Apps Messaging -- A New Approach
Mark Taylor
m.b.taylor at bristol.ac.uk
Fri Apr 27 02:15:31 PDT 2007
Hi Mike,
On Thu, 26 Apr 2007, Mike Fitzpatrick wrote:
> Security
>
> The spoofing thing is a minor breach (IMHO), but I pointed it out
> more for the purpose of asking why an app would need to know its, or
> any other, ID in the first place. It seems to me this is entirely a
> construct in the Hub and shouldn't be part of the user interface since
> it presents some complications (which I'll point out in the use cases
> I've been neglecting to post).
> While this has a feel-good aura about it, I'd like to see the
> security put off to a later version unless somebody can convince me this
> is a real issue in a one-user, one-desktop system. Again, I'm just saying
> spoofing=silly_reason_to_have_appID_in_the_interface.
Security is not something I'm keen to have in just for the sake of it:
what got me thinking about it was a scenario along the following lines
(this is a real situation which cropped up when PLASTICising GAIA):
A certain application implements a message which can have serious
side-effects (in my case it was executing some arbitrary Tcl code,
which could include something along the lines of 'exec rm *').
With no security at all, there's nothing to stop another application
(which may not be running under the user ID of the person running
the hub) finding out or guessing the port where the hub resides,
and sending a destructive message. The receiving application has
no way of knowing that this is not from a legitimate participant
in the messaging conversation.
What's needed to fix this is for requests to other applications
(via the hub) to be only possible for applications which know
something private to the user - this might be gathered from a
(600) ~/.ivoamsg file or granted by the user explicitly permitting
the hub to grant access to that program when it requests a connection.
In general the hub will have to be told which application is making
a request to it in any case, so that it can inform other applications
etc. Thus applications sending messages will need to provide some kind
of self-id with these messages. So (I'd argue) it might as well
be a private (hub-generated) one, since this removes worries about
whether it's going to be unique and also prevents spoofing.
Mark
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/
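An added example, not code from this thread or from any hub implementation, sketching the scheme Mark describes: a secret read from a mode-0600 file (a constructed temporary stand-in for ~/.ivoamsg) gates registration, the hub issues random private ids, and messages whose sender id the hub never issued are dropped. The names Hub, register, send, read_secret, write_secret_file and demo are assumptions.

```python
import os
import secrets
import stat
import tempfile

def read_secret(path):
    """Load the per-user secret, refusing a file readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600, found {oct(mode)}")
    with open(path) as fh:
        return fh.read().strip()

def write_secret_file(directory):
    """Create a constructed stand-in for ~/.ivoamsg holding a fresh random secret."""
    path = os.path.join(directory, ".ivoamsg")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_hex(32))
    return path

class Hub:
    """Toy hub: the secret gates registration; the hub hands out private ids."""
    def __init__(self, secret_path):
        self._secret = read_secret(secret_path)
        self._clients = {}  # hub-generated private id -> application name

    def register(self, app_name, presented_secret):
        # Only a caller that can read the 0600 file gets an id at all.
        if not secrets.compare_digest(presented_secret, self._secret):
            return None
        private_id = secrets.token_hex(16)  # unguessable, so it cannot be spoofed
        self._clients[private_id] = app_name
        return private_id

    def send(self, sender_id, recipient_id, message):
        # Drop anything whose sender id the hub never issued.
        if sender_id not in self._clients or recipient_id not in self._clients:
            return False
        return True  # a real hub would forward to the recipient here

def demo():
    """A registered app can send; a caller guessing a plain-name id cannot."""
    with tempfile.TemporaryDirectory() as d:
        hub = Hub(path := write_secret_file(d))
        legit = hub.register("gaia", read_secret(path))
        rogue = hub.register("rogue", "guessed secret")    # wrong secret: refused
        forged = hub.send("gaia", legit, "exec rm *")      # guessed id: dropped
        return legit is not None, rogue is None, forged, hub.send(legit, legit, "hi")
```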