| From | "Rod Pemberton" <do_not_have@notemailnotq.cpm> |
|---|---|
| Newsgroups | comp.lang.forth |
| Subject | Re: WWW-safe Forth? |
| Date | 2013-07-12 03:31 -0400 |
| Organization | Aioe.org NNTP Server |
| Message-ID | <krob4u$43g$1@speranza.aioe.org> |
| References | (9 earlier) <a46aa97a-faa0-4dfc-a7c7-1caed4f765fc@googlegroups.com> <kredus$lsg$1@speranza.aioe.org> <9P-dnY5wTdNgtkbMnZ2dnUVZ_ridnZ2d@supernews.com> <krhtud$65r$1@speranza.aioe.org> <WI2dncHJ98zEFUHMnZ2dnUVZ_oudnZ2d@supernews.com> |
"Elizabeth D. Rather" <erather@forth.com> wrote in message
news:WI2dncHJ98zEFUHMnZ2dnUVZ_oudnZ2d@supernews.com...
> On 7/9/13 11:09 AM, Rod Pemberton wrote:
> But you also need to know a little more about the nature of
> Forth and the sealed vocabulary mechanism I'm proposing.
> For example, how would a hacker find out the names and
> locations of insecure words that are not in the public wordlist?
I already mentioned a few. ' (tick) -ing words to find address
ranges of XTs. Shotgunning XTs. Assumptions about memory
locations of dictionaries and vocabularies, i.e., before, after, or
near the current one.
> Every implementation does these underlying things
> differently, so the names would be different, and every
> specific platform would put them at different locations.
> Assume DUMP is not available (which it wouldn't be in
> this scenario)?
The hacker is only trying to breach one.
> You've just described a common scenario for hacking a C program.
> Now, consider a Forth system in which only a limited subset of
> words are visible in the wordlist. These do not include DUMP or
> any access to code space, and limited access to data space. You
> do not know the implementation strategy (e.g. ITC, optimized
> code, etc.). And the implementer is too smart to use C strings
> because he knows they're vulnerable. So, what kind of hack are
> you concerned about?
If I were a hacker, whatever I can find or come up with to crash
the system, trash the system, transfer execution to my code, etc.
Can I , (comma) into the dictionary? (i.e., place to store machine
code)
Can I ALLOT space in the dictionary?
Can I access HERE or DP?
Can I store to memory? (i.e., place to store machine code)
Can I store in PAD?
Can I store in TIB?
Can I store in VARIABLEs?
Can I store into CONSTANTs?
Can I store in the dictionary?
Can I use CMOVE , CMOVE>, or MOVE ?
Can I use SP@ SP! RP! RP@ to allot stack space?
Can I input and store text with S" ." or C" in a definition?
Can I input text via KEY , ACCEPT , EXPECT, QUERY? (i.e., directly
enter machine code as text)
Can I determine the address of the screen location where text is
displayed? (i.e., to transfer execution there)
Can I emit strings or hex? (i.e., look for things ...)
Can I change input or output streams? (e.g., change where written
or what is read)
Can I change input or output devices?
Can I obtain XTs by FIND ? (i.e., Forth code to execute)
Can I obtain XTs by ' (tick) ?
Can I start a colon definition?
Can I obtain an XT by a :NONAME definition?
Can I start a definition via CREATE ?
Can I use ; (semicolon) without : (colon)?
Can I redefine : (colon) and ; (semicolon)?
Are words that could use , (comma) available for abuse?
(e.g., COMPILE [COMPILE] COMPILE, POSTPONE )
Are words which could use ' (tick) available for abuse?
(e.g., FIND TO [COMPILE] ['])
Are words which could use CREATE available for abuse?
(e.g., CONSTANT VARIABLE 2CONSTANT 2VARIABLE VALUE SET DEFER)
Can I find a range of XTs by using ' (tick) against the first and last
dictionary entry?
Can I find XTs by shotgunning or picking random addresses?
Can I guess XTs?
Can I guess where other dictionaries are located? (i.e., prior,
after, near...)
Can I create CODE words?
Can I mark words as IMMEDIATE? (i.e., to ensure they execute)
Can I execute Forth words directly?
Can I execute Forth words via their XT? e.g., EXECUTE
Can I execute Forth words by changing STATE ?
Can I execute Forth words by changing their immediacy?
Can I execute Forth words by using [ and ] inside definitions?
Can I transfer execution to Forth words via >R ?
Can I transfer execution to machine code via , (comma) to a CFA
field?
Can I transfer execution to machine code via CREATE ?
Can I transfer execution to machine code via DOES> ?
Can I transfer execution to machine code via CODE words?
Can I overflow the data stack?
Can I underflow the data stack?
Can I overflow the return stack?
Can I underflow the return stack?
Can an underflow or overflow allow me to transfer execution to
machine code?
Can an underflow or overflow allow me to exit the Forth environment
to the host OS, if not Forth?
Can I use SP@ SP! RP! RP@ to cause an under/overflow?
If I can't execute a word interactively or use EXECUTE, can I still
compile ( [COMPILE] COMPILE COMPILE, ) or comma or
POSTPONE the word in a definition and have it execute?
Are there unmatched return stack operations? (i.e., to pop or push
data to the return stack. e.g., can I abuse >R R> R@ 2>R 2R>
2R@ I J K UNLOOP ?DO LOOP EXIT by using them incorrectly
or in the wrong order to push or pop return stack values?)
Can I use mismatched control flow words to patch an XT or
address or offset into a branch or conditional branch? (i.e.,
use "unbalanced" IF THEN ELSE BEGIN AGAIN UNTIL AHEAD
WHILE REPEAT to transfer execution to an arbitrary value on
the data stack)
Can random combinations of QUIT ABORT COLD BYE etc. cause
the system to crash?
Is RECURSE implemented correctly so as to not cause a return/data
stack under/overflow?
Do DO LOOP ?DO LOOP+ work for all combinations and entry values?
(i.e., looking for a crash)
Are number to text routines safe with bad or non-existent base
values for BASE?
Can I overflow PAD TIB or the default text input buffer?
Does Forth, if non-OS, use buffered or unbuffered input? (i.e.,
escape codes available? i.e., OS or Forth input buffer large
enough)
[...]
As stated previously, there are only two things required to breach
a system, both of which are nearly impossible to prevent on a
computing platform designed to provide both:
1) ability to enter code, i.e., storage space
2) ability to execute the code, i.e., execute Forth words or
machine code
Unfortunately, Forth allows the ability to execute not one, but two
types of code: Forth code and machine code. All those questions above
pertain to both #1 and #2.
> Those are generalized assertions. My question is, how would
> you approach doing any of these things in the Forth I described
> above?
>
> [...]
>
> How would you even know whether the Forth calls the OS, or
> whether there is an OS (vs. a native Forth)? All you're doing is
> asserting that it's possible, without any clue how.
You can't know all possible attack vectors. That's the problem.
> Unless you can look at actual potential attack strategies, it's
> impossible to have a fruitful discussion of possible defenses.
Then, you'd never discuss security at all with anyone at any time.
> >> [SNIP, revisit SMUDGEd XT]
> >
> > In the snipped portion of the conversation, you asked about
> > how a user would find an XT that's hidden. Well, I mentioned
> > shotgunning, i.e., testing a range of values assumed to be
> > correct, based on the first and last WORDS in a dictionary.
> > But, an XT could also be known in advance. E.g., I have
> > gforth-itc v0.7.0 installed on my system. It *ALWAYS*
> > returns an XT for BYE of 416128432. This is true even
> > with multiple windows. I can enter 416128432 directly
> > and type EXECUTE and BYE will EXECUTE.
>
> That assumes, first, that you know the Forth you're using is
> gforth-itc v0.7.0 and second, that EXECUTE is available to you.
> It's probable that neither is true. Certainly EXECUTE is one of
> the words that I would *not* include in a sandboxed Forth!
What about ' (tick)? What about IMMEDIATE? What about parts of
the inner interpreter for DTC/ITC Forth which execute words? What
about FIND? Well, many, many more... In fact, I mentioned all of
these in the large paragraph right under: "That's a good point that
execution is the problem." up a post or two.
https://groups.google.com/d/msg/comp.lang.forth/gTdeGO2QdG0/dnwhHJGPaVwJ
> It's probable that neither is true.
It's extremely probable that the hacker can identify the OS before
attacking it. A good Forth hacker with experience in different
Forths should be able to tell which Forth he's hacking too, at
least a large percentage of the time. E.g., bigForth works
differently in regards to ALLOT as compared to other Forths. Some
Forths have TIB. Some don't. Ditto for DP LIT PAD. Some are
Forth 83. Some Forth 79. Some ANS. What is the size of a cell?
There are many characteristics that are different. If the Forth is
ANS, which additional wordsets does it support? Which ANS words
are missing? etc.
> The question was, how would you make a "sandboxed" Forth
> available on the internet.
I listed eight things in my first post to this thread for making
Forth more secure. I also provided links to a secure Linux, a
secure microkernel, and a Linux virtual machine that could be used
for sandboxing.
https://groups.google.com/d/msg/comp.lang.forth/gTdeGO2QdG0/MFpdCCpqADUJ
But, to answer your question:
Simple. Put one up.
Do you want a secure "sandboxed" Forth? Forget it.
Lock it down as tight as you can and hope for the best. I would
start with *both* the secure microkernel and the Linux that
supports virtual machines. Then, I'd go through the other eight
items on securing Forth. However, to make Forth secure, you end up
with two problems, both previously mentioned: you can't eliminate
everything you need to or the system won't function, and you can't
identify all potential breaches in advance as you need to.
Basically, you're depending on the idea that most hackers aren't
anywhere near as brilliant as Einstein was. If Einstein was a
hacker, would any system be secure? If the answer to that is:
"No.", then no system is secure. If that's the case, then the
goals change:
1) increasing the difficulty of effecting a break
2) prolonging the time it takes to breach
3) figuring out how to minimize damage if there is a breach
> We have a bunch of considerations already, including a
> limited, sealed vocabulary whose words can only directly access
> an authorized region of data space. Assuming that all the user
> knows is the url to access it, it's reasonable to assume that the
> user would also have a very hard time finding out what version
> of Forth, what implementation strategy, under what OS, or any
> other features that would clue you in to a vulnerability. For all
> you know, it isn't even an x86 underneath.
The OS can be determined before ever connecting to the
"sandboxed" Forth. Most network testing tools can do this.
Rod Pemberton
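The sealed-vocabulary design argued over in this post, reduced to a toy interpreter as an added illustration that is not part of the thread or of any Forth discussed in it: the public wordlist omits ' (tick), FIND, EXECUTE and the compiling words, every @ and ! is bounds-checked against an authorized data region, and stack underflow or overflow is reported instead of crashing, so the "raw XT then EXECUTE", unbounded store and stack-abuse questions above each get a definite refusal. SealedForth, refusal, DATA_CELLS and STACK_DEPTH are constructed names for this example.

```python
DATA_CELLS = 64     # authorized user data region, in cells (constructed size)
STACK_DEPTH = 32    # data stack limit: overflow is reported, not a crash

class SandboxError(Exception):
    """Raised for anything the sealed Forth refuses to do."""

class SealedForth:
    def __init__(self):
        self.stack, self.data = [], [0] * DATA_CELLS
        # The sealed public wordlist: the only names the user can resolve.
        # ' (tick), FIND, EXECUTE, the compiling words and an unbounded !
        # are not in it, so a bare number can never be turned into an XT.
        self.words = {
            "+": lambda: self.push(self.pop() + self.pop()),
            "-": lambda: self.push(-self.pop() + self.pop()),
            "drop": self.pop,
            "!": self._store,
            "@": self._fetch,
        }
    def push(self, value):
        if len(self.stack) >= STACK_DEPTH:
            raise SandboxError("data stack overflow")
        self.stack.append(value)
    def pop(self):
        if not self.stack:
            raise SandboxError("data stack underflow")
        return self.stack.pop()
    def _checked(self, addr):
        # Every @ and ! passes through here, so user code can only touch the
        # authorized data region, never code space, the stacks or the TIB.
        if not 0 <= addr < DATA_CELLS:
            raise SandboxError("address %d outside authorized region" % addr)
        return addr
    def _store(self):   # ( x addr -- )
        addr = self._checked(self.pop())
        self.data[addr] = self.pop()
    def _fetch(self):   # ( addr -- x )
        self.push(self.data[self._checked(self.pop())])
    def run(self, line):   # interpret one line; returns a copy of the stack
        for tok in line.split():
            if tok.lower() in self.words:
                self.words[tok.lower()]()
            else:
                try:
                    self.push(int(tok))   # numbers are only ever data
                except ValueError:
                    raise SandboxError("%s is not in the public wordlist" % tok)
        return list(self.stack)

def refusal(line):   # the sandbox's refusal message for one line, or None
    try:
        SealedForth().run(line)
        return None
    except SandboxError as err:
        return str(err)
```

With this structure a guessed XT such as the one quoted above is just a number on the stack, and the word that would consume it is unresolvable, which is the property the sealed wordlist is meant to give.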