My suggestion was silly, I think -- it allows you to do crazy things

like computing ill-defined values and forcing them to commit to a
single value.  But you're doing aligned loads of words -- isn't this
exactly what atomic::load(std::memory_order_relaxed) is for?

For the sake of completeness, I'd like to propose a third way to protect a receiver from post-hoc shared memory tampering, as an alternative to wholesale copying or enforcing a read-once constraint. After the sender is finished writing the message to shared memory, the receiver encrypts regions it considers sensitive with, for example, a 128-bit AES cipher*.

Further reads and writes, which may target the same memory locations repeatedly, then incur an extra encryption/decryption step (in blocks of two words). This protects against chosen-plaintext attacks; though the sender may still attempt to crash the receiver by overwriting the sensitive memory regions with garbage data (since it cannot predict how the receiver will decrypt it), the success of this strategy is unlikely, since it relies upon known possible exploits that CnP implementations should already be robust against (infinite pointer recursion, etc).

This approach seems most attractive in situations where memory pressure is already high, or where the data structures that need to be validated are impractical to duplicate, either because they are too large or there are too many simultaneous readers (e.g. in a pub/sub messaging system), each of which would need to make their own copy.

In fact, encryption may be preferable to copying even in CPU-bound programs, as some very rough, but encouraging, benchmarks on my own system show an order-of-magnitude difference in bandwidth between the two strategies (although I'd like to emphasize just how rough and non-representative these benchmarks are).

* Achieving random access at the block level for both encryption and decryption would require a cipher mode similar to CTR, but rather than encrypting the counter with a certain key and XORing the result with the plaintext to get the ciphertext, the counter is instead XORed with a secret integer, and the result used as the key to encrypt the plaintext. This adjustment is made necessary by the fact that the sender, by knowing the plaintext beforehand, would be able to XOR it with the encrypted data, and then XOR the result with new plaintext of their choosing to generate valid ciphertext. The method described thus derives a non-ECB stream cipher that is nevertheless parallelizable.

Sadly "Note that this requires platform-specific runtime support that

does not exist everywhere." (from the gcc docs page)

I think you can with ftruncate.  You can handle that by catching

SIGBUS, but AFAIK nothing other than Windows actually has frame-based
exception handling for things like this.

I think you can with ftruncate.  You can handle that by catching

SIGBUS, but AFAIK nothing other than Windows actually has frame-based
exception handling for things like this.

How careful is careful, though?  For general use, the compiler is free
to determine that capnp accessors are pure functions and, if alias
detection says it's okay, it can translate:

int foo = reader.getFoo();
a = foo;
b = foo;

to:

a = reader.getFoo();
b = reader.getFoo();

So, for safe shared memory usage, some kind of volatile qualifier
might be important.  (gcc, at least, would let you launder values with
a construct like:

int x = (read it);
asm volatile("" : "+rm (x)");
return x;

)

On Wed, May 1, 2013 at 8:07 AM, Kenton Varda <temporal-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

On Wed, May 1, 2013 at 7:42 AM, Ben Laurie <benl-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> wrote:

Interesting that you mention this: message passing over shared memory

has been a subject of some discussion in the group I work with at
Cambridge (http://www.cl.cam.ac.uk/research/security/ctsrd/). In
short, its not a great idea when the two ends of the conversation
don't trust each other - this is mostly because its really hard to
write code that behaves well on data that might change between reads.

I have thought about this, but concluded that it is not very hard at all.  One way to be safe is to make sure you read each field at most once, which is what performant code should be striving to do anyway.  If a particular field needs to be validated before use, then you need to make a copy to validate, yes.  But, it is often the case that no further validation is needed beyond what Cap'n Proto does internally.

Promoting a performance optimization to a security requirement seems like too much of a burden on clients (and one that's quite easy to get wrong).

Copying a composite will certainly ensure a malicious endpoint won't mutate it, but would be costly for large binary blobs. It would be nice if CnP provided a way to optimistically detect tampering by hashing a composite's contents before and after processing, and throwing an error if they compare unequal. To save the receiver the trouble, the sender could write the initial hash itself.

Alek

But maybe I've missed something.  Can you give examples of the kind of vulnerabilities you have in mind?

This is why OSes tend to copy syscall arguments before processing them... 

As an example, write(2) needs to validate the buffer pointer and size, so it needs to copy those, but it doesn't need to validate the buffer content, so there's no need to make an upfront copy of it.

With Cap'n Proto, when you call the getter for a pointer, the implementation validates that pointer and effectively returns a copy.

We've been wondering, btw, whether Cap'n Proto would be useful for our
stuff - apparently there's no C/C++ implementation currently?

On the contrary, there is *only* a C++ implementation currently.  :)  (Maybe you were confused by the schema parser / code generator, which is written in Haskell?)

I'd love to chat more about your use case.

--

You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org.
Visit this group at http://groups.google.com/group/capnproto?hl=en-US.