[racket-dev] sandbox and file-/directory-existence tests

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Mon Aug 19 21:08:33 EDT 2013

Thanks! Instead of changing 'exists permissions, I think I found the
right approach to moving the computation so that it doesn't interact
with the sandboxes.

At Mon, 19 Aug 2013 16:49:28 -0400, Eli Barzilay wrote:
> A few minutes ago, Sam Tobin-Hochstadt wrote:
> > On Mon, Aug 19, 2013 at 4:34 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
> > >
> > > Is there a situation where allowing an arbitrary file- or
> > > directory-existence test would be bad?
> > 
> > This all depends on how paranoid we want to be.  There are certainly
> > situations when this will be bad -- it lets you determine who else
> > has an account on a computer, for example.  But there are contexts
> > where having GC be observable is a security hole as well, so we have
> > to pick a spot on the continuum.
> 
> Getting some hacker-useful information from an observable GC time is
> much harder than doing so from FS existence tests.  Two quick
> examples:
> 
>   * On a unix machine, check if there's a /tmp/shadow file -- if there
>     isn't then you have a machine that is a potential gold mine for
>     hackers.
> 
>   * On a windows machine you can use some network drive or a drive of
>     some random device for a kind of a local DOS attack.
> 
> (There's probably a lot of similar things that are much more
> sophisticated; probe attacks in general are very common now.)
> 
> -- 
>           ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
>                     http://barzilay.org/                   Maze is Life!

Posted on the dev mailing list.