How to exchange sensitive data with ports?

14 messages

How to exchange sensitive data with ports?

egarrulo
Hello,

I'd like to access smart cards from Erlang. Since there is no
dedicated module, I'll have to use C for that.

In this thread:

http://groups.google.com/group/erlang-programming/browse_frm/thread/f27c205eab2e8f95/2ac047fd8840cc2f?lnk=gst&q=ffi#2ac047fd8840cc2f

it is recommended that you use ports (that is: external processes) to
exchange data with native libraries.

However, the whole purpose of using smart cards is accessing sensitive
information stored in the card itself. To my limited knowledge,
opening a port (pipe) with an external process would allow sniffing.
Is that true? If not, what tools should I use (preferably working
both on Linux and Windows)?

I apologize if the question is somewhat off-topic.

Thanks.

________________________________________________________________
erlang-questions mailing list. See http://www.erlang.org/faq.html
erlang-questions (at) erlang.org


Re: How to exchange sensitive data with ports?

egarrulo
Practically speaking, if both the Erlang process and the external one
are running at user level (not root), other user-level processes can't
sniff the data. Is that true?

Thanks


2009/8/7 Hynek Vychodil <[hidden email]>:

> 1/ Can someone else read the pipe? - Yes, for example when he is able to
> trace the process at either end of the pipe.
> 2/ Is it a security issue? - NO! If someone has those privileges you are
> already doomed. He is already able to do much worse to you. He is able to
> patch your process on the fly, for example, and so on.
>
> On Fri, Aug 7, 2009 at 4:22 PM, Elena Garrulo <[hidden email]> wrote:
>>
>> Hello,
>>
>> I'd like to access smart cards from Erlang. Since there is no
>> dedicated module, I'll have to use C for that.
>>
>> In this thread:
>>
>>
>> http://groups.google.com/group/erlang-programming/browse_frm/thread/f27c205eab2e8f95/2ac047fd8840cc2f?lnk=gst&q=ffi#2ac047fd8840cc2f
>>
>> it is recommended that you use ports (that is: external processes) to
>> exchange data with native libraries.
>>
>> However, the whole purpose of using smart cards is accessing sensitive
>> information stored in the card itself. To my limited knowledge,
>> opening a port (pipe) with an external process would allow sniffing.
>> Is that true? If not, what tools should I use (preferably working
>> both on Linux and Windows)?
>>
>> I apologize if the question is somewhat off-topic.
>>
>> Thanks.
>>
>> ________________________________________________________________
>> erlang-questions mailing list. See http://www.erlang.org/faq.html
>> erlang-questions (at) erlang.org
>>
>
>
>
> --
> --Hynek (Pichi) Vychodil
>
> Analyze your data in minutes. Share your insights instantly. Thrill your
> boss.  Be a data hero!
> Try Good Data now for free: www.gooddata.com
>



Re: How to exchange sensitive data with ports?

Illo de Illis
In reply to this post by egarrulo
On Aug 7, 2009, at 4:22 PM, Elena Garrulo wrote:

> Hello,
>
> I'd like to access smart cards from Erlang. Since there is no
> dedicated module, I'll have to use C for that.
[...]
> However, the whole purpose of using smart cards is accessing sensitive
> information stored in the card itself. To my limited knowledge,
> opening a port (pipe) with an external process would allow sniffing.
> Is that true? If not, what tools should I use (preferably working
> both on Linux and Windows)?

What follows applies to Linux only.

In your scenario, a good level of security can be obtained just by
assuming that the following is true:

- the bad guy is not logged in as root, and no malicious program is
running with root privileges during a smartcard transaction -

should this be untrue, you would have a good deal more to worry about.

