[e-lang] A broken brand?
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Mar 13 10:00:05 EDT 2008
On Sat, 2008-03-01 at 23:38 -0800, David Wagner wrote:
> I've been reading the Caja spec. It includes an example of a brand
> implemented in Caja, using an implementation technique attributed to
> Marc Stiegler. I think I may have found an attack on it, and I was
> curious whether this was well-known.
[snip]
> It doesn't look too difficult to
> modify the brand to defend against the above attack (e.g., by resetting
> flag to false and squirrel to null before unseal() returns), although
> I haven't checked whether there are any other attacks.
Marc Stiegler's original implementation, to which I believe the
attribution in the Caja spec is referring, appears as part of his
"PictureBook of Secure Cooperation"
http://www.skyhunter.com/marcs/SecurityPictureBook.ppt
(BTW, someone really ought to wikify this thing on wiki.erights.org ...)
Examining the code reveals that it would not suffer from this
vulnerability. The original code in E:
def makeSealerUnsealerPair() {
    # Unique sentinel; also the initial value of the private slot.
    var shared := def none {}
    def sealer {
        to seal(obj) {
            # A genuine box can only deposit obj into this pair's slot.
            return def box { to share() { shared := obj } }
        }
    }
    def unsealer {
        to unseal(box) {
            shared := none
            try {
                box.share()               # only a genuine box of this brand sets shared
                require(shared != none)
                return shared
            } finally {
                shared := none            # clear the slot on every exit path
            }
        }
    }
    return [sealer, unsealer]
}
Here, "shared" takes on the role of both "flag" and "squirrel". "shared
== none" here is equivalent to "!flag" in the Caja version.
I believe that the "finally { shared := none }" ensures that this attack
would not succeed on this code.
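The sealer/unsealer pattern above, rendered in JavaScript as an added example (this is not the Caja spec's code, Marc Stiegler's code, or anything from the thread; the names makeSealerUnsealerPair, unsealFails and demo, the NONE sentinel and the constructed payload are this example's own). The demo exercises the properties the E code relies on: a round trip through one brand, rejection of a box from another brand, rejection of a forged box that never calls back, recovery after a forged box throws, and the effect of the finally clause when a forged box runs a nested unseal of a genuine box.

```javascript
'use strict';

// Added example: JavaScript rendering of the E makeSealerUnsealerPair above.
// Not the Caja spec's or Marc Stiegler's code; names are this example's own.
function makeSealerUnsealerPair() {
  // Unique sentinel, playing the role of `def none {}` in the E code.
  const NONE = Object.freeze({});
  // Private slot shared by sealer and unsealer; plays both "flag" and "squirrel".
  let shared = NONE;

  const sealer = Object.freeze({
    seal(obj) {
      // A genuine box can only deposit its payload into this pair's slot.
      return Object.freeze({ share() { shared = obj; } });
    },
  });

  const unsealer = Object.freeze({
    unseal(box) {
      shared = NONE;
      try {
        box.share();                 // only a genuine box of this brand sets `shared`
        if (shared === NONE) throw new Error('not a box of this brand');
        return shared;
      } finally {
        shared = NONE;               // clear the slot on every exit path
      }
    },
  });

  return [sealer, unsealer];
}

// Helper for the checks below: report whether unseal throws for this box.
function unsealFails(unsealer, box) {
  try { unsealer.unseal(box); return false; } catch (e) { return true; }
}

function demo() {
  const [sealerA, unsealerA] = makeSealerUnsealerPair();
  const [sealerB] = makeSealerUnsealerPair();
  const secret = { token: 'constructed sample payload' };   // constructed input
  const results = {};

  // 1. Round trip through the same brand returns the very same object.
  results.roundTrip = unsealerA.unseal(sealerA.seal(secret)) === secret;

  // 2. A box from brand B deposits into B's slot, not A's: A rejects it.
  results.crossBrandRejected = unsealFails(unsealerA, sealerB.seal(secret));

  // 3. A forged box that never calls back cannot set A's slot: rejected.
  results.forgedRejected = unsealFails(unsealerA, { share() {} });

  // 4. A forged box that throws leaves the slot clear (finally runs on the
  //    exceptional path too); a later genuine unseal still works.
  unsealFails(unsealerA, { share() { throw new Error('boom'); } });
  results.recoversAfterThrow = unsealerA.unseal(sealerA.seal(secret)) === secret;

  // 5. Re-entrancy: a forged box whose share() performs a nested unseal of a
  //    genuine box cannot ride on the nested deposit, because the nested
  //    call's finally empties the slot before the outer check runs.
  const genuine = sealerA.seal(secret);
  results.nestedDepositNotReused =
    unsealFails(unsealerA, { share() { unsealerA.unseal(genuine); } });

  return results;
}
```

Case 5 is the observable consequence of the finally clause: drop it and the outer call would return the object the nested call deposited, so every unseal, including one running inside an untrusted share(), must leave the slot empty on exit.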