[Mono-list] Security

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon May 8 08:54:04 EDT 2006


Hello Matthias,

On Mon, 2006-05-08 at 10:37 +0200, Matthias Gutheil wrote:
> Hi Sebastien,
> 
> many thanks for your detailed answer. 
> Can I ask you another question?

Sure. I'm c.c.ing the mono-list as the answers can be useful to other
people as well...

> Can I call mono from Java to compile/run C# code?

(It's been a while since I did any Java but) I'm 100% confident that
Java can call an external compiler and execute its output.

> We need to compile/run C# code on Linux which we don't trust.

Sadly that won't help.

It's just like having the MS runtime (with a complete security manager)
calling a C compiler and executing the output (or even a Java compiler
and a Java application). In your case the Java security manager cannot
extend itself to resources it doesn't know (C# compiler and the compiled
application).

Any application that can call external resources (e.g. p/invoking
unmanaged libraries, calling external programs...) must be a (not
necessarily fully) trusted application.

So neither Java nor .NET can enforce their security policies on
_external_ processes. However there are products, like Novell's AppArmor
(now open sourced), that can provide something very similar.

http://www.novell.com/products/apparmor/

Regards,
Sebastien

> Nice greetings from Mannheim
> 
> 
> first, starting from the beginning:
> - how do you compile with mono?
> - can that be done programmatically (from within Java)?
> - how do you run something with mono?
> - can that be done programmatically (from within Java)?
> 
> > --- Original Message ---
> > From: Sebastien Pouliot <sebastien.pouliot at gmail.com>
> > To: Matthias Gutheil <Matthias.Gutheil at gmx.de>
> > Cc: mono-list at lists.ximian.com
> > Subject: Re: [Mono-list] Security
> > Date: Sun, 07 May 2006 20:53:15 -0400
> > 
> > Hello Matthias,
> > 
> > On Sun, 2006-05-07 at 17:47 +0200, Matthias Gutheil wrote:
> > > on one of the Mono pages I read that the security manager is not
> > > complete enough to run untrusted code. Is this still the case?
> > 
> > Yes, it's still true. For many reasons (e.g. auditing the whole class
> > library) this wasn't a goal of Mono 1.2, but the current security
> > manager is complete enough for interested people that want to play with
> > it (e.g. test applications, embedding Mono).
> > 
> > > So when I run C# code which I do not trust, I have a security
> > > problem?
> > 
> > Well, there's no simple answer to this simple question, so...
> > 
> > <answer format="short">
> > Yes, you have a security problem if you execute untrusted code. 
> > 
> > And this is true for most existing languages/environments. Also note
> > that having a (working/complete) security manager doesn't mean you don't
> > have a security problem ;-)
> > </answer>
> > 
> > <answer format="long">
> > The fact that you have a security problem running untrusted code doesn't
> > mean the security manager will solve it. Why? The security manager is
> > there to enforce a security policy, which is selected based on
> > evidence.
> > 
> > So depending on how you're executing the untrusted code it is possible
> > that the security manager won't do anything to stop "bad things"(tm)
> > from happening.
> > 
> > E.g. you download r3411yc0114pp.zip, decompress and execute it. Because
> > the application is executed locally, the evidence will point to the
> > local computer and the current user, both of them are trusted (by
> > default). The security policy will give this process "full trust" which
> > means it can do about anything (good or bad) with your computer.
> > 
> > Now to be (really) useful we need more than a (working) security
> > manager, we also need environments that use it. Sadly there are very few
> > such environments (generally) and even fewer for Mono. Some examples are:
> > - hosting web applets in a browser (e.g. Java applets, IE for .NET);
> > - managed stored proc in a database server (e.g. SQL Server, DB2);
> > - a game engine running scripts/bots (e.g. NRobots which works on
> > Mono :)
> > 
> > The main point of those environments is to create some limits around what
> > can be done. E.g. ever wondered, from an end-user point of view, why a
> > screensaver could delete all your files?
> > 
> > (Current) reality dictates that many kinds of applications cannot run
> > without having "full trust" (e.g. interoperability with existing
> > unmanaged code). On a positive note that means that Mono, even without a
> > security manager, is useful and more secure than other technologies
> > (e.g. buffer overflows are "more difficult" using managed code). On a
> > negative note it means that running untrusted code is still a risky
> > business ;-)
> > 
> > p.s. it's a long, but still very incomplete, answer ;-)
> > </answer>
> > -- 
> > Sebastien Pouliot  <sebastien at ximian.com>
> > Blog: http://pages.infinit.net/ctech/
> > 
> 
-- 
Sebastien Pouliot  <sebastien at ximian.com>
Blog: http://pages.infinit.net/ctech/
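
The OS-level confinement the reply points to, written as an AppArmor profile for a Mono process that a Java host launches. This is an added example, not part of the original thread; the profile name, the /srv/sandbox directory and the Mono install locations are assumptions.

```apparmor
# Added example (not from the original thread). The profile name and every
# path below are assumptions for a typical packaged Mono install.
#
# Load:  apparmor_parser -r /etc/apparmor.d/untrusted-mono
# Run:   aa-exec -p untrusted-mono -- mono /srv/sandbox/work/app.exe
# The Java host starts that aa-exec command line instead of plain "mono",
# so the limits are enforced by the kernel, outside both runtimes.

#include <tunables/global>

profile untrusted-mono {
  #include <abstractions/base>

  # The runtime binary itself (mono is often a symlink to mono-sgen).
  /usr/bin/mono      mr,
  /usr/bin/mono-sgen mr,

  # Class libraries and runtime configuration: read-only.
  /usr/lib/mono/**   mr,
  /etc/mono/**       r,

  # Hypothetical sandbox directory holding the untrusted assembly.
  # It is the only location the process may write to.
  /srv/sandbox/work/   r,
  /srv/sandbox/work/** rw,

  # No rule here grants execute (x), so the confined code cannot start
  # other programs. In enforce mode anything not listed is denied; the
  # explicit denies below also keep a later include from widening access.
  deny network,
  deny @{HOME}/** rw,
}
```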


