On Thu, 25 May 2000, Mark Guzdial wrote:
> So, one of the reasons that I started down the Squeak road is that
> our Computing and Network Services people wanted me to move all my
> collaborative software research *OFF* of UNIX and *ONTO* Macs. A
> UNIX CGI script is a fairly insecure thing -- many of them have been
> hacked in lots of different ways. Macintosh Web servers are
> amazingly secure -- one of the benefits of not having a command line
> :-).
But Squeak, of course, *is* a command line of sorts :)
[snip]
> Squeak maintains that security in the sense that (if you don't
> include AppleScript and don't compile in OSProcessGoodies) you can't
> possibly execute anything on the server other than Squeak. You can't
> spawn a sniffer, you can't su as root, etc.
Writing files and opening sockets may be sufficient for a variety of
secondary attacks (as well as the obvious direct attacks). For example, if
you can write out a pre-compiled AppleScript to the "startup" folder, it
will get executed next startup.
> Squeak on a Mac feels pretty darn secure. Squeak on other boxes
> still seems more secure than generic CGI scripts.
But this isn't based on scrutiny, right? PWS initializeAll loads up a
slew of dangerous stuff (codeloaders and remote workspaces). A lot of risk
assessment requires analysis of what malicious insiders can do (which is
quite a bit).
> The kinds of risks that Bijan lists (denial of service attacks,
> uploading bad things, trashing a Swiki) are inherent to Wiki-like
> systems -- doesn't matter what they're written in.
Well, some of them. Many Wikis don't allow uploads. My worry about
uploads isn't *just* that one could upload a malicious program, but that
you could upload a malicious program and then use some other technique
(i.e., by screwing with Squeak file commands) to move the program
somewhere where it would get executed (a la the infamous "Cuckoo's
egg" hack).
Any full Squeak is less secure than a "normal" web server because of the
possibility of gaining control of Squeak itself. And while most internal
operations are safe (i.e., sure, you can trash the image, but unless you go
to io you're not going to mess up the rest of the system), there remains
the possibility, I'd guess, of buffer overflow errors in the primitives
(depending, of course, on whether they're slanged, or just a plugin).
Fortunately, a lot of that stuff is dumpable, and what isn't is pretty
easy to scan.
(But, for example, I could easily see having a Squeak web app that
depended heavily on the regex plugin. That uses a third party library
(PCRE).)
A *lot* depends on your setup, and on how anal you are (or need to
be). But imagine *this* scenario: You crack Squeak (which is running
root), telnet (from inside Squeak) to a machine inside the firewall (which
is trusting you), and then proceed to wreak havoc. Or you find a passwords
file and serve it up.
However, of course, the likelihood of somebody having both the knowledge
and inclination for doing this is small, and it's even more wildly
unlikely that there'd be scripts for the script kiddies floating
about. Sometimes security by obscurity *does* lower your risk.
OTOH, the swiki.net folks must have done *some* of this kind of
thinking. They don't seem too worried ;)
Cheers,
Bijan.