From: Helmut Eller on
* Frode V. Fjeld [2010-01-20 10:13+0100] writes:

> Helmut Eller <eller.helmut(a)gmail.com> writes:
>
>> Tell me your implementation and I'll show how to modify v1.
>
> Tell me your flavor of unix and I'll show you how to modify another
> process. Here's an example form the machine I'm sitting at now:
>
> frode(a)shevek:~$ sleep 1000 &
> [1] 21184
> frode(a)shevek:~$ ll /proc/21184/mem
> -rw------- 1 frode frode 0 2010-01-20 09:47 /proc/21184/mem
>
> My point is, in all security problems you have to be explicit about what
> the threat you're protecting against is.

But Unix at least makes a try, by forcing all programs to use syscalls
and can refuse to execute some.

That was simply not possible on Lisp Machines; everybody could call and
modify every function.

> Typical linux desktops today have two security domains: "root" and some
> user. Root privileges are if I'm not mistaken required only to do
> permanent damage to the system as such (i.e. ruin the file-system other
> than /home). Note that in at least one sense this is the least
> protection-worthy part of the system because you can always download a
> new OS CD and reinstall it.

Still, you don't want to allow the bad guys to install key-loggers by
modifying libc and the like.

> (Of course I know there are other issues
> involved, but I'm making a one-sided argument here..) Most MS-windows
> desktops don't even bother with this protection, and provide the user
> with administrator privileges.

From a security point of view, it would be better to minimize
privileges. Windows at least has some support for that while Lisp
Machines has nothing to offer in this regard.

> If you have user privileges you can still read and write *everything*
> you (qua user) have on disk and in memory, so privacy is out, and safety
> is out.

So you are saying Unix's security model is bad. What then is the Lisp
Machine model? Very bad?

> I'm not saying there aren't advantages to the inter-process safety
> that e.g. linux provides, but it's not absolute safety, and these
> things do crash, and I suspect there is a heavy, heavy cost in terms
> of usability (for sure) and performance (perhaps) incurred by this
> safety model.

All true, but I still think that isolation is very desirable feature and
the cost seems quite bearable in the Unix case.

Helmut
From: Pascal J. Bourguignon on
Helmut Eller <eller.helmut(a)gmail.com> writes:

> * Pascal J. Bourguignon [2010-01-19 21:24+0100] writes:
>
>> So you can happily use an OS written in lisp, without a hardware MMU.
>>
>> (let ((v1 (vector 1 2 3)))
>> (defun f (x)
>> (if (<= 0 x 2) (aref v1 x))))
>>
>> (defun g (v i)
>> (setf (aref v i) 0))
>>
>> There is no way to call g so that it modify v1: there is isolation in lisp!
>
> Tell me your implementation and I'll show how to modify v1. Since all
> current cl implementations use in-process debugging, it pretty easy to use
> the debugging facilities to extract v1 from the closure stored in F's
> function slot. E.g. for CLISP, which seems your favorite
> implementation, you could do:
>
> (compile 'f)
> (setq vv (aref (nth 2 (sys::closure-consts #'f)) 1))
> (g vv 1)
> (f 1) => 0

Yes, but look at what you had to do here! You had to use a function
from SYS. It is easy enough to forbid such a access, thus rendering
the system safe.

--
__Pascal Bourguignon__ http://www.informatimago.com/
From: Pascal J. Bourguignon on
Scott Burson <fset.slb(a)gmail.com> writes:

> On Jan 19, 12:24 pm, p...(a)informatimago.com (Pascal J. Bourguignon)
> wrote:
>>
>> There is no way to call g so that it modify v1: there is isolation in lisp!
>
> But not on the LispM, which had subprimitives (with names like SI:%P-
> CONTENTS-OFFSET if memory serves) to read and write arbitrary
> locations within any object, and which were not bounds-checked either.

Again, you had to use the specific SI package, which can be prevented
easily enough.


--
__Pascal Bourguignon__ http://www.informatimago.com/
From: Frode V. Fjeld on
Helmut Eller <eller.helmut(a)gmail.com> writes:

> * Frode V. Fjeld [2010-01-20 10:13+0100] writes:

>> My point is, in all security problems you have to be explicit about
>> what the threat you're protecting against is.

