Apps Messaging: security

John Taylor jontayler at gmail.com
Tue Apr 10 05:59:18 PDT 2007


On 10 Apr 2007, at 13:49, Mark Taylor wrote:

> On Tue, 10 Apr 2007, John Taylor wrote:
>
>>> actually that would be OK, and maybe tidier - we're vulnerable to  
>>> brute force in any case (app.exec(secret-id,args="rm -r .")). We  
>>> can just recommend that secret-ids ought to be hard to guess.
>>
>> I guess so - I was thinking that a brute force attack on the  
>> former allows you to get a particular application, while in the  
>> latter the bad guy can't be sure which app you'll get.  I guess  
>> there's not much of a difference... Anyway, all we're trying to do  
>> is stop one application spoofing another.  A malicious application  
>> can still register legitimately and send a naughty command.  I  
>> don't see any way of stopping that - if you're going to run dodgy  
>> software it can execute "rm -r" on its own without our help!
>
> This does a bit more than that - the malicious application can only
> register if it knows hub-secret.

Sorry - I was referring to malicious apps running under the user's uid.

Anyway, here's the latest version:

http://www.ivoa.net/twiki/bin/view/IVOA/ApplicationsMessagingHighLevelProtocol

> In the PLASTIC as it stands any process who can see the XML-RPC  
> port can do that, and it may be running for a different user.

We do obfuscate the URL, so they'd still need to crack that.  I don't  
think there's any protection on the RMI port though.

>   Admittedly you could solve that by
> just passing hub-secret around with all calls, but you'd still want  
> to have an application ID, and this effectively combines the two,
> as well as formalising the question of whether it is permissible
> to spoof.
>
> -- 
> Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
> m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/
>


