Security - avram - a virtual machine code interpreter

Next: Example Script, Previous: Diagnostics, Up: User Manual

1.7 Security

A few obvious security considerations are relevant to running untrusted virtual code applications. These points are only as reliable as the assumption that the avram executable has not been modified to the contrary.

The applications with the best protection from malicious code are those that run in filter mode, because they have no access to any information not presented to them in standard input, nor the ability to affect anything other than the contents of standard output (provided that the --jail command line option is used). The worst they can do is use up a lot of memory, which can be prevented with the ulimit command. Unfortunately, not all applications are usable in this mode.
Parameter mode applications that do not involve the -i, -t or -s options are almost as safe (also assuming --jail). They have (read-only) access to environment variables, and to the files that are indicated explicitly on the command line. If standard input is one of the files (as indicated by the use of - as a parameter), the virtual code application may infer the current date and time. However, a parameter mode application may write any file that the user has permission to write. The --ask-to-overwrite option should be used for better security, or at least the --quiet option should not be used. The virtual code can neither override nor detect the use of these options.
Interactive parameter mode applications (those that use either the -i, -t or -s options) are the least secure because they can execute arbitrary shell commands on behalf of the user. This statement also applies to filter mode and parameter mode applications where the --jail option is not used. Use of --step is preferable to -i for making an audit trail of all commands executed, but the application could probably subvert it. The --step option may be slightly better because it can allow the user to inspect each command and interrupt it if appropriate. However, in most cases a command will not be displayed until it is already executed. Commands executed by non-interactive applications normally will display no output to that effect. A chroot environment may be the only secure way of running untrusted interactive applications.