That said, I would go with a port driver, in spite of it being
discouraged by the post you're referring to, since it would limit
eavesdropping and pipe redirection/tracing/dumping. But whatever
choice you're going to pick, you'll have to deal with the fact that
you cannot tell the Erlang VM where to store the data you're sending.
So even if you allocated an unpageable (secured) memory buffer to
store sensitive data in your C code, that data could be paged out when
passed to the VM.
I would recommend storing the sensitive data in a secured memory
buffer in the C code (accessing it by some sort of hash table keyed
by terms) and exposing functions for filling the dictionary by
obtaining sensitive information from both the user (i.e. by accessing
/dev/tty) and the smartcard, managing these values and passing portions
of the in-code dictionary from one Erlang node to another (both coupled
with your C code) securely by SSL or whatever suits your needs. This
way you could provide a good level of overall security and
performance, and the security issues could be limited to your context.

Ciao,
Illo.


Re: How to exchange sensitive data with ports?

Illo de Illis
On Aug 7, 2009, at 6:07 PM, Hynek Vychodil wrote:

> No, no, no, you must be sure that the bad guy has never been logged in
> as root, or that a malicious program has never been running with root
> privileges at any time in the past. You can't trust your kernel! It
> could have been patched! You must be sure that the bad guy has not been
> logged in at your user level, or that a malicious program has not been
> running at the same time as any of your still-running processes. It can be
> a new malicious program patched on the fly. You must be sure that when you
> start your Erlang VM or any other program you don't execute any code
> which could have been modified while the bad guy was logged in or a malicious
> program was running. Etc.

I was talking about a _good_ level of security, not an _I'm freaking
paranoid_ level of security. As it has been memed all over the internet
for ages, a secure system is a system which is switched off, not
connected to the internet, and locked up in a safe.
And speaking of that, since the original poster is dealing with a
smartcard, every transaction should be encrypted with the smartcard's
private and inaccessible key, using a locked-out computer in a
vacuum chamber.

Ciao,
Illo.




Re: How to exchange sensitive data with ports?

Illo de Illis
I doubt your advice would be useful in the scenario the original
poster is working with. Since she was afraid of a pipe I guess she is
already dealing with a public/untrusted system, and I reckon locked
memory (which I frankly wouldn't call "security by obscurity") and
/dev/tty access for user input to be a good starting point.

Ciao,
Illo.



Re: How to exchange sensitive data with ports?

Illo de Illis
On 07/ago/2009, at 20.35, Hynek Vychodil <[hidden email]>  
wrote:

> On Fri, Aug 7, 2009 at 6:57 PM, Illo de' Illis <[hidden email]>  
> wrote:
> I doubt your advice would be useful in the scenario the original
> poster is working with. Since she was afraid of a pipe I guess she
> is already dealing with a public/untrusted system, and I reckon
> locked memory (which I frankly wouldn't call "security by
> obscurity") and /dev/tty access for user input to be a good starting
> point.
>
> If you are dealing with an untrusted system, all that effort is just a
> Potemkin village. It is worthless. One can put on some masquerade
> for dumb people, but anyone who understands real security will laugh
> at you.

It is all a matter of perspective.  I'd bet you would call a  
"masquerade for dumb people" locking someone's home door up to avoid  
thieves as well...

Well, let's hope both our opinions will be of some use to Elena! Good  
luck for your smartcard project.

Ciao,
Illo.

Re: How to exchange sensitive data with ports?

egarrulo
Enlightening reading indeed... Thanks for your detailed replies.

I didn't state it, but I was looking for a "reasonable" level of
security, assuming that nobody had tampered with the system
previously. Kind of like what you do when you enter your credit card
number into a web page: you trust your system to be clean of spyware...

BTW, I've realized that I was tackling the problem at a low level,
that is: wrapping calls to the smart card layer by means of an
external process. A better solution is to make the external process
have its own logic, make it deal with the sensitive data on its own
(safely handling memory), and send back to the Erlang process the data
it needs.

