txlyre
/
avram


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
							<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html401/loose.dtd">
<html>
<!-- Created on November 8, 2012 by texi2html 1.82
texi2html was written by: 
            Lionel Cons <[email protected]> (original author)
            Karl Berry  <[email protected]>
            Olaf Bachmann <[email protected]>
            and many others.
Maintained by: Many creative people.
Send bugs and suggestions to <[email protected]>
-->
<head>
<title>avram - a virtual machine code interpreter: 1.7 Security</title>

<meta name="description" content="avram - a virtual machine code interpreter: 1.7 Security">
<meta name="keywords" content="avram - a virtual machine code interpreter: 1.7 Security">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="texi2html 1.82">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.smallquotation {font-size: smaller}
pre.display {font-family: serif}
pre.format {font-family: serif}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: serif; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: serif; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.roman {font-family:serif; font-weight:normal;}
span.sansserif {font-family:sans-serif; font-weight:normal;}
ul.toc {list-style: none}
-->
</style>


</head>

<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">

<a name="Security"></a>
<table cellpadding="1" cellspacing="1" border="0">
<tr><td valign="middle" align="left">[<a href="Other-Diagnostics-and-Warnings.html#Other-Diagnostics-and-Warnings" title="Previous section in reading order"> &lt; </a>]</td>
<td valign="middle" align="left">[<a href="Example-Script.html#Example-Script" title="Next section in reading order"> &gt; </a>]</td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left">[<a href="User-Manual.html#User-Manual" title="Beginning of this chapter or previous chapter"> &lt;&lt; </a>]</td>
<td valign="middle" align="left">[<a href="User-Manual.html#User-Manual" title="Up section"> Up </a>]</td>
<td valign="middle" align="left">[<a href="Virtual-Machine-Specification.html#Virtual-Machine-Specification" title="Next chapter"> &gt;&gt; </a>]</td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left">[<a href="avram.html#Top" title="Cover (top) of document">Top</a>]</td>
<td valign="middle" align="left">[<a href="avram_toc.html#SEC_Contents" title="Table of contents">Contents</a>]</td>
<td valign="middle" align="left">[<a href="Function-Index.html#Function-Index" title="Index">Index</a>]</td>
<td valign="middle" align="left">[<a href="avram_abt.html#SEC_About" title="About (help)"> ? </a>]</td>
</tr></table>
<hr size="1">
<a name="Security-1"></a>
<h2 class="section">1.7 Security</h2>

<a name="index-security"></a>
<p>A few obvious security considerations are relevant to running untrusted
virtual code applications. These points are only as reliable as the
assumption that the <code>avram</code> executable has not been modified to the
contrary.
</p>
<ul>
<li><a name="index-filter-mode-1"></a>
</li><li> The applications with the best protection from malicious code are
those that run in filter mode, because they have no access to any
information not presented to them in standard input, nor the ability to
affect anything other than the contents of standard output (provided that
the <code>--jail</code> command line option is used). The worst
they can do is use up a lot of memory, which can be prevented with the
<code>ulimit</code> command. Unfortunately, not all applications are usable
in this mode.
</li><li> Parameter mode applications that do not involve the &lsquo;<samp>-i</samp>&rsquo;,
<a name="index-parameter-mode-2"></a>
<a name="index-standard-input-3"></a>
&lsquo;<samp>-t</samp>&rsquo; or &lsquo;<samp>-s</samp>&rsquo; options are almost as safe (also assuming
<code>--jail</code>). They have (read-only) access to environment variables, and to the files that are
indicated explicitly on the command line. If standard input is one of
the files (as indicated by the use of <code>-</code> as a parameter), the
virtual code application may infer the current date and time.  However,
a parameter mode application may write any file that the user has
permission to write. The &lsquo;<samp>--ask-to-overwrite</samp>&rsquo; option should be
used for better security, or at least the &lsquo;<samp>--quiet</samp>&rsquo; option should
not be used.  The virtual code can neither override nor detect the use
of these options.
</li><li> Interactive parameter mode applications (those that use either the
<a name="index-interactive-applications-1"></a>
&lsquo;<samp>-i</samp>&rsquo;, &lsquo;<samp>-t</samp>&rsquo; or &lsquo;<samp>-s</samp>&rsquo; options) are the least secure
because they can execute arbitrary shell commands on behalf of the
user. This statement also applies to filter mode and parameter mode
applications where the &lsquo;<samp>--jail</samp>&rsquo; option is not used.  Use of
&lsquo;<samp>--step</samp>&rsquo; is preferable to &lsquo;<samp>-i</samp>&rsquo; for making an audit
trail of all commands executed, but the application could probably
subvert it. The &lsquo;<samp>--step</samp>&rsquo; option may be slightly better because
it can allow the user to inspect each command and interrupt it if
appropriate. However, in most cases a command will not be displayed
until it is already executed. Commands executed by non-interactive
applications normally will display no output to that effect. A
<code>chroot</code> environment may be the only secure way of running
untrusted interactive applications.
</li></ul>


<hr size="1">
<table cellpadding="1" cellspacing="1" border="0">
<tr><td valign="middle" align="left">[<a href="Other-Diagnostics-and-Warnings.html#Other-Diagnostics-and-Warnings" title="Previous section in reading order"> &lt; </a>]</td>
<td valign="middle" align="left">[<a href="Example-Script.html#Example-Script" title="Next section in reading order"> &gt; </a>]</td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left">[<a href="User-Manual.html#User-Manual" title="Beginning of this chapter or previous chapter"> &lt;&lt; </a>]</td>
<td valign="middle" align="left">[<a href="User-Manual.html#User-Manual" title="Up section"> Up </a>]</td>
<td valign="middle" align="left">[<a href="Virtual-Machine-Specification.html#Virtual-Machine-Specification" title="Next chapter"> &gt;&gt; </a>]</td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left"> &nbsp; </td>
<td valign="middle" align="left">[<a href="avram.html#Top" title="Cover (top) of document">Top</a>]</td>
<td valign="middle" align="left">[<a href="avram_toc.html#SEC_Contents" title="Table of contents">Contents</a>]</td>
<td valign="middle" align="left">[<a href="Function-Index.html#Function-Index" title="Index">Index</a>]</td>
<td valign="middle" align="left">[<a href="avram_abt.html#SEC_About" title="About (help)"> ? </a>]</td>
</tr></table>
<p>
 <font size="-1">
  This document was generated on <i>November 8, 2012</i> using <a href="http://www.nongnu.org/texi2html/"><i>texi2html 1.82</i></a>.
 </font>
 <br>

</p>
</body>
</html>