Re: security of the emacs package system, elpa, melpa and marmalade

[Ted Zlatanov]

On Thu, 26 Sep 2013 12:25:32 -0400 Richard Stallman <address@hidden> wrote: 

RS> The basic question is, what sorts of things do we want security against?

RS> So far, we have put effort into security against

RS> * Attacks through files you might examine.

RS> * Surreptitious substitution of the wrong code
RS>   instead of what you think you are downloading.

RS> If the existence of package repositories introduces new ways to do
RS> those things, we should do what is needed to make them safe.

We need to question whether relying on GPG is the right thing here, or
if we need an Emacs Lisp-based or C-based solution to authenticate
content signatures.  I am leaning towards the latter after years of
experience with GPG and epg.el (without questioning the quality of
epg.el, which is very good).  At the very least, spawning an external
process to verify a signature for every package download seems wasteful.

In addition, I think we need reviews of package updates before they are
rolled out on the GNU ELPA.  It's a lot of work.

RS> Does anyone think we should start worrying about some other attack?

"Just because you're paranoid doesn't mean they're not after you."

Here is a quick list of other attacks.  I am not posing conspiracy
theories; the below are all based on real-life compromises I have seen
in other software or in GNU Emacs.

(note that the GNU ELPA can be used by many versions of Emacs, some with
bugs that are fixed later but could be exploitable at that version)

- injection of binary blobs, even if well-intended

- injection of external resources, e.g. a URL which suddenly starts
  generating an image that can exploit a libgif bug to compromise a
  system (note that this can be easily targeted to a single IP)

- DDoS of a target website or service by using their resources (this
  could be intentional or accidental)

- injection of code that is not GPLed or is otherwise legally
  questionable

- targeted attacks, e.g. compromises that work on only one user's
  machine but behave well otherwise

- exploits of the Emacs Lisp parser, e.g. imagine a bug in the hashtable
  reader or a specially-formatted comment that breaks the symbol table
  (I'm not aware of such bugs, this is just an example)

- exploits of file-local variables

- advice-based attacks (package X advises function F in a non-obvious
  way to compromise security)

I hope this is useful.

Ted