Ciao a tutti (= cheers to everyone)


2009/8/7 Illo de' Illis <[hidden email]>:

> On 07/ago/2009, at 20.35, Hynek Vychodil <[hidden email]> wrote:
>
>> On Fri, Aug 7, 2009 at 6:57 PM, Illo de' Illis <[hidden email]> wrote:
>> I doubt your advice would be useful in the scenario the original poster is
>> working with. Since she was afraid of a pipe I guess she is already dealing
>> with a public/untrusted system, and I reckon locked memory (which I frankly
>> wouldn't call "security by obscurity") and /dev/tty access for user input to
>> be a good starting point.
>>
>> If you are dealing with an untrusted system, all that effort is just a
>> Potemkin village. It is worthless. One can put on some masquerade for dumb
>> people, but anyone who understands real security will laugh at you.
>
> It is all a matter of perspective.  I'd bet you would call a "masquerade for
> dumb people" locking someone's home door up to avoid thieves as well...
>
> Well, let's hope both our opinions will be of some use to Elena! Good luck
> for your smartcard project.
>
> Ciao,
> Illo.
>



Re: How to exchange sensitive data with ports?

Richard Andrews-5
In reply to this post by egarrulo
On Sat, Aug 8, 2009 at 12:22 AM, Elena Garrulo<[hidden email]> wrote:

> Hello,
>
> I'd like to access smart cards from Erlang. Since there is no
> dedicated module, I'll have to use C for that.
>
> In this thread:
>
> http://groups.google.com/group/erlang-programming/browse_frm/thread/f27c205eab2e8f95/2ac047fd8840cc2f?lnk=gst&q=ffi#2ac047fd8840cc2f
>
> it is recommended that you use ports (that is: external processes) to
> exchange data with native libraries.
>
> However, the whole purpose of using smart cards is accessing sensitive
> information stored in the card itself. To my limited knowledge,
> opening a port (pipe) with an external process would allow sniffing.
> Is that true? If not, what tools should I use (preferably working
> both on Linux and Windows)?

Sheesh what a thread.

You can use a linked-in driver. Write the driver in C and load it as a
.so or .dll into the erlang node that needs to access the smart card
libs. The data doesn't leave the process space - but it must get there
somehow.

Of course root can usually watch any data in any process (SELinux
might prevent that).



Re: How to exchange sensitive data with ports?

egarrulo
2009/8/8 Richard Andrews <[hidden email]>:
> You can use a linked-in driver. Write the driver in C and load it as a
> .so or .dll into the erlang node that needs to access the smart card
> libs. The data doesn't leave the process space - but it must get there
> somehow.

What if the C calls are time consuming? Does the whole Erlang VM stop until
the C procedure returns?

>
> Of course root can watch usually any data in any process (SELinux
> might prevent that).
>

And user? Can a user process watch another (same) user process?

Thanks



Re: How to exchange sensitive data with ports?

Illo de Illis
In reply to this post by Richard Andrews-5
On 08/ago/2009, at 13.09, Richard Andrews <[hidden email]> wrote:

> On Sat, Aug 8, 2009 at 12:22 AM, Elena Garrulo<[hidden email]>  
> wrote:
>> Hello,
>>
>> I'd like to access smart cards from Erlang. Since there is no
>> dedicated module, I'll have to use C for that.
[...]
>>
> Sheesh what a thread.
>
> You can use a linked-in driver.

Isn't it the very same "port driver" I suggested? That is:

http://erlang.org/doc/tutorial/c_portdriver.html

Or, if not, in what does it differ? Would it be possible to share buffer
pointers with your approach without breaking Erlang's garbage
collector?

Ciao,
Illo.



Re: How to exchange sensitive data with ports?

egarrulo
2009/8/8 Illo de' Illis <[hidden email]>:
> Isn't it the very same "port driver" I suggested? That is:
>
> http://erlang.org/doc/tutorial/c_portdriver.html

Thank you for the link.

Indeed, it seems that a blocking C procedure will block the Erlang
process: in the given example, "example_drv_output" is synchronous. Or
are the calls to the linked-in driver handled on a different OS thread?

Thanks



Re: How to exchange sensitive data with ports?

