Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re: Is this code secure, can I test it on my machine?

by Xilman (Hermit)
on May 23, 2010 at 09:31 UTC ( [id://841246]=note: print w/replies, xml ) Need Help??


in reply to Is this code secure, can I test it on my machine?

I keep saying this, on PerlMonks and elsewhere, but the message still doesn't seem to be widely understood: evaluating security is very difficult in the absence of an explicit threat model. What do you consider to be the threats? Against what type of attacker, with what resources available to them, are you attempting to protect what kind of assets? What is the value of your assets to you and what is the expected value of your assets to the attacker? How much are you prepared to spend in order to protect your assets?

Once you have a threat model, you are in a position to evaluate the costs and benefits of performing a security analysis. Until then, you can only go on guided guesswork and try to avoid the simple pitfalls with low-cost countermeasures. With that in mind, the following material consists only of a few general principles to consider in addition to the items you've already mentioned.

Any output could be dangerous. Consider, for example, what would happen if the code rewrote your kernel, your password database, the binaries of your critical utilities ...

Some input could be dangerous (keyboard grabbers, password database, PKCS private keys ...) if the utility could later hijack a communications mechanism to leak the secrets. Note that the output channel need not be obvious --- there are any number of ways of setting up a covert channel.

A commonly used environment for testing security properties of software is to run it in a sandbox where it can't easily do as much harm as running it on a production system. For example, download the package onto a local machine but do not install it there. Fire up a virtual machine, ensuring the VM has no connection with any other system, including its host's filesystem and network. Then install the package on the VM and see what happens. Note that this approach will not detect all security vulnerabilities, not least because it depends critically on the "see what happens" stage. Nonetheless, it tends to pick up quite a few of the more obvious attacks.

Paul

  • Comment on Re: Is this code secure, can I test it on my machine?

Replies are listed 'Best First'.
Re^2: Is this code secure, can I test it on my machine?
by szabgab (Priest) on May 23, 2010 at 10:21 UTC
    "threat model"

    Well, I understand that I should explicitly state what do I consider as a threat and what not but that in itself is to difficult for me now. Besides when I am asked if this code can be trusted, usually the person who asks this has even less understanding than I do. Which, you might guess, is really little.

    So I go back thinking about the issue at hand.

    I guess we have an advantage here that we have the source code so we don't necessarily need to check the behavior. We can check the source code.

    In the code that raised the whole question one of the modules only contains some variables. most of the code is just looks like this: 

    # number of carnivores in the beginning
    $NUM_CARNIVORES = 30;

    [download]
    I am not a security expert but I think we can easily agree that such code in itself cannot be dangerous even though we are talking about carnivores here.

    That means if I want to evaluate the code - regardless of my threat model or lack of it I can disregard those line when I am checking the source code.

    OTOH if I see code like this: 

    use Carnivores;

    [download]
    that should immediately raise the red flag and tell me to look for the Carnivores.pm file to see what dangers might lurk in there.

[reply]
[d/l]
[select]
      Well, I understand that I should explicitly state what do I consider as a threat and what not but that in itself is to difficult for me now. Besides when I am asked if this code can be trusted, usually the person who asks this has even less understanding than I do.
      That's easy. In that case, the answer is No, I cannot trust the code. You just don't have enough information. Even if you do have perfect knowledge of the third party code, you still don't know enough of your own system.

      Suppose the code you're looking at contains something like this: 

      use Fcntl ':flock';
my $lockfile = "/var/lock/frobnitz";
open $lh, "+<", $lockfile or die $!;
flock $lh, LOCK_EX or exit;
sleep 600;
exit;

      [download]
      Harmless? Probably. Unless you have another program running that uses /var/lock/frobnitz for locking - that one will be blocked for 10 minutes.
[reply]
[d/l]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://841246]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others cooling their heels in the Monastery: (2)
As of 2024-04-16 23:45 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found