<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html401/loose.dtd">
<html>
<!-- Created on November 8, 2012 by texi2html 1.82
texi2html was written by:
Lionel Cons (original author)
Karl Berry
Olaf Bachmann
and many others.
Maintained by: Many creative people.
-->
<head>
<title>avram - a virtual machine code interpreter: 1.7 Security</title>
<meta name="description" content="avram - a virtual machine code interpreter: 1.7 Security">
<meta name="keywords" content="avram - a virtual machine code interpreter: 1.7 Security">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="texi2html 1.82">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.smallquotation {font-size: smaller}
pre.display {font-family: serif}
pre.format {font-family: serif}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: serif; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: serif; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.roman {font-family:serif; font-weight:normal;}
span.sansserif {font-family:sans-serif; font-weight:normal;}
ul.toc {list-style: none}
-->
</style>
</head>
<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
<a name="Security"></a>
<a name="Security-1"></a>
<h2 class="section">1.7 Security</h2>
<a name="index-security"></a>
<p>A few obvious security considerations are relevant to running untrusted
virtual code applications. These points are only as reliable as the
assumption that the <code>avram</code> executable has not been modified to the
contrary.
</p>
<ul>
<li><a name="index-filter-mode-1"></a>
 The applications with the best protection from malicious code are
those that run in filter mode, because they have no access to any
information not presented to them in standard input, nor the ability to
affect anything other than the contents of standard output (provided that
the <code>--jail</code> command line option is used). The worst
they can do is use up a lot of memory, which can be prevented with the
<code>ulimit</code> command. Unfortunately, not all applications are usable
in this mode.
</li><li> Parameter mode applications that do not involve the &lsquo;<samp>-i</samp>&rsquo;,
<a name="index-parameter-mode-2"></a>
<a name="index-standard-input-3"></a>
&lsquo;<samp>-t</samp>&rsquo; or &lsquo;<samp>-s</samp>&rsquo; options are almost as safe (also assuming
<code>--jail</code>). They have read-only access to environment variables and to the files that are
indicated explicitly on the command line. If standard input is one of
the files (as indicated by the use of <code>-</code> as a parameter), the
virtual code application may infer the current date and time. However,
a parameter mode application may write any file that the user has
permission to write. The &lsquo;<samp>--ask-to-overwrite</samp>&rsquo; option should be
used for better security, or at least the &lsquo;<samp>--quiet</samp>&rsquo; option should
not be used. The virtual code can neither override nor detect the use
of these options.
</li><li> Interactive parameter mode applications (those that use either the
<a name="index-interactive-applications-1"></a>
&lsquo;<samp>-i</samp>&rsquo;, &lsquo;<samp>-t</samp>&rsquo; or &lsquo;<samp>-s</samp>&rsquo; options) are the least secure
because they can execute arbitrary shell commands on behalf of the
user. This statement also applies to filter mode and parameter mode
applications where the &lsquo;<samp>--jail</samp>&rsquo; option is not used. Use of
&lsquo;<samp>--step</samp>&rsquo; is preferable to &lsquo;<samp>-i</samp>&rsquo; for making an audit
trail of all commands executed, but the application could probably
subvert it. The &lsquo;<samp>--step</samp>&rsquo; option may be slightly better because
it can allow the user to inspect each command and interrupt it if
appropriate. However, in most cases a command will not be displayed
until it has already been executed. Commands executed by non-interactive
applications normally display no output to that effect. A
<code>chroot</code> environment may be the only secure way of running
untrusted interactive applications.
</li></ul>
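<p>One way to apply the three cases above before launching an untrusted application, as an added example that is not part of the avram manual or distribution. The function names, the tier labels and the caller-declared mode argument are hypothetical, and only the option spellings shown in this section are recognized.</p>

```shell
# Added example; names and tier labels are hypothetical, not avram's own.
# Assumption: options are spelled exactly as on this page (no abbreviations).

# avram_risk_tier MODE ARGS...: MODE is "filter" or "parameter", declared by
# the caller; ARGS are the arguments that would be passed to avram.
avram_risk_tier() {
    mode=$1; shift
    jail=no; interactive=no; quiet=no; ask=no
    for arg in "$@"; do
        case $arg in
            --jail)             jail=yes ;;
            -i|-t|-s)           interactive=yes ;;
            --quiet)            quiet=yes ;;
            --ask-to-overwrite) ask=yes ;;
        esac
    done
    if [ "$interactive" = yes ] || [ "$jail" = no ]; then
        echo shell-capable      # may execute arbitrary shell commands
    elif [ "$mode" = filter ]; then
        echo stdio-only         # reads stdin, affects stdout, can use memory
    elif [ "$quiet" = yes ]; then
        echo quiet-writes       # may write user-writable files, --quiet set
    elif [ "$ask" = yes ]; then
        echo prompted-writes    # overwrites are confirmed by the user
    else
        echo default-writes     # neither --quiet nor --ask-to-overwrite given
    fi
}

# run_avram_capped KB MODE ARGS...: refuse the shell-capable tier, otherwise
# run avram with virtual memory capped at KB kilobytes. The subshell keeps
# the ulimit from leaking into the calling shell.
run_avram_capped() {
    kb=$1; mode=$2; shift 2
    tier=$(avram_risk_tier "$mode" "$@")
    if [ "$tier" = shell-capable ]; then
        echo "refusing: $tier (add --jail, drop -i/-t/-s)" >&2
        return 2
    fi
    ( ulimit -v "$kb" && exec avram "$@" )
}
```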
<p>
<font size="-1">
This document was generated on <i>November 8, 2012</i> using <a href="http://www.nongnu.org/texi2html/"><i>texi2html 1.82</i></a>.
</font>
<br>
</p>
</body>
</html>