>> Helmut Eller <eller.helmut(a)gmail.com> writes:

> But Unix at least makes a try, by forcing all programs to use syscalls
> and can refuse to execute some.
>
> That was simply not possible on Lisp Machines; everybody could call
> and modify every function.

So, again, what exaxctly is the thread model here? You can argue that
some minimally modified lisp system also "makes a try" by some package
access scheme or whatever. What do you mean "can refuse to execute
some"? In the example I showed you, there's nothing preventing me from
bitbanging that process however I want, and the only reasonable
interpretation of "can refuse" I can see is where you apply some
extra-paranoid kernel patch to disallow this.

> Still, you don't want to allow the bad guys to install key-loggers by
> modifying libc and the like.

What is the essential difference between this and all the things that
can be done with "mere" user access?

> From a security point of view, it would be better to minimize
> privileges. Windows at least has some support for that while Lisp
> Machines has nothing to offer in this regard.

It is true that lisp machines have very little to offer anyone (in
concrete terms) today. We (or I) are trying here to establish precisely
what this support that windows/unix provides is.

> So you are saying Unix's security model is bad. What then is the Lisp
> Machine model? Very bad?

I'm not saying that unix's model is necessarily bad, I'm saying that
the difference between that and that of the lisp machines is perhaps not
as big as one perhaps initially things. In particular in the context of
personal desktop systems.

> All true, but I still think that isolation is very desirable feature
> and the cost seems quite bearable in the Unix case.

I think the cost in terms of usability is possibly quite unbearable. So
much software is so brittle and user-unfriendly it's downright
painful. In terms of performance the picture is more difficult to see, I
think.

--
Frode V. Fjeld
From: Helmut Eller on
* Frode V. Fjeld [2010-01-20 15:50+0100] writes:

> So, again, what exaxctly is the thread model here? You can argue that
> some minimally modified lisp system also "makes a try" by some package
> access scheme or whatever. What do you mean "can refuse to execute some"?

The Unix kernel can return EACCES "permission denied" instead of
executing the request.

> In the example I showed you, there's nothing preventing me from
> bitbanging that process however I want, and the only reasonable
> interpretation of "can refuse" I can see is where you apply some
> extra-paranoid kernel patch to disallow this.

If your process is executed as a different user than mine then you
aren't allowed to overwrite my /proc entries. You can also not
overwrite kernel memory and in particular not the parts which implement
access restrictions.

>> Still, you don't want to allow the bad guys to install key-loggers by
>> modifying libc and the like.
>
> What is the essential difference between this and all the things that
> can be done with "mere" user access?

Users can execute (access) stuff in libc but can not overwrite it.

>> From a security point of view, it would be better to minimize
>> privileges. Windows at least has some support for that while Lisp
>> Machines has nothing to offer in this regard.
>
> It is true that lisp machines have very little to offer anyone (in
> concrete terms) today. We (or I) are trying here to establish precisely
> what this support that windows/unix provides is.
>
>> So you are saying Unix's security model is bad. What then is the Lisp
>> Machine model? Very bad?
>
> I'm not saying that unix's model is necessarily bad, I'm saying that
> the difference between that and that of the lisp machines is perhaps not
> as big as one perhaps initially things. In particular in the context of
> personal desktop systems.

On the Lisp Machine, all memory was shared and readable and writable by
all processes, right? On Unix, the bulk of applications doesn't run in
kernel space. Seems quite a difference to me.

Considering that a whole industry is busy writing anti-virus programs
for those PCs, it seems that even a small improvement in the security
model could save a lot of money.

>> All true, but I still think that isolation is very desirable feature
>> and the cost seems quite bearable in the Unix case.
>
> I think the cost in terms of usability is possibly quite unbearable. So
> much software is so brittle and user-unfriendly it's downright
> painful. In terms of performance the picture is more difficult to see, I
> think.

Usability seems harder to measure than performance. I've the impression
that those Mac/iPhone using people are quite happy with usability.

Helmut