Conversation with #inferno at Wed Jun 11 17:24:25 2014 on powerman@chat.freenode.net (irc)
(17:24:25) #inferno: Topic for #inferno set by mennis at 17:30:16 on 12/28/09
(17:25:00) norayr: ok let me repeat the last messages for you.
(17:25:08) norayr: (06:25:51 ) norayr: So it should be possible to mov something to another process's address space and exploit it.
(17:25:08) norayr: (06:25:53 ) norayr: Or not?
(17:25:08) norayr: (06:25:56 ) norayr: that's my question.
(17:25:49) norayr: or maybe I don't understand inferno well enough.
(17:26:11) norayr: how protection works in a single address space system.
(17:26:57) powerman1: I've read the dis spec years ago, so I don't remember how it addresses things - is control over available pointers done by the limbo compiler or by dis.
(17:27:24) norayr: it has instructions like regular RISC asm has. With let's say mov.
(17:28:28) norayr: So I guess it's possible to mov something to another process's memory and exploit it.
(17:28:36) qrstuv: it is
(17:28:48) norayr: Limbo protects from that as a language. But does dis?
(17:29:06) norayr: qrstuv: really? hmmm.
(17:29:23) norayr: norayr: I had a hope that it's not. actually.
(17:29:30) qrstuv: there's a dis assembler if you want to play around
(17:29:34) powerman1: norayr: the implementation of DIS opcodes is in /libinterp/xec.c, so you can check it
(17:31:41) qrstuv: it's not much different from commodity operating systems
(17:32:00) powerman1: at a glance you operate with special data structs, generated by other dis opcodes (like NEW)
(17:32:15) qrstuv: there's always something untrusted code can exploit
(17:32:28) powerman1: which probably means you can only access memory which was returned to you by other dis opcodes
(17:32:42) qrstuv: dis just admits as much up front
(17:33:10) powerman1: and I think this may be enough to protect against attempts to access random memory
(17:34:29) powerman1: norayr: so, my bet is everything should be safe ☺
(17:38:41) qrstuv: the solution is to not run untrusted code
(17:38:55) qrstuv: or not run anything from an untrusted compiler
(17:39:36) qrstuv: dis has module signing which can help with that sort of thing
(17:40:15) norayr: ok, your answers differ, as I understand.
(17:40:28) norayr: But anyway, yes, I was thinking about not running untrusted code as a solution.
(17:40:44) norayr: Will think more, and research more, and maybe we'll talk about it again.
(17:40:53) norayr: thank you all.
(17:40:58) qrstuv: it's been a while since i looked at this stuff, so i could be wrong
(17:43:31) norayr left the room (quit: Quit: Leaving.).
(17:45:56) powerman1: qrstuv: yeah, I may be wrong too, but in xec.c I didn't see OPs which may modify pointers (like add something to a pointer), so I suppose it should be safe
(17:46:09) powerman1: at least it looks this way at a glance
(17:47:59) powerman1: while dis opcodes work only with pointers returned by dis opcodes (i.e. either NEW or chan recv) it should be safe
(17:49:07) qrstuv: yeah, but a malicious compiler can generate whatever pointer ops it needs
(17:49:51) powerman1: I don't think .dis contains actual structs with pointers inside
(17:50:59) qrstuv: i don't know what you mean
(17:52:15) powerman1: I mean a malicious .dis may contain only opcodes like "create new array and save it into this register/variable" but not the actual struct which describes that pointer to the array
(17:52:21) qrstuv: you can address whatever you want relative to mp or fp
(17:56:37) powerman1: I don't think so. Addresses relative to mp/fp should be in REG.d, and I don't think you can put any value there. At a glance values for REG.d are provided by dis and always point to some existing thing.
(17:58:52) qrstuv: what's stopping you from putting whatever you want there?
(17:59:59) powerman1: qrstuv: there is no dis OP to set .d to a user-provided value
(18:00:11) qrstuv: right, but you don't need that
(18:00:20) qrstuv: you just generate the malicious dis code
(18:01:30) powerman1: even malicious dis code will contain only existing dis OPs and registers/vars, it can't contain a pre-filled value of some REG struct
(18:01:52) powerman1: i.e. that code can't contain a hardcoded value for .d
(18:03:11) powerman1: which means it'll have to call some OPs to get .d values, and won't be able to freely change them after that - only use them as is
(18:06:04) powerman1: hmm. need to check how access to constants is implemented in .dis
(18:07:01) powerman1: if constants are stored in .dis as a prepared struct with pointers inside then these pointers may be modified by editing .dis
(18:08:00) powerman1: but if these structs are initialized while loading .dis (most likely case) then everything should be safe
(02:00:13) qrstuv: apparently sys->announce has been broken for decades and no one ever noticed
(02:00:22) qrstuv: but dial->announce gets it right
(02:01:57) qrstuv: /emu/port/dial.c:/^nettrans doesn't account for namespaces like at /appl/lib/dial.b:/^nettrans/+/redir
(02:03:25) qrstuv: though sys->announce, ->dial, and ->listen really just need to be removed altogether
(02:30:07) powerman1: probably they're still used by some apps, or charles thinks they may be used, and thus didn't remove them
(02:30:48) qrstuv: they're still used all over
(02:31:12) qrstuv: by listen(1) most prominently
(20:08:42) qrstuv: here's the fix from plan 9: http://www.9paste.net/none/315-872-9640
(22:48:05) qrstuv: http://www.9paste.net/qrstuv/trampoline.b
(22:48:25) qrstuv: maybe i could have combined listen, dial, and cat to do the same thing, but i couldn't figure it out