[e-lang] Versioning of E and Kernel-E

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Jul 25 13:15:14 EDT 2006 

Karp, Alan H wrote:
> MarkM wrote:
> 
>>The key to reducing cases is to have the result of
>>expansion/translation, no matter what the declared version, be fed
>>into the Kernel-E AST evaluator,

This is the important point.

>>and to have that evaluator itself be openly available.

This is not important; see below.

>>The declared version of source would only affect how
>>it expands to Kernel-E ASTs on a given version of E. Once expanded,
>>none of the further processing would be version dependent. By making
>>the evaluator itself openly accessible, if there's an security
>>vulnerability in the evaluator, it can be exploited anyway. Therefore,
>>there's no loss of security by putting these translating front-ends in
>>front of the evaluator.
> 
> I agree with this solution to the problem.  I'd just like to explain a
> bit about the vulnerability I was worried about.  My knowledge of E
> comes from the discussion with MarkM, so misundertandings are likely.
> 
> There are two steps involved in handling an imported object that concern
> me.  There is a version dependent expansion to Kernel-E and a version
> independent Kernel-E AST evaluator.  The expander is supposed to reject
> illegal E code.  However, due to a flaw, it might pass such a program.
> That program might be able to exploit a flaw in the Kernel-E AST
> evaluator.

Since Kernel-E (of a given version) is a strict subset of E (of the same
version), and a correct expander is supposed to be idempotent on E code
that is in that subset, any flaw in the Kernel-E AST evaluator would be
exploitable anyway, even if the Kernel-E evaluator were not directly
accessible.

Being able to declare the E version therefore does not give an attacker
any more opportunities than only being able to submit code in the current
version of E (given that the implemented version of Kernel-E is a subset of
the latter).

Note that the semantics of Kernel-E can change between versions (for
example to fix a security bug), and the above argument is not affected as
long as the expansion from the *current* version of E remains idempotent.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>

More information about the e-lang mailing list