Re: Remote execution / application migration

forsyth@plan9.cs.york.ac.uk sez:
>unlike Plan 9, Inferno allows an application to inject Dis code into a
>remote machine.  the Limbo load operator takes an argument in the name
>space, allowing the Dis code to come from anywhere, including an arbitrary
>part of the application's name space, exported to the remote machine.

I don't think this was ever the issue; it's pretty clear that if you can
see the program, you can execute it.  It's apparent that you can mount an
application from a file server and run it locally; if you have a thread on
a remote machine, the reverse should be equally possible.

The issue is starting that thread on the remote machine....

>/appl/cmd/rcmd.b shows a simple application of this technique, but more
>elaborate schemes are certainly possible.

This is undocumented, but I took a look at the code, and the corresponding
rstyx server.  It's a rather, um, ... interesting ... security hole.

Basically, the server attaches your environment on /n/client and then runs
a command.  It doesn't authenticate the requestor in any way and pretty
much gives the requestor full access to the server's files.

That's possibly adequate for a closed system like a set-top box, but not
for an environment where the attacker can substitute his own code.

I'd like the "more elaborate scheme" to be provided in the standard
distribution so that I can depend upon its existence.  Moreover, I'd
like it to provide strong mutual security (which could be reduced as
an option, perhaps) and the ability to restrict the environment of
the remote thread.  (I don't ask for much, do I?)

>it seems attractive to provide the service in the name space, avoiding
>the need to dial.

Well, at least, the need to dial explicitly.  But I agree with the point.

On the other hand, I don't know how to do this safely and securely, with
full authentication of both ends and an environment that can be restricted
by both ends.  Do you?

-- Greg