Richard Andrews-5
In reply to this post by egarrulo
On Sat, Aug 8, 2009 at 9:35 PM, Elena Garrulo<[hidden email]> wrote:
> 2009/8/8 Richard Andrews <[hidden email]>:
>> You can use a linked-in driver. Write the driver in C and load it as a
>> .so or .dll into the erlang node that needs to access the smart card
>> libs. The data doesn't leave the process space - but it must get there
>> somehow.
>
> What if the C calls are time consuming? Does the whole Erlang VM stop until
> the C procedure returns?

IIRC the "control" style driver would block but the IO style driver
model would not. I think this requires that there is another thread
somewhere which can issue a callback into erlang with a result. I've
never implemented one of these.

>> Of course root can watch usually any data in any process (SELinux
>> might prevent that).
>>
>
> And user? Can a user process watch another (same) user process?

I don't think this is possible.



Re: How to exchange sensitive data with ports?

egarrulo
2009/8/8 Richard Andrews <[hidden email]>:
> On Sat, Aug 8, 2009 at 9:35 PM, Elena Garrulo<[hidden email]> wrote:
>> What if the C calls are time consuming? Does the whole Erlang VM stop until
>> the C procedure returns?
>
> IIRC the "control" style driver would block but the IO style driver
> model would not. I think this requires that there is another thread
> somewhere which can issue a callback into erlang with a result. I've
> never implemented one of these.

That's what I was thinking about: making a worker thread handle the
requests asynchronously, sending back the results when done. From your
answer, I understand that it is feasible, it's just not sketched in the
simpler (synchronous) examples.

>> And user? Can a user process watch another (same) user process?
>
> I don't think this is possible.
>

Well, that's what I knew about Windows, and wondered whether
things were different under Linux.

OK, here is my roadmap: first make the (simpler) ports solution work,
then implement it as a linked-in driver.

Thanks.



Re: How to exchange sensitive data with ports?

Michael Truog
The port driver can be made to make async function calls; however there
are some problems with doing this:
1) the port driver can not be unloaded to do a code swap (after the
first async port driver call), since it is safer to keep the code loaded
in case there is still a thread busy on an async request
2) the async thread pool takes a single thread count for all async
requests used by the Erlang VM, so your async requests are competing
with file, crypto, and anything else that might choose to use the async
thread pool.  The async thread pool is implemented without a shared job
queue, so you are at the mercy of any jobs that got to the thread's
queue before your jobs.  However, by limiting your usage of the async
thread pool and setting the integer async thread pool limit high enough,
you should avoid any contention for threads.  Last time I looked, there
was an environment variable to limit the file module's usage of async
calls, but I am not sure about the crypto usage of async calls... crypto
may not be doing async requests.

I wrote some code to automatically generate a port driver or port with
preprocessor expansion that might help.  To make a call async you can
change a 0 to a 1 in the header file that defines the function calls:
http://forum.trapexit.org/viewtopic.php?t=15118&sid=4174d776f9abc2b65ed145333e24886e
http://github.com/okeuday/generic-erlang-port--driver-/tree/master

Elena Garrulo wrote:

> 2009/8/8 Richard Andrews <[hidden email]>:
>> On Sat, Aug 8, 2009 at 9:35 PM, Elena Garrulo<[hidden email]> wrote:
>>> What if the C calls are time consuming? Does the whole Erlang VM stop until
>>> the C procedure returns?
>> IIRC the "control" style driver would block but the IO style driver
>> model would not. I think this requires that there is another thread
>> somewhere which can issue a callback into erlang with a result. I've
>> never implemented one of these.
>
> That's what I was thinking about: making a worker thread handle the
> requests asynchronously, sending back the results when done. From your
> answer, I understand that it is feasible, it's just not sketched in the
> simpler (synchronous) examples.
>
>>> And user? Can a user process watch another (same) user process?
>> I don't think this is possible.
>
> Well, that's what I knew about Windows, and wondered whether
> things were different under Linux.
>
> OK, here is my roadmap: first make the (simpler) ports solution work,
> then implement it as a linked-in driver.
>
> Thanks.

