The goal is to track what we need to allow Mono to have a secure sandbox to execute arbitrary untrusted code and ensure that the untrusted code does not compromise the security of the system.
This is a new feature that we will be integrating into Mono, a scenario that so far we have not spent any energy on, as most of our users run their own code and do not execute untrusted code (code that might be potentially malicious, and provided by a third party).
The immediate concern of this page though, is to look at what needs to be done to ensure that one particular user (SecondLife) is able to do this, so a few of the options discussed here could rely on external tools or SecondLife-specific limitations.
Table of Contents
Security Issues
The following have been identified as areas that need work to ensure that malicious code does not cause problems:
- CIL verification
- Metadata integrity
- Code Access Security
- Audit of the runtime and assemblies
- Stack Overflow.
The problem with building a sandbox is that it requires all of these mechanisms to be complete before the sandbox is secure and so useful. CAS without bytecode verfication is not useful. In order to make sandboxes usable as soon as possible, we should implement all 3 systems together to support a series of progresively less restrictive sandboxes. A sandbox which allows no code to execute is trivial to implement, a next sandbox which allows no method calls might be useful for an embedded formula editor, but would require no CAS and so on.
CIL Verification
Mono currently only implements a subset of byte code verification, it is possible to create CIL instructions that are not supported or provide the user with access to data they should not have access to.
Mono team will implement a CIL verifier, Zoltan estimates that the work required to get this working is one man month.
If verification is done at compile time, or upload time, then the verifier need only support a subset of CIL opcodes initially and reject all assemblies containing unsupported opcodes.
A partial set of tests for CIL verification was developed by Jim and is available in mono/mono/tests/verifier, to run these you must run make test in that directory.
Metadata integrity
Currently the Mono runtime assumes that the assemblies that it loads have valid metadata. This poses a problem for SecondLife as a malicious user might upload an invalid image and might break the runtime.
There are a couple of possible solutions to this problem, the easiest one is to use an external tool to validate the metadata integrity. It could be one or more external tools:
- Running a remote session to a windows machine with PEverify.
- Roundtripping an assembly
- A custom Cecil/RAIL roundtripper could ensure that there are no missing references. RAIL is used to inject microthreading, so invalid metadata that renders the assembly unreadable by Mono.PEToolkit will be caught here.
- Run mono --aot assembly on the assembly, and check for the error code
If metadata verification can be done at compile time or upload time then, then the verifier need only support a subset of metadata initially and reject all assemblies containing unsupported metadata.
Code Access Security
Jim's current plan is to use a white-list of functions that developers can use, so support for CAS is not mandatory at this point.
In Silverlight a new system which seems to be very similar to Jim's white/black listing approach has been implemented.
Audit of the codebase
Both the C runtime and the relevant C# assemblies must be audited for security issues. This includes also auditing the JIT code generation.
Using Microsoft PEVerify
The quickest route to a secure Mono sandbox may be to rely on Microsoft's PEVerify tool for CIL and metadata verification. Although a Windows machine would be needed to verify the code once, any number of copies of the verified code could then be run in Mono on any number of Linux machines any number of times. If PEVerify was used to verify assemblies, and a white list was used to check all method calls were safe, what modifications would be needed to Mono to make this set up secure?
