1.7 Security
A few obvious security considerations are relevant to running untrusted
virtual code applications. These points are only as reliable as the
assumption that the avram
executable has not been modified to the
contrary.
- The applications with the best protection from malicious code are
those that run in filter mode, because they have no access to any
information not presented to them in standard input, nor the ability to
affect anything other than the contents of standard output (provided that
the
--jail
command line option is used). The worst
they can do is use up a lot of memory, which can be prevented with the
ulimit command. Unfortunately, not all applications are usable
in this mode.
- Parameter mode applications that do not involve the -i,
-t or -s options are almost as safe (also assuming
--jail
). They have (read-only) access to environment variables, and to the files that are
indicated explicitly on the command line. If standard input is one of
the files (as indicated by the use of -
as a parameter), the
virtual code application may infer the current date and time. However,
a parameter mode application may write any file that the user has
permission to write. The --ask-to-overwrite option should be
used for better security, or at least the --quiet option should
not be used. The virtual code can neither override nor detect the use
of these options.
- Interactive parameter mode applications (those that use either the
-i, -t or -s options) are the least secure
because they can execute arbitrary shell commands on behalf of the
user. This statement also applies to filter mode and parameter mode
applications where the --jail option is not used. Use of
--step is preferable to -i for making an audit
trail of all commands executed, but the application could probably
subvert it. The --step option may be slightly better because
it can allow the user to inspect each command and interrupt it if
appropriate. However, in most cases a command will not be displayed
until it is already executed. Commands executed by non-interactive
applications normally will display no output to that effect. A
chroot environment may be the only secure way of running
untrusted interactive applications.