[plt-scheme] Introducing... Stuffers

From: Jay McCarthy (jay.mccarthy at gmail.com)
Date: Fri Feb 6 23:10:03 EST 2009

On Fri, Feb 6, 2009 at 8:58 PM, Stephen Bloch <sbloch at adelphi.edu> wrote:
> On Feb 6, 2009, at 8:43 PM, Jay McCarthy wrote:
>> If you just use serialize-stuffer, then the user can change anything
>> they want. They can only get you to run code that you've already
>> written, but they can change values in the environment.
> I suspect "the environment" could well be a target,

Yes, it could be a target.

> but I'm more worried
> about "They can only get you to run code that you've already written."  What
> exactly does this mean; what are its limits?

The transformation gives a distinct name to every continuation in the
program. These names are allowed to occur in the serialized
representation. So, suppose the serialization contains "k20", a hacker
could change it to "k21" and see what happens, as so on. The only way
I can think of executing arbitrary code is if one of your continuation
is something like 'eval' that executes an s-expr in the environment.
(Just including a closure in the environment is not problematic...
these are labelled in the same way as continuations.)

> Would it be possible to change
> the continuation so, say, it loads a user-specified file on the server and
> evaluates a user-specified expression using definitions from that file?

If understand you, no. If the hacker could upload code through another
channel, they could compile it using the transformation and therefore
get the continuation to refer to it.

These "problems" are definitely hypothetical though. They can be
easily avoided with encryption, signing, or the hash-based storage.


Jay McCarthy <jay at cs.byu.edu>
Assistant Professor / Brigham Young University

"The glory of God is Intelligence" - D&C 93

Posted on the users mailing list.