[Mono-dev] The State Of Mono Assembly Verification?

Jim Purbrick jimpurbrick at yahoo.co.uk
Thu Feb 2 16:41:56 EST 2006


Hi Everyone,

It's good to see a healthy debate about these issues
:-)

> I second this. It would be very very useful for us
> if mono wouldn't g_assert
> but throw exceptions when the dll is
> invalid/broken/obfuscated/maliciously
> modified.

Does that mean that you might be able to contribute
some time to this too, Joachim?

> I believe it would be useful to many people - even
> if most don't realize it today. Until then Mono is
> "restricted" to run trusted code which,
> IMHO, "limits" its usefulness (I admit the "limit" is
> probably rather low as there are very few
> applications supporting partial trust today).

Certainly being able to run untrusted code was a big
reason for us to embed Mono as a scripting engine. We
want a system that will run untrusted code and to have
the performance to do some heavy lifting beyond the
lightweight scripting that is currently possible in
Second Life using the current LSL interpreter.

> Anyway the truth (please feel all free to prove me
> wrong ;-) is that security, especially runtime
> security, hasn't been very popular with
> contributors - in any form (e.g. code, samples,
> reviews, test cases...).

It's probably a catch 22. While you can't run
untrusted code on Mono, people who want to run
untrusted code won't use Mono and so won't contribute
to it.

While the implementation of security features is
incomplete it would be useful to make clear which
untrusted uses are possible and to aim to slowly
increase the gamut of untrusted uses.

It would seem that complete bytecode verification
might be a good starting point. Once a complete
verifier exists presumably untrusted code that makes
no framework calls can be used. In our case, where the
only method calls that can be made are iCalls that we
already trust, this minimal usage of untrusted code
would be very useful.

From that point implementing CAS or other security
features in such a way that Mono X.Y can allow
untrusted code to be loaded as long as conditions N
and M are met would gradually increase the utility of
Mono for untrusted applications.

The question "Under what conditions can Mono be used
to run untrusted code?" is the one that I've been
trying to answer by talking to Sebastien, Miguel and
this list and I think it's a useful question to have an
answer to.

Having a number of partially implemented security
features seems to be of little use, while having some
completed features and an understanding of the
conditions under which they can be used seems to be
useful.

Cheers,

Jim.
