[racket-dev] sandbox and file-/directory-existence tests

From: Eli Barzilay (eli at barzilay.org)
Date: Mon Aug 19 16:49:28 EDT 2013

A few minutes ago, Sam Tobin-Hochstadt wrote:
> On Mon, Aug 19, 2013 at 4:34 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
> >
> > Is there a situation where allowing an arbitrary file- or
> > directory-existence test would be bad?
> 
> This all depends on how paranoid we want to be.  There are certainly
> situations when this will be bad -- it lets you determine who else
> has an account on a computer, for example.  But there are contexts
> where having GC be observable is a security hole as well, so we have
> to pick a spot on the continuum.

Getting some hacker-useful information from an observable GC time is
much harder than doing so from FS existence tests.  Two quick
examples:

  * On a unix machine, check if there's a /tmp/shadow file -- if there
    isn't then you have a machine that is a potential gold mine for
    hackers.

  * On a windows machine you can use some network drive or a drive of
    some random device for a kind of a local DOS attack.

(There's probably a lot of similar things that are much more
sophisticated; probe attacks in general are very common now.)

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!
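As an added illustration (not code from this thread), here is the mechanism a sandbox would lean on to stop such probes: a Racket security guard that denies `file-exists?`/`directory-exists?` outside an allowlisted directory. It assumes the running Racket reports existence checks to the file guard with the `'exists` mode; the allowlist and the probed path are constructed sample values.

```racket
#lang racket/base
(require racket/path racket/string)

;; Directories whose existence probes are permitted (constructed sample:
;; only the system temp dir).
(define allowed-roots (list (find-system-path 'temp-dir)))

;; Normalize both paths (resolves "..") and compare as string prefixes.
(define (allowed? path)
  (define p (path->string (simple-form-path path)))
  (for/or ([root (in-list allowed-roots)])
    (string-prefix? p (path->string (simple-form-path root)))))

;; File guard called by the runtime before every filesystem operation.
;; `modes` is a list of symbols such as '(exists), '(read) or '(write);
;; only existence probes outside the allowlist are refused here.
(define (file-guard who path modes)
  (when (and path (memq 'exists modes) (not (allowed? path)))
    (raise (exn:fail:filesystem
            (format "~a: existence probe denied for ~a" who path)
            (current-continuation-marks)))))

;; Child guard of the current one; network access is left untouched.
(define probe-guard
  (make-security-guard (current-security-guard)
                       file-guard
                       (lambda (who host port client?) (void))))

;; Run an existence test under the guard and classify the outcome.
(define (probe path)
  (parameterize ([current-security-guard probe-guard])
    (with-handlers ([exn:fail:filesystem? (lambda (e) 'denied)])
      (if (file-exists? path) 'exists 'missing))))

(module+ main
  ;; Outside the allowlist: the probe is refused, so the caller learns
  ;; nothing about whether the file is there.
  (printf "/etc/shadow -> ~a\n" (probe "/etc/shadow"))
  ;; Inside the allowlist: the ordinary exists/missing answer comes back.
  (printf "temp-dir probe -> ~a\n"
          (probe (build-path (find-system-path 'temp-dir) "nonexistent"))))
```

The same guard shape is what `racket/sandbox` installs under an evaluator; the point is that existence queries are a distinct mode the guard can refuse independently of read access.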

Posted on the dev mailing list.