cz] wrote:

 [11/12] from: lmecir:mbox:vol:cz at: 12-Dec-2001 8:53


Hi Volker,

I will describe what the script is doing. I just wanted to prove that if you allow a malicious script to change something, you cannot rely on e.g. SECURE (or any other function or native).

If you normally do secure throw, you know what you will get if you answer yes to the question [Yes, allow all, no, or quit? (Y/A/N/Q)]. If you do it after my modification, it will behave differently.

Cheers
    Ladislav

    malicious-script: [
        system/error/script/type: ""
        system/error/script/expect-arg: [
            (
                change pick third :secure 3 reduce [word! block!]
                secure allow ("I love you")
            )
        ]
        change pick third :secure 3 reduce [unset! none!]
    ]

Usage:

    protect 'secure
    print "virus alert!"
    do malicious-script
    secure throw

 [12/12] from: nitsch-lists:netcologne at: 12-Dec-2001 13:32


RE: [REBOL] Re: PROTECT bug
    >> secure throw
    ** : REBOL - Security Check:
    Script requests permission to lower security level
    Yes, allow all, no, or quit? (Y/A/N/Q) N
    ** Access Error: Attempt to change security level to none
    ** Near: secure allow ("I love you")

i say "no" and it protects me! Ah! i am stupid :) i would enter [secure throw] after doing some agent.. i would expect i go to _my_ security-choice and say yes, but there is someone behind the scenes to force _his_ security. and doing some nasty stuff immediately after that, with system-access.

i thought it was somehow possible to trick rebol out if i answer "no", or even to avoid the security-question, which would be very dangerous for using the reb. phew, that does not work.

you show one cannot rely on the rebol-console after doing a malicious script, no way out. _never_ answer a security-question with yes! which means, one cannot give control temporarily to agents, only with restricted access by dialect or launching separate processes and throwing them away after agent finishes. yes, that's true. and launching needs some control about restricting runtime and memory access, which needs specialized system-access. sad, i like the idea of agents too..

BTW i never understand why rebol on linux shares the console between different processes. hard to see who has the security-question. it would be so easy to launch with

    xterm -e rebol args

no?

-Volker

[lmecir--mbox--vol--cz] wrote:
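
The restricted-dialect approach suggested in this thread, as an added example that is not part of any message above: the agent's text is loaded as data and matched against a fixed grammar with PARSE instead of being evaluated with DO. The function name run-agent and the commands say and add are hypothetical, and REBOL 2 semantics are assumed.

```rebol
REBOL [Title: "Agent dialect sketch (added example, not from the thread)"]

; Hypothetical dialect: the only commands an agent may use.
;   say <string>          - queue a message for the host to display
;   add <integer> <integer> - queue the sum of two integers
; Words such as SECURE, UNPROTECT or SYSTEM appearing in the agent's text
; are never evaluated; they are unmatched tokens and the script is rejected.

run-agent: func [
    "Return a block of results, or none if the script leaves the dialect."
    source [string!] "Untrusted agent text"
    /local script out msg a b
][
    ; LOAD/ALL returns a block of values and does not evaluate them.
    if error? try [script: load/all source] [return none]
    out: copy []
    either parse script [
        any [
            'say set msg string! (append out msg)
          | 'add set a integer! set b integer! (append out a + b)
        ]
    ][
        out     ; whole script matched the grammar
    ][
        none    ; anything outside the grammar rejects the whole script
    ]
]

; Constructed sample inputs: one valid script, two that try to reach
; host functions or system objects and are rejected as a whole.
probe run-agent {say "hello" add 2 3}
probe run-agent {say "hi" secure allow}
probe run-agent {system/error/script/type: ""}
```

The parenthesized actions belong to the host's grammar, not to the agent, so the agent can only select among behaviours the host wrote. Partial results from a rejected script are discarded because the function returns none unless PARSE reaches the end of the input.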

Notes
  • Quoted lines have been omitted from some messages.
    View the message alone to see the lines that have been omitted