Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Embed secure VM - Opt-Out File-IO #921

Open
frehberg opened this issue Jan 2, 2022 · 3 comments
Open

Embed secure VM - Opt-Out File-IO #921

frehberg opened this issue Jan 2, 2022 · 3 comments

Comments

@frehberg
Copy link
Contributor

frehberg commented Jan 2, 2022
edited

Using Gluon as secure embedded engine, for security reasons it should be possible to remove file-io capabilities from std-libraries of Gluon VM.
Also, any form of library for network IO or handling of sub-processes should be optional as well.
@Marwes
Copy link
Member

Marwes commented Jan 3, 2022

IO actions, invoking arbitrary rust code and debug functions (which is rust code that specifically circumvents iO) are the only ways to have side effects so in theory you can just disable IO https://docs.rs/gluon/0.18.1/gluon/trait.ThreadExt.html#method.run_io and thereby avoid any side effects.

@frehberg
Copy link
Contributor Author

frehberg commented Jan 3, 2022
edited

Ah, thanks, I will check the run_io feature.
Maybe, just a few ideas that came into mind:

  • Is there a way to restrict the modules that can be loaded via "import!" ? Would it be possible per VM instance to define a whitelist of modules an expression may load into symbol-space via "import!" ?
  • Is there a pool of system-threads being managed by a VM? Would it be possible to define an upper bound of system-threads an expression may create?
  • As for File-IO, would it be possible to define an interceptor trait, auditing the file-open (read-only/read-write) actions, or maybe enforcing file-IO to certain directory (root-directory) only. And maybe a similar interceptor trait for network-connects to well known remote hosts, and binding listeners to local IPs/network-interfaces.

@Marwes
Copy link
Member

Marwes commented Jan 3, 2022

Is there a way to restrict the modules that can be loaded via "import!" ? Would it be possible per VM instance to define a whitelist of modules an expression may load into symbol-space via "import!" ?

In theory, yes. import! is just a macro so it could be removed/replaced with something that does whatever you want (such as restricting possible imports). There may be code that assumes that the "correct import!" macro is in place though so it may not work out of the box.

Is there a pool of system-threads being managed by a VM? Would it be possible to define an upper bound of system-threads an expression may create?

No, https://gluon-lang.org/doc/crates_io/std/std/thread.html is rather primitive right now and has no support for limiting its use (other than not using it)

As for File-IO, would it be possible to define an interceptor trait, auditing the file-open (read-only/read-write) actions, or maybe enforcing file-IO to certain directory (root-directory) only. And maybe a similar interceptor trait for network-connects to well known remote hosts, and binding listeners to local IPs/network-interfaces.

No, same as for threading. You will have to prevent this modules use/replace it with our own.

@OfekShochat OfekShochat mentioned this issue Jan 9, 2022
Closed
@Marwes Marwes mentioned this issue Oct 25, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Marwes @frehberg