[Bf-committers] "Security" gets in the way

Benjamin Tolputt btolputt at internode.on.net
Thu Apr 29 08:23:11 CEST 2010


Harley Acheson wrote:
> I am a Blender noob, a long-time developer (25 years but very little with C), 
> but I spend my days as a network administrator for a large-ish network (650 
> users, 700 computers). So you would naturally think that I would be in the 
> “theoretical IT types” in favor of high security in Blender.
> ...
> At my very secure network my users cannot do anything (with python or anything else) 
> that could wreck the computer they are using because they don’t run with the privileges 
> necessary to do such damage. They are also unable to damage any files but their own, 
> and if they manage that they can just restore them themselves from a snapshot from a few 
> hours earlier. Or they can have me restore their files from a backup. 
>   

Actually, from that I would think you'd be one of those calling for
Blender to have an option on installation to ignore security. After all,
you are in a network situation where someone with knowledge of security
has put time & effort into locking down machines & their capabilities.
You've obviously got a decent backup system in place and would be
knowledgeable in the risks / exploits you'd need to guard the network
against.

In fact, aside from the fact I am a developer (HelpDesk & network admin
was not my thing), you are very similar to myself in what I know & how I
would go about securing my own computing resources. The environment you
describe sounds like a well regulated production studio network too:
highly networked, strict & frequent backups, and with user accounts
designed to be as foolproof as the sys-admin guy can make them.

This is the PERFECT environment for allowing unfettered control over
Python as damage will be restricted and the worst that can happen is
files the user has access to will be sent out into the Internet to be
picked up by whoever compromised their system.

Unfortunately, most people downloading and playing with Blender will NOT
be in such an environment. They'll be users tinkering around with Blender
in an unsecured network, without backups, with a file system fully
accessible to a compromised Blender installation, and (most importantly)
without the knowledge there might be a danger in opening a scene file they
downloaded from the web.

> Yes, it is easy to make a python script that steals passwords or deletes your files, just 
> as it is easy to do so in any programming language. The danger potentially lurking in 
> an evil blend file is the same as in any program you could download from the internet. 
>   

While stealing your passwords and deleting your files is bad, the most
common use of malware at the moment is in the creation of nodes in a
bot-net. These are usually just outlets for spam and participants in
DDOS attacks. You might also lose passwords and/or have your files
deleted, but the commercial success of hacking machines for this purpose
is limited.

Bot-nets on the other hand are profitable for the criminal organisations
that "sponsor" such malware development. A bot-net can send out millions
of emails from Nigerian Royalty, phallic herbal pharmacies, and banks
seeking verification of your username & password. These ARE profitable
enterprises, as is the use of bot-nets to blackmail gambling sites &
the like with the threat of DDOS attacks (backed up by taking them
offline for an hour or so first).

Also, in the minds of most end-users "opening" a document (or .blend)
they got off the web is very different to "running" a program they
downloaded. This is reinforced by the fact that one is asked whether
they want to open a file or save it (in Chrome & FireFox) for documents
and only given the choice of saving the file if it has a recognised
application extension. And, for the most part, applications that allow
opening files that might give unauthorised access to the users computer
tend to pop-up a warning of such ("This file has macros which may do X,
Y, & Z. Do you wish to enable them when loading? Yes. No"). Leading me
into...

> There isn’t any comparison to Word and Excel macro viruses or other types of threat. 
> Blend files just don’t have the same audience, or the ability to quickly propagate. You 
> either need fast self-replication or very fast and wide direct distributions in order to keep 
> it from self-limiting and to isolate the writer of the threat from getting caught. 
>
> Seriously… try to imagine a scenario where you could cause mischief in some way with 
> an autoexecuting Blend that would be long-lasting and leaves you anonymous, and 
> therefore out of jail. Blend files just aren’t traded and shared the way the Word files are. 
> We’ve had the ability to run scripts on load for years and this threat has yet to surface.
>   

Yes, Word & Excel documents are more popular. No debating that... but
claiming that because someone hasn't exploited a security hole yet it is
not likely to happen is something I find VERY surprising coming
from a network admin. Security holes can exist for years (when
unpatched) before someone finds a way to use them in a leap-frog attack.
This particular security hole allows for completely unhindered access to
whatever the Blender application has access to, from the file system to
the network. Python tells you what operating system you are on and it is
relatively trivial to include a Base64 encoded application or three in
text blocks of the blend file. One could easily leap-frog an attack
based on knowing what OS is running, extracting the appropriate program,
and running it. Or I could just look for important files on the machine
and start uploading them to the distributed bot-net.

Can anyone from the Durian team honestly tell me they locked down the
machine they tested the results of the recent sprint on? I mean, the
rigs already had scripts in them - who is to say no-one changed that and
added in some malicious code? These are developers and people intimately
familiar with the problems that this might cause and hiding one's
identity behind a hotmail/yahoo address is not difficult. And that is
something thought up in the last five minutes. Someone with actual
experience in compromising systems and a reason to spend some time
thinking about it I am POSITIVE would find a way to use an unrestricted
remote execution exploit.

> So for me this isn’t a “security hole”, but just what any program can potentially do. You 
> have to weigh the risks and deal with all the possibilities. My users are much more likely 
> to accidentally delete files themselves than have something else do it for them.
>   

For you, it might be. For someone not in your well-protected set of
users, there is more to consider. Most people do NOT expect opening a
document or scene file to execute arbitrary code. While I know it is
POSSIBLE, I would think such behaviour in any application other than one
*dedicated* to running arbitrary scripts a bug that should be fixed.

We need to stop looking at what we, as educated & experienced
developers, admins, and studio artists, are used to and start looking at
what the average person downloading Blender off of the website would
expect. I highly doubt a poll of said end-users would answer the
question "Would you accept opening a downloaded file in Blender to open
the contents of your computer to someone on the Internet?" in the positive.
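The mitigation the thread keeps circling back to is the Office-style "this file has macros, enable them?" gate: scripts embedded in a scene file do not run on load unless the user has opted in, and even then only for files from a location the user has chosen to trust. The following is an added example written for this page, not code from the post, from Blender, or from any Blender developer. The `SceneFile`/`TextBlock` layout, the `register` flag, the `Policy` fields, the `RISK_PATTERNS` table and the sample file are all hypothetical simplifications constructed for illustration; the real .blend format and Blender's preferences are not modelled here.

```python
# Added example: a load-time gate for documents that embed scripts, modelled on
# the macro-warning behaviour the post describes. Everything below is a
# constructed simplification, not Blender's own data model or settings.
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TextBlock:
    name: str
    body: str
    register: bool = False  # hypothetical "run this text block on load" flag


@dataclass
class SceneFile:
    path: str
    texts: List[TextBlock] = field(default_factory=list)


@dataclass
class Policy:
    auto_run_scripts: bool = False       # global opt-in; off by default
    trusted_dirs: Tuple[str, ...] = ()   # only files under these paths may auto-run


# Capabilities a scene-setup script rarely needs. They only make the prompt
# informative; a clean scan is never a reason to skip the prompt.
RISK_PATTERNS = {
    "spawns processes": re.compile(r"\b(subprocess|os\.system|os\.popen|os\.exec\w*)\b"),
    "decodes embedded binaries": re.compile(r"\bbase64\.b64decode\b"),
    "talks to the network": re.compile(r"\b(socket|urllib|http\.client|ftplib)\b"),
    "writes to disk": re.compile(r"\bopen\([^)]*['\"][wa]"),
}


def autorun_blocks(doc: SceneFile) -> List[TextBlock]:
    """Text blocks the file asks to execute on load."""
    return [t for t in doc.texts if t.register]


def describe_risks(block: TextBlock) -> List[str]:
    """Labels for the capabilities a script body appears to use."""
    return [label for label, rx in RISK_PATTERNS.items() if rx.search(block.body)]


def is_trusted_source(path: str, policy: Policy) -> bool:
    """True only if the file lives under a directory the user explicitly trusted."""
    real = os.path.abspath(path)
    for d in policy.trusted_dirs:
        base = os.path.abspath(d)
        try:
            if os.path.commonpath([real, base]) == base:
                return True
        except ValueError:  # different drives on Windows: not under base
            continue
    return False


def decide(doc: SceneFile, policy: Policy,
           user_consent: Optional[bool] = None) -> Tuple[str, List[str]]:
    """Return (action, reasons). action: 'load' (no scripts), 'run', 'skip', 'prompt'.

    Default is deny: scripts run only with a trusted source plus the global
    opt-in, or with an explicit yes from the user for this file.
    """
    blocks = autorun_blocks(doc)
    if not blocks:
        return "load", []
    reasons = []
    for b in blocks:
        risks = describe_risks(b)
        reasons.append(f"{b.name}: " + (", ".join(risks) if risks else "no flagged capabilities"))
    if policy.auto_run_scripts and is_trusted_source(doc.path, policy):
        return "run", reasons
    if user_consent is True:
        return "run", reasons
    if user_consent is False:
        return "skip", reasons
    return "prompt", reasons


# Constructed sample: a file that landed in a Downloads folder carrying a text
# block flagged to run on load. The script body is a non-working sketch of the
# pattern the post describes (decode an embedded blob, start it); the gate only
# pattern-matches it, it never executes it.
DOWNLOADED = SceneFile(
    path="/home/artist/Downloads/free_rig.blend",
    texts=[
        TextBlock("rig_ui.py", "import bpy\n# builds a rig panel\n", register=True),
        TextBlock("setup.py",
                  "import base64, subprocess\n"
                  "blob = base64.b64decode(PAYLOAD)\n"
                  "subprocess.Popen([blob_path])\n", register=True),
    ],
)
STUDIO_POLICY = Policy(auto_run_scripts=True, trusted_dirs=("/srv/projects",))
HOME_POLICY = Policy()

if __name__ == "__main__":
    for label, pol in (("home user", HOME_POLICY), ("studio", STUDIO_POLICY)):
        action, why = decide(DOWNLOADED, pol)
        print(f"{label}: {action} -> {'; '.join(why)}")
```

The design point is that the trust decision is about where the file came from and whether the user opted in, not about what the scan finds: the capability labels exist so the prompt can say something more useful than "this file has scripts", and a file from a trusted project share under a policy that opted in loads without a prompt, which is the studio case the thread describes.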