#276 Auditor protocol is insecure

Need_for_security
open
auditors (6)
7
2005-08-15
2005-08-15
No

From
http://www.eros-os.org/pipermail/e-lang/2005-August/010936.html

On Aug 8, 2005, at 9:53, Mark Miller wrote:

> bind OptionallyDeepFrozen implements DeepFrozenStamp {
> to audit(objectExpr, witness) {
> escape fail {
> requireAudit(objectExpr, witness, fail)
> witness.ask(DeepFrozenStamp)
> }
> return false
> }
> }

? def dfs
> OptionallyDeepFrozen.audit(
> e`thunk {}`,
> def falseWitness { to ask(bind dfs) {} })
> dfs
# value: <DeepFrozenStamp>

Introducing a Witness guard that OptionallyDeepFrozen
can check doesn't help:

? def MightAsWellBeDeepFrozenStamp {
> to audit(objectExpr, witness) {
> OptionallyDeepFrozen.audit(
> e`thunk {}`,
> witness)
> return false
> }
> }

Two fixes:
* Eliminate "ask": the auditor protocol is safe if
auditors do no authorization and only answer questions.
* Add a Witness guard, and make the Witness provide
the objectExpr so that clients of an auditor can't
provide the wrong objectExpr. The Witness would then be
the only argument to the auditor, and should be renamed.

Discussion

    • assigned_to: nobody --> caplet
     
  • Logged In: YES
    user_id=54168

    We have done most of the second bullet:

    Witness has been renamed Audition.
    ask is given only an Audition.
    The Auditor asks the Audition for the source.
    Perhaps we still need an Audition guard, in which case the
    Java Audition interface should be declared a marker
    interface. Until this is resolved, this bug remains open.

     
  • Logged In: YES
    user_id=54168
    Originator: YES

    From <http://www.eros-os.org/pipermail/e-lang/2006-November/011568.html>

    A guard is needed for auditors to verify that the audition they
    receive will behave properly in its ask/1 method. Without that guard,
    you merely can't use ask if you don't want the auditor you provide to
    it to be revealed/fiddled with/whatever.

    Furthermore, I think there ought to be a separate EAudition guard,
    which passes witnesses providing getObjectExpr/0 and scope
    examination, etc. This is so that if we introduce auditing of other
    or not-quite-E languages in the same 'ELib', programs can avoid
    accidentally approving something that doesn't match the semantics
    they assumed.