>>See attached. I am concerned with the method in the passive breakin
>>section . . .
>
> I hadn't even realized that it builds up a shell command
>based on what you tell it. That's bad news. Because "sanitizing" it
>generally means "trying to guess what stupidities the other guy
>might have pulled." That leads to an arms race to see who can
>come up with more stupid ideas faster. :)

This same issue has been faced with respect to `enabled mail'. This is
the ability to attach a program to a message such that the program will
be executed automatically when the message is processed. Contrary to your
(and my) first reaction, this can actually be done in a secure
fashion. There are two proposed systems, telescript and safe-tcl.
Telescript is a commercial product from General Magic, and safe-tcl is
a set of extensions and restrictions to the tcl language.

I've made several requests for technical information to General Magic,
but they've not responded. (Or rather, they've answered the phone and
said they'd send something, but nothing ever shows up. This seems to
be the general experience of anyone asking for technical data. If
you're listening, General Magic, I'd be happy to be proven wrong. If
you firewall people think I'm grumpy on the topic, you're right.)

Safe-tcl, by contrast, is generally available. Get the reference
implementation and docs from ftp.ics.uci.edu in mrose/safe-tcl. The
announcement is appended below. Please don't send me requests for how
it works, read the docs. The announcement came from Marshall Rose and
Nat Borenstein.

=========================================================================
ANNOUNCEMENT

We are pleased to announce an implementation of Enabled Mail (EM)
for many UNIX systems. This is a beta release.

The idea behind Enabled Mail is that messages contain programs
which get evaluated during delivery, receipt, and displaying. For
example, every time you receive a message, a program you specify
examines the message and performs some actions, such as filing,
sending a note to your pager, etc. This is an example of
receipt-time EM. Alternately, you might send a program to
someone with the intent of having it execute when they show the
message. This is an example of activation-time EM.

Earlier systems have done bits and pieces of this, within the
context of a very specific environment. With EM, we have tried to
provide a general model which can be used in a variety of
environments.

The choice of our programming language is Tcl - Ousterhout's Tool
Command Language, which is rapidly becoming a popular systems
language. With Tcl, we have integrated support for

- MIME, so you can deal with multimedia messages;
- display environments, so you use different UI paradigms
  (e.g., screen-based, window-based) depending on what the
  recipient has; and,
- execution safety, so you don't have to worry about someone
  sending you a malicious program.

In the beta period, we hope to gain experience both with the
technology choices we've made (e.g., Tcl) and portability of the
implementation we provide. Of course, we also hope that others
will implement EM for their (non-UNIX) systems.

NOTICE

This package is openly available but is NOT in the public domain.
You are allowed and encouraged to take this software and use it for
any lawful purpose. However, as a condition of use, you are required
to hold harmless all contributors.

Permission to use, copy, modify, and distribute this software and
its documentation for any lawful purpose and without fee is hereby
granted, provided that this notice be retained unaltered, and that
the name of any contributors shall not be used in advertising or
publicity pertaining to distribution of the software without
specific written prior permission. No contributor makes any
representations about the suitability of this software for any
purpose. It is provided "as is" without express or implied
warranty.

ALL CONTRIBUTORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR THE PARTICULAR PURPOSE, TITLE, AND
NON-INFRINGEMENT.

IN NO EVENT SHALL ANY CONTRIBUTOR BE LIABLE FOR ANY SPECIAL,
INDIRECT OR CONSEQUENTIAL DAMAGES, WHETHER IN CONTRACT, TORT, OR
OTHER FORM OF ACTION, ARISING OUT OF OR IN CONNECTION WITH, THE
USE OR PERFORMANCE OF THIS SOFTWARE.

AVAILABILITY

The software is available via anonymous FTP or a MIME-server. The
instructions are below.

There is a mailing list. Send a note to:

    safe-tcl@uunet.uu.net

to subscribe.
==========================================================================
--
Steve Simmons
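
The execution-safety idea from the announcement, shown here with the safe interpreters of current Tcl (`interp create -safe`, Tcl 8.5 or later assumed) rather than the Safe-Tcl package's own interface. This is an added example, not part of the original message or of the Safe-Tcl distribution; `run_untrusted`, `file_message`, the folder names and the sample scripts are hypothetical.

```tcl
# Added example: evaluate an untrusted, message-borne script in a safe
# interpreter. Nothing here is taken from the Safe-Tcl distribution.

# Host-side command the untrusted script may call (hypothetical).
# It checks its argument against an allowlist; no shell command is built.
proc file_message {folder} {
    if {$folder ni {inbox work lists}} {
        error "folder not allowed: $folder"
    }
    return "filed in $folder"
}

# Evaluate a script in a fresh safe interpreter; return {status result}.
# status is 0 on success and 1 when the script raised an error.
proc run_untrusted {script} {
    # A safe interpreter starts with exec, open, socket, file, source,
    # load, cd and similar commands hidden from the script.
    set child [interp create -safe]
    # Expose exactly one host command to the child.
    interp alias $child file_message {} file_message
    set status [catch {interp eval $child $script} result]
    interp delete $child
    return [list $status $result]
}

# Constructed sample scripts standing in for programs attached to mail.
set samples {
    {file_message work}
    {file_message "../../etc"}
    {exec ls}
    {open /etc/passwd r}
    {expr {6 * 7}}
}

foreach s $samples {
    lassign [run_untrusted $s] status result
    puts [format "%-28s -> status=%d result=%s" $s $status $result]
}
```

A safe interpreter removes commands; it does not by itself bound the CPU time or memory a script consumes, so a host that evaluates mail-borne scripts still needs resource limits of its own.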