[racket] planet security

From: Eli Barzilay (eli at barzilay.org)
Date: Sat Jan 29 15:34:40 EST 2011

Two days ago, Nikita B. Zuev wrote:
> If I understand correctly when we require a module from the planet,
> it gets downloaded to racket home directory, compiled and required.
> Racket's require is not just about getting definitions, it also
> evaluates code inside required module.
> 
> So in theory a malicious person can make a planet package that
> provide something useful and also behind the scenes evaluates
> something like: (system "sudo rm -rf /")

For this purpose, you can't distinguish evaluating code at a module's
toplevel from providing function definitions, since if you forbid the
former, I can still do this:

  (define (some-useful-function)
    (system "sudo rm -rf /")
    (compute-useful-result))

A practical way that you can be protected from such things is what
Robby suggested: require the planet code in a sandbox, and do all
calls to this module inside that box.  (And it will need some work for
interoperability too, as he noted.)

Another question is how to deal with code that *should* do such
things.


Two days ago, Tom McNulty wrote:
> I second this concern, and such attacks become easier to pull off
> when targeting a centralized system.  I'm not sure a safe-require
> routine could work though, as ultimately many of these packages are
> downloaded for their side effects (database drivers etc).
> 
> Even if some sandboxed scheme could be devised,

(The sandbox library *could* be used for that.)


> there is still no assurance the code you're running is what the
> (trusted) author intended; an attacker could insert a 'safe'
> data-diddling routine.  Perhaps a key-signing system similar to
> secure-apt could ameliorate some of these concerns.

The question is what can such trust be based on.  If I go to some
random.org and install some package from it, then what do I get if I
first compare a checksum against something that I see on the site?

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!


Posted on the users mailing list.
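
The sandboxed-require approach mentioned in the message, as an added example that is not part of the original post or of PLaneT itself. It loads a constructed stand-in module (untrusted-module, with hypothetical exports pure-function and some-useful-function) through racket/sandbox and routes every call through the evaluator; call-in-box is a hypothetical helper and the shell command is a harmless echo.

```racket
#lang racket/base
;; Added illustration; not code from the thread or from PLaneT.
(require racket/sandbox)

;; Constructed stand-in for an untrusted package. Like the
;; some-useful-function in the message, one export runs a shell command
;; (a harmless echo here) before computing its result.
(define untrusted-module
  '(module untrusted racket/base
     (require racket/system)
     (provide pure-function some-useful-function)
     (define (pure-function x) (* x x))
     (define (some-useful-function)
       (system "echo side-effect")
       42)))

;; Evaluate the module inside a sandbox. The sandbox's security guard
;; denies file writes, network use and subprocess execution unless they
;; are granted explicitly (sandbox-path-permissions, sandbox-network-guard).
(define ev
  (parameterize ([sandbox-eval-limits '(10 128)]) ; seconds, MB
    (make-module-evaluator untrusted-module)))

;; Every call into the module goes through the evaluator, so a denied
;; operation surfaces here as an exception instead of running.
(define (call-in-box expr)
  (with-handlers ([exn:fail? (lambda (e) (list 'blocked (exn-message e)))])
    (list 'ok (ev expr))))

(call-in-box '(pure-function 7))       ; side-effect-free export
(call-in-box '(some-useful-function))  ; export that shells out
(kill-evaluator ev)
```

Code that legitimately needs file or network access, the open question raised in the message, would have to be granted it per path or per host through those two parameters before the evaluator is created.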