realbasic-plugins

Re: REALbasic plugin security?

To: REALbasic Plugins <realbasic-plugins at lists dot realsoftware dot com>
Subject: Re: REALbasic plugin security?
From: Tim Jones <tjmac at tolisgroup dot com>
Date: Thu, 1 May 2008 08:45:39 -0700
Authentication-results: mx.google.com; spf=pass (google.com: domain of realbasic-plugins-bounces at lists dot realsoftware dot com designates 66.116.103.65 as permitted sender) smtp dot mail=realbasic-plugins-bounces at lists dot realsoftware dot com
Delivered-to: listarchive at realsoftware dot com
Delivered-to: realbasic-plugins at lists dot realsoftware dot com
References: <1ig9sqo dot 1c6q2ylm849n6M%realbasiclists at monkeybreadsoftware dot de>
On May 1, 2008, at 7:35 AM, Christian Schmitz wrote:

> Hi,
>
> Have you ever thought about plugin security?
>
> I mean methods to prevent a plugin from being replaced by another one.
>
> The RB runtime could at least:
>
> load only the plugins which match by name and not just load all
> plugins in the frameworks folder. This allows very easy code
> injection!
>
> and check the plugins by name, size and a checksum to make sure the
> correct plugin is there.

That sounds like a very solid feature request.

What I perceive is that the IDE creates an internal checksum (maybe a  
SHA1 hash value) that is stored within the executable and is then  
compared at runtime by the runtime framework.

Tim

_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>

Search the archives:
<http://support.realsoftware.com/listarchives/lists.html>


To: realbasic-plugins at lists dot realsoftware dot com (REALbasic Plugins)
In-Reply-To: <4EB26A8C-B189-4E8E-AD5B-2EB77FDB14A3 at tolisgroup dot com>
Subject: Re: REALbasic plugin security?
From: realbasiclists at monkeybreadsoftware dot de (Christian Schmitz)
Date: Thu, 1 May 2008 18:42:41 +0200

Tim Jones <tjmac at tolisgroup dot com> wrote:

> That sounds like a very solid feature request.

I submitted this text:

***************** snip
Have you ever thought about plugin security?

I mean methods to prevent a plugin from being replaced by another one.

The RB runtime could at least:

load only the plugins which match by name and not just load all plugins
in the frameworks folder. This allows very easy code injection!

and check the plugins by name, size and a checksum to make sure the
correct plugin is there.

For RB 2008r1 you can replace any plugin in the Frameworks
folder with a new one.

At some point in RB the plugins are loaded. So the runtime could call a
function to load a plugin and pass: name and size.

This would make sure that not all dylibs are loaded and code injection
is much more difficult. Also it would make it a little bit harder to
replace the plugin files.

A checksum like SHA1 or simple CRC32 is also welcome.
***************** snip

If you like the idea, I can place another one.

Gruß
Christian

-- 
Over 1000 classes with 20000 functions in one REALbasic plug-in.
The Monkeybread Software Realbasic Plugin v8.2.

<http://www.monkeybreadsoftware.de/realbasic/plugins.shtml>
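The name/size/checksum check both messages ask for, written out as an added example (not from either post and not REALbasic's own runtime code): a build-time manifest of name, size and SHA-1 for the plugins a project really uses, and a load-time step that loads only manifest names whose size and hash still match. A temporary directory stands in for the Frameworks folder; the file names and contents are constructed. SHA-1 is used rather than CRC32 because a CRC only catches accidental corruption, not a deliberately substituted file.

```python
import hashlib
import os
import tempfile

def manifest_entry(path):
    """Return (size, SHA-1 hex) for one plugin file."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha1(data).hexdigest()

def build_manifest(frameworks_dir, plugin_names):
    """Build time: record name, size and SHA-1 of each plugin the project
    really uses (the table the IDE would embed in the executable)."""
    return {n: manifest_entry(os.path.join(frameworks_dir, n)) for n in plugin_names}

def select_plugins(frameworks_dir, manifest):
    """Run time: return (approved, rejected) for a Frameworks folder.
    Only manifest names are candidates, so an extra dylib dropped into the
    folder is never loaded; a candidate loads only if size and SHA-1 match."""
    approved, rejected = [], {}
    for name in sorted(os.listdir(frameworks_dir)):
        if name not in manifest:
            rejected[name] = "not in manifest"
            continue
        size, sha1 = manifest_entry(os.path.join(frameworks_dir, name))
        if size != manifest[name][0]:
            rejected[name] = "size mismatch"
        elif sha1 != manifest[name][1]:
            rejected[name] = "sha1 mismatch"  # same size, different bytes
        else:
            approved.append(name)
    for name in set(manifest) - set(approved) - set(rejected):
        rejected[name] = "missing"  # an expected plugin that vanished
    return approved, rejected

def demo():
    """Constructed scenario; a temp dir stands in for the Frameworks folder."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, body):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        put("MBS.dylib", b"good plugin A")
        put("Crypto.dylib", b"good plugin B")
        manifest = build_manifest(d, ["MBS.dylib", "Crypto.dylib"])
        # Simulate the two cases the thread describes: an unknown dylib in
        # the folder, and a known plugin swapped for a same-size file.
        put("Injected.dylib", b"unknown")
        put("Crypto.dylib", b"good plugin X")  # 13 bytes, same as plugin B
        return select_plugins(d, manifest)
```

Because the size check alone passes for the swapped file, the example shows why the hash is the part that actually catches replacement.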