retroforth/doc/html/chapters/tech-notes/security.html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>.</title>
<style type="text/css">

    * { color: #000; background: #fff; max-width: 700px; }
    tt, pre { background: #dedede; color: #111; font-family: monospace;
             white-space: pre; display: block; width: 100%; }
    .indentedcode { margin-left: 2em; margin-right: 2em; }
    .codeblock {
      background: #dedede; color: #111; font-family: monospace;
      box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, 0, 0.19);
      padding: 7px;
      display: block;
    }

    .indentedlist { margin-left: 2em; color: #000; }

    span { white-space: pre; }
    .text  { color: #000; white-space: pre; background: #dedede; }
    .colon { color: #000; background: #dedede; }
    .note  { color: #000; background: #dedede; }
    .str   { color: #000; text-decoration: underline; background: #dedede; }
    .num   { color: #000; background: #dedede; font-weight: bold; font-style: italic; }
    .fnum  { color: #000; font-weight: bold; background: #dedede; }
    .ptr   { color: #000; font-weight: bold; background: #dedede; }
    .fetch { color: #000; font-style: italic; background: #dedede; }
    .store { color: #000; font-style: italic; background: #dedede; }
    .char  { color: #000; background: #dedede; }
    .inst  { color: #000; background: #dedede; }
    .defer { color: #000; background: #dedede; }
    .imm   { color: #000; font-weight: bold; background: #dedede; }
    .prim  { color: #000; font-weight: bolder; background: #dedede; }

    .tt    { white-space: pre; font-family: monospace; background: #dedede; }

    .h1, .h2, .h3, .h4 { white-space: normal; }
    .h1 { font-size: 125%; }
    .h2 { font-size: 120%; }
    .h3 { font-size: 115%; }
    .h4 { font-size: 110%; }
    .hr { display: block; height: 2px; background: #000000; }
</style>
</head><body>
<p><span class="h1">Security Concerns</span>
<br/><br/>
The standard Retro is not a good choice for applications
needing to be highly secure.
<br/><br/>
<span class="h2">Runtime Checks</span>
<br/><br/>
The Retro system performs only minimal checks. It will not
load an image larger than the max set at build time. And
stack over/underflow are checked for as code executes.
<br/><br/>
The system does not attempt to validate anything else, it's
quite easy to crash.
<br/><br/>
<span class="h2">Isolation</span>
<br/><br/>
The VM itself and the core code is self contained. Nga does
not make use of malloc/free, and uses only standard system
libraries. It's possible for buffer overruns within the image
(overwriting Nga code), but the Retro image shouldn't leak
into the C portions.
<br/><br/>
I/O presents a bigger issue. Anything involving I/O, especially
with the <span class="tt">unix:</span> words, may be a vector for attacks.
<br/><br/>
<span class="h2">Future Direction</span>
<br/><br/>
I'm not planning to add anything to the <strong>image</strong> side as, for me,
the performance hit due to added checks is bigger than the
benefits.
<br/><br/>
The story is different on the VM side. I've already begun taking
steps to address some of the issues, using functions that check
for overruns with strings and doing some minor testing for these
conditions. I will be gradually addressing the various I/O
related extensions, though it's unlikely to ever be fully guarded
against attacks.
<br/><br/>
<span class="h2">Rationale</span>
<br/><br/>
Retro is, primarily, a personal system. I'm running code I wrote
to solve problems I face. On the occasions where I run code sent
to me by others, I read it carefully first and then run inside a
sandboxed environment if I'm worried about anything in it.
</p>
</body></html>