Re: [ease-dev] Verify script before execution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [ease-dev] Verify script before execution

From: Christian Pontesegger <christian.pontesegger@xxxxxx>
Date: Mon, 1 Aug 2016 21:32:56 +0200
Delivered-to: ease-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/ease-dev>
List-help: <mailto:ease-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/ease-dev>, <mailto:ease-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/ease-dev>, <mailto:ease-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Hi Varun,

I was thinking a lot about scripts, signatures and possibilities to inject code lately. There are so many sources a script could come from that we will need a more elaborate model for this in the future. However this was not planned as part of your GSoC assignment, so the proposed code sample is perfectly fine. In future we will need some whitelist scheme where users may enter sites/locations from which they accept scripts from.

Not sure about scripts with altered content and if we should ignore this. Think of a user that gets a signed script and starts altering it to his needs. He will quite likely not touch the signature on each file change but the script might still refuse to run due to an invalid signature. I'd say we will simply try this out and wait until we have more experience with signed scripts and how they get used.

Christian

On 07/31/2016 08:56 PM, Varun Raval wrote:

Hi Christian,

I uploaded patch [1] which shows implementation of VerifySignature class to perform verification of remote files.

This patch contain class SignatureCheck which contain method canExecute. Depending upon return value, we can chose to execute/not execute remote script. It takes into account preference while computing result.

I am taking two kinds of files while performing check. Script on remote server and script on local machine.

Following is the flow within canExecute method

if script is a remote

if can execute remote without signature (depending upon preference)

if signature is not present

return true

else (signature is present)

check for signature

else

check for signature

else (script is local)

if can execute local script without signature (depending upon preference)

if signature is not present

return true

else (signature is present)

check for signature

else

check for signature

What should happen when user has set preferences for executing script without signature and scripts is containing signature? In cases when signature is present and file is modified, it is more harmful than scripts that don't contain signature at all because, here we are catching a possible malicious intent.

For this reason, I have placed a check for signature even when user has specified via preference to execute files that don't contain signature but script contain signature.

[1]: https://git.eclipse.org/r/#/c/78230/

Thanking you,

--

Varun Raval
_______________________________________________
ease-dev mailing list
ease-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/ease-dev

References:
- [ease-dev] Verify script before execution
  - From: Varun Raval

Prev by Date: [ease-dev] Sign and Verify Script
Next by Date: [ease-dev] Jupyter Kernels dependencies
Previous by thread: [ease-dev] Verify script before execution
Next by thread: [ease-dev] Jupyter Kernels dependencies
Index(es):
- Date
- Thread

Breadcrumbs