Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!uakari.primate.wisc.edu!uwm.edu!uwvax!tank!eecae!netnews.upenn.edu!grad1.cis.upenn.edu!ranjit
From: ranjit@grad1.cis.upenn.edu (Ranjit Bhatnagar)
Newsgroups: comp.sys.amiga.tech
Subject: Another 1.4 Request: Secure AREXX
Message-ID: <15071@netnews.upenn.edu>
Date: 4 Oct 89 03:32:06 GMT
Sender: news@netnews.upenn.edu
Reply-To: ranjit@grad1.cis.upenn.edu.UUCP (Ranjit Bhatnagar)
Organization: University of Pennsylvania
Lines: 61

So, Commodore, you're gonna put AREXX in 1.4, eh? Soon the place will be
crawling with scripts, and some of them will be simple viruses or booby
traps. That was one of the objections that I brought up to my idea of
symbolic links to REXX scripts.

Therefore I strongly suggest that you implement a SECURE mode for AREXX,
in which, for any given script,

  1) writing to files and "peek/poke" can be disabled
  2) ADDRESS can be limited to an arbitrary list of hosts
  3) external commands can be filtered to limit them to harmless ones

If a script attempted to violate its probation, so to speak, it would be
suspended, and a requester would pop up:

    AREXX script "calculator" attempted to talk to SIGNUSSPELL.

    [[KILL IT!]]   [Well, OK, just this once]   [remove all protection]

A good use for this facility would be in multimedia/hypertext applications
like I suggested in c.s.amiga. Most scripts would not be allowed to talk to
anybody except the multimedia host which invoked them.

There are a lot of kinks to be worked out -- what should the default
permissions for symbolic link scripts be? What if your multimedia document
wants to talk to The Director or MicroFiche Filer or some such program
which is mostly harmless but could be tricked into causing damage?

Note that this facility is as useful for protecting against accidental
problems as it is against deliberate booby traps.
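To make the proposal concrete, here is a toy model of the "secure mode" sketched above: a per-script Policy covering the three protections, and a guard that suspends the script and asks the user the three-way question from the requester mock-up. This is an added illustration in Python, not ARexx or Commodore code; the class and callback names (Policy, SecureHost, requester) are invented for the example.

```python
# Toy model of the proposed "Secure AREXX" mode (added illustration, not ARexx code).
# Each script runs under a Policy; a violation suspends the script and asks the
# user the three-way question from the post: kill, allow once, or drop protection.
from dataclasses import dataclass, field

KILL, ONCE, UNPROTECT = "kill", "once", "unprotect"   # the three requester buttons

@dataclass
class Policy:
    allow_write: bool = False                   # 1) file writes off by default
    allow_peek_poke: bool = False               # 1) peek/poke off by default
    hosts: set = field(default_factory=set)     # 2) ADDRESS limited to these ports
    commands: set = field(default_factory=set)  # 3) external commands deemed harmless

class ScriptKilled(Exception):
    """Raised when the user picks [[KILL IT!]] at the requester."""

class SecureHost:
    def __init__(self, script, policy, requester):
        self.script, self.policy = script, policy
        self.requester = requester     # callback(script, what) -> KILL | ONCE | UNPROTECT
        self.unprotected = False       # set once the user chose [remove all protection]
        self.audit = []                # every operation the host actually performed

    def _guard(self, permitted, what):
        """Let permitted work through; otherwise suspend and consult the user."""
        if permitted or self.unprotected:
            return
        answer = self.requester(self.script, what)   # script is suspended here
        if answer == KILL:
            raise ScriptKilled(f'AREXX script "{self.script}" {what}')
        if answer == UNPROTECT:
            self.unprotected = True
        # ONCE: this single operation proceeds; the next violation asks again

    def address(self, host, msg):
        self._guard(host in self.policy.hosts, f"attempted to talk to {host}")
        self.audit.append(("address", host, msg))

    def write(self, path, data):
        self._guard(self.policy.allow_write, f"attempted to write {path}")
        self.audit.append(("write", path, data))

    def poke(self, location, value):
        self._guard(self.policy.allow_peek_poke, f"attempted to poke {location:#x}")
        self.audit.append(("poke", location, value))

    def command(self, name, *args):
        self._guard(name in self.policy.commands, f"attempted to run {name}")
        self.audit.append(("command", name, args))
```

The audit list is what a "safe mode" host could show the user afterwards; a real implementation would also have to decide the default Policy for scripts reached through symbolic links, which the post leaves open.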
Similarly, perhaps developers who create applications with AREXX ports
should give them 'safe' modes, in which any external request for a
destructive operation would require a confirmation by the user.

Even without Secure AREXX, the situation is no different from that of
public domain software. Unless you have the source code and are willing
and able to read it, you just have to trust that the program is not booby
trapped. With AREXX you always have access to the source, at least.

It's slightly more dangerous with AREXX than ordinary software, though,
because a naive user may be invoking scripts all the time much more
casually than he or she would invoke unknown programs - for instance, in
reading multimedia mail (voicemail) or trying out the latest macro package
for emacs. A Hypercard script on the Mac could easily be programmed to
wipe out your hard disk; it would be nice to have a little bit of extra
safety on the Amiga.

I hope the Commodore folks will consider this.

	-ranjit

"Trespassers w"		ranjit@eniac.seas.upenn.edu	mailrus!eecae!netnews!eniac!...
	"Such a brute that even his shadow breaks things." (Lorca)