While that is an issue, the accounting for time can be done in another layer.
The idea is to allow a whitelist of commands that allow remote connections to
make queries or delegate computing for what could be several clients/peers.
The "server" can be integrated into another application, and so global limits
on time/space aren't a good solution.
The whitelist is limited to single word commands that are executed monadically.
Each allowable command has to be intentionally included, and the do command is
not recommended. In terms of possible system abuse, there is not much
difference between 1 process that takes 1 hour, or 100 users calling 1000
processes per minute that each execute fairly quickly.
Here is a more interesting and more vulnerable whitelist locale:
cocurrent_z_ 'authserver'
(18!:5 '') 18!:2 ] 18!:5 '' NB. remove _z_
create =: 3 : 0
'successloc conn' =: y
reqlogin ''
addreply__conn 18!:5 ''
)
brownlist =: i.0
attempts =: 0
success =: 0
reqlogin =: 3 : '(''login'' loc 18!:5 '''') REQ__conn ;:''login username password'''
login =: 3 : 0
success =: testlogin y
if. success do. codestroy '' [ addreply__conn successloc return.
else. attempts =: >: attempts end.
if. 3 < attempts do. onfail '' return. else. reqlogin '' end.
)
testlogin =: ('pepe silvia';'hunter2') & -:
onfail =: 3 : 0
brownlist_authserver_ =: brownlist_authserver_ , 2{ a: ,~ sdgetpeername_jsocket_ sock__sender__conn
close__conn ''
codestroy_z_ ''
)
new=: 4 : '(x;y) conew_z_ 18!:5 ''''' NB. y is connection. x is locale/reply loop to launch on success
_____
The above is intended as a list of available remote commands right after a
socket is connected, to establish authorization, and on success grants access
to a new list of commands. It's a group of functions that work together and can
manage state per user (when a new instance is created for each user), as well
as tracking global/classwide state (brownlist of ip names that fail login
repeatedly). (the code probably won't work on your system because it is
dependent on a connection object, but hopefully the idea is understandable...
can remove lines that reference conn for testing)
Cannot read or set variables.
(<'authserver') rexec 'success';'=:';'1'
┌──┬────────────────────────────────────────────────────────────────────┐
│19│|syntax error: apply | (<'authserver') rexec'success';'=:';'1' │
└──┴────────────────────────────────────────────────────────────────────┘
(<'authserver') rexec <'success =: 1'
┌──┬─────────────────────────────────────────────────────────────────┐
│19│|syntax error: apply | (<'authserver') rexec<'success =: 1' │
└──┴─────────────────────────────────────────────────────────────────┘
Only monadic functions may be called, so remote cannot flood 'new' calls.
(<'authserver') rexec 'new';0;0
┌─┬─────────────────────────────────────────────────────────────────────┐
│3│|domain error: new_authserver_ | (<'authserver') rexec'new';0;0 │
└─┴─────────────────────────────────────────────────────────────────────┘
Calling onfail is safe to the application, because the remote is just closing
his own connection.
The one security "failure" is exposing the testlogin verb, which allows the
"attacker" unlimited guesses at username;password instead of going through the
intended guess-counting login verb.
(<'authserver') rexec 'testlogin';'wronguname';'hunter2'
┌─┬─┐
│0│0│
└─┴─┘
That is fixed by making testlogin an internal-only verb by the following
(turning it into a dyad definition):
testlogin =: 4 : '(''pepe silvia'';''hunter2'') & -: y'
and calling it internally with a dummy x argument.
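As an added example (not code from this thread, and not Pascal Jasmin's J), here is a Python model of the two ideas above: an allowlist-only dispatcher in the style of rexec, where the command must be a single registered word and there is no way to read or assign a variable, and a per-connection login gate with a class-wide brownlist, with the credential check kept internal so a remote cannot bypass the attempt counter. The class names, the peer addresses, the error codes and the credentials are constructed for the illustration.

```python
import hmac

# Result convention modelled on the thread's boxed replies: (0, result) on
# success, (nonzero, message) on error, so a caller can check like chkerr does.
OK = 0
ERR_DOMAIN = 3       # constructed code, stands in for J's domain error
ERR_VALUE = 21       # constructed code, stands in for J's value error


class CommandSandbox:
    """Executes only commands that were explicitly registered by name.

    A request is a list whose first element is the command name and whose
    remaining elements form its single (monadic) argument.  Nothing here can
    read or assign a variable, and no 'do'-style evaluator is ever registered.
    """

    def __init__(self):
        self._commands = {}

    def register(self, name, fn):
        # Only plain single-word names: locative-looking names such as
        # do_z_ or sock__conn cannot even be registered.
        if not name.isidentifier() or name.endswith("_") or "__" in name:
            raise ValueError(f"refusing to register {name!r}")
        self._commands[name] = fn

    def rexec(self, request):
        # Pre-guard: the command must be a string (the 'w rexec 2;3;4' case).
        if not isinstance(request, (list, tuple)) or not request:
            return (ERR_DOMAIN, "domain error: sanitize")
        cmd = request[0]
        if not isinstance(cmd, str):
            return (ERR_DOMAIN, "domain error: sanitize")
        words = cmd.split()                 # like ;: then picking the first word
        name = words[0] if words else ""
        fn = self._commands.get(name)
        if fn is None:                      # unknown, internal or locative name
            return (ERR_VALUE, f"value error: {name}")
        try:
            return (OK, fn(list(request[1:])))
        except Exception as exc:            # a bad argument must not crash the server
            return (ERR_DOMAIN, f"{type(exc).__name__}: {exc}")


class AuthServer:
    """Per-connection login gate; the brownlist is shared by all instances."""

    MAX_FAILURES = 3
    brownlist = set()                        # class-wide, like brownlist_authserver_
    CREDENTIALS = ("pepe silvia", "hunter2")  # constructed sample credentials

    def __init__(self, peer):
        self.peer = peer
        self.attempts = 0
        self.success = False
        self.closed = False
        self.sandbox = CommandSandbox()
        self.sandbox.register("login", self.login)   # the only command exposed

    def _testlogin(self, creds):
        """Internal only: never registered, so rexec cannot reach it directly."""
        if len(creds) != 2:
            return False
        user, pw = (str(c).encode() for c in creds)
        ok_user = hmac.compare_digest(user, self.CREDENTIALS[0].encode())
        ok_pw = hmac.compare_digest(pw, self.CREDENTIALS[1].encode())
        return ok_user and ok_pw            # both compared; no early exit on user

    def login(self, creds):
        if self.closed or self.peer in AuthServer.brownlist:
            return "refused"
        if self._testlogin(creds):
            self.success = True             # the real server would now hand over successloc
            return "ok"
        self.attempts += 1
        if self.attempts > self.MAX_FAILURES:
            self.onfail()
            return "closed"
        return "login username password"    # re-issue the login request

    def onfail(self):
        """Record the peer and close this connection (class-wide effect)."""
        AuthServer.brownlist.add(self.peer)
        self.closed = True


def demo():
    """Replay the thread's probes against a fresh server; returns the replies."""
    AuthServer.brownlist.clear()
    peer = "198.51.100.7"                    # constructed peer address
    srv = AuthServer(peer)
    rx = srv.sandbox.rexec
    out = {
        "assign": rx(["success", "=:", "1"]),            # cannot set variables
        "nonstring": rx([2, 3, 4]),                      # cmd must be a string
        "locative": rx(["do_z_", 2, 3, 4]),              # no locatives
        "testlogin": rx(["testlogin", "wronguname", "hunter2"]),  # internal verb hidden
    }
    out["guesses"] = [rx(["login", "pepe silvia", "nope"]) for _ in range(4)]
    out["retry_same_peer"] = AuthServer(peer).sandbox.rexec(
        ["login", "pepe silvia", "hunter2"])             # peer is brownlisted now
    out["fresh_peer"] = AuthServer("203.0.113.9").sandbox.rexec(
        ["login", "pepe silvia", "hunter2"])
    return out


if __name__ == "__main__":
    for key, reply in demo().items():
        print(key, reply)
```

The fourth wrong guess closes the connection and records the peer, so a second connection from the same address is refused before any credential is checked, while a new peer can still log in normally; the unregistered testlogin is unreachable through rexec, which is the fix the message above describes.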
________________________________
From: Björn Helgason <[email protected]>
To: Programming forum <[email protected]>
Sent: Thursday, November 28, 2013 12:51:36 AM
Subject: Re: [Jprogramming] safe remote execution
You may want to be able to set a time or space limit for each statement?
Also a try. catch.
On Nov 28, 2013 4:20 AM, "Devon McCormick" <[email protected]> wrote:
> I haven't yet put it up on the J wiki, but we had a segment at this month's
> NYCJUG about generating random J phrases. I won't go into the why and how
> but here's some things I uncovered with this exercise.
>
> DON'T TRY THIS AT HOME
> ====================
> If you want to use up all your memory, you may be able to do this (on a 3
> GB RAM machine):
>
> *.^:x:23
>
> but this probably will not work
>
> *.^:x:24
>
> and this won't (unless - maybe - you have more than 16GB):
>
> *.^:x:29
>
> If you look at the shape of this expression with a number smaller than 23,
> you'll get an idea of what the problem is.
>
> Don't try these at all:
>
> _.*.1
> 1:H.0:_.
> *f.H.1:_.
> 1:H.}:_.
> ,:/a.
>
> (these all lock up J so that it has to be killed or eventually use up all
> memory, at least on the two or three machines where I've tried it).
>
> I have a longer list of valid - but very bad - J phrases that I have to
> filter out from my randomly-generated phrases but this will have to wait
> until I have time to put up the longer essay. In any case, there are
> potentially dangerous J phrases you may not be able to filter out.
>
>
>
> On Wed, Nov 27, 2013 at 2:22 PM, Pascal Jasmin <[email protected]> wrote:
>
> > I'm not positive what you mean,
> >
> > w rexec 'do_z_';2;3;4
> > ┌─┬───────────────────────────────────────────────────────────────────┐
> > │4│|ill-formed name: do_z__testcommands_ | w rexec'do_z_';2;3;4 │
> > └─┴───────────────────────────────────────────────────────────────────┘
> >
> > the sanitize function picks the first word (;:) from cmd. As long as the
> > "whitelist" provided by the testcommands locale does not include
> > something
> > like do or memw, then I don't think it's possible to run a locative (?)
> >
> > I did find an error in sanitize, which assumed cmd is a string. Easiest,
> > atm, to preguard for that.
> >
> > w rexec 2;3;4
> > |domain error: sanitize
> > | w rexec 2;3;4
> >
> >
> > ________________________________
> > From: Henry Rich <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, November 27, 2013 1:11:57 PM
> > Subject: Re: [Jprogramming] safe remote execution
> >
> >
> > What stops cmd from being a locative?
> >
> > Henry Rich
> >
> >
> > On 11/27/2013 10:37 AM, Pascal Jasmin wrote:
> > > These routines should allow for "safe" remote code execution from a not
> > > completely trusted user, but I am posting here in case I missed anything.
> > > Safe means should not crash, and should not execute any command outside
> > > the
> > > sandbox locale. User passes a noun that consists of 'cmd';monadic y
> > > arguments (maybe multiple boxes).
> > >
> > > mkerr_z_ =: ((0&;)@:) ( :: ((13!:11 ; 13!:12)@:(''"_)))
> > > chkerr_z_ =: ;@:}. ^:(0 = >@{.)
> > > sanitize_z_ =: (0&pick)@:;:
> > >
> > >
> > > rexec_z_ =: (sanitize@:>@{.@:] loc [) apply mkerr }.@:]
> > >
> > > cocurrent 'testcommands'
> > > (18!:5 '') 18!:2 ] 18!:5 '' NB. removes _z_
> > > double =: +:@:;
> > > echo =: ]
> > >
> > > in immediate window (or use cocurrent 'base' if typed above)
> > >
> > > w =. <'testcommands'
> > >
> > >
> > > w rexec 'double';2;3;4
> > > ┌─┬─────┐
> > > │0│4 6 8│
> > > └─┴─────┘
> > > chkerr w rexec 'double';2;3;4
> > > 4 6 8
> > >
> > > w rexec 'do_z';2;3;4
> > > ┌──┬─────────────────────────────────────────────────────┐
> > > │21│|value error: do_z_testcommands_ | (<0),<x u y │
> > > └──┴─────────────────────────────────────────────────────┘
> > >
> > > any improvements or security failure?
> > >
> > > Note the first line of 'testcommands' locale, is there a way to set the
> > > search path to nothing (instead of self as done there)
> > >
> > > ----------------------------------------------------------------------
> > > For information about J forums see http://www.jsoftware.com/forums.htm
> > >
> >
>
>
>
> --
> Devon McCormick, CFA