Safe Tcl

Safe-Tcl is a mechanism that initializes a Tcl interpreter to a safe subset of Tcl commands so that Tcl scripts cannot harm their hosting machine or application. There are also mechanisms to grant privileges to a safe interpreter so the script can do non-trivial things. The set of privileges granted to an untrusted script (i.e., a safe interpreter) is called a security policy.

At one extreme, a security policy can be so limited that an untrusted script can only compute a string. (Even still, an untrusted script might compute a very large string, or take a very long time to compute it. These attacks are considered later.) We are interested in granting non-trivial capabilities to untrusted scripts, such as the ability to display windows on the users screen, fetch URLs from a limited set, send email with limited content to a limited set of addresses, and so on.

The primary mechanism provided by Safe-Tcl to grant privileges is command aliases. An alias is a command in the untrusted interpreter that is really implemented by a different, fully trusted interpreter. This is much like the user-mode and kernel-modes in multiuser operating systems. In Safe-Tcl, an untrusted script is isolated in its interpreter context, and given a few extra commands that are carefully implemented by another Tcl intpreter to ensure safety.

Security Principles

When creating a security policy, there are a number of high-level principles to keep in mind.

1. Safe-Tcl supports multiple policies. We expect there to be a family of security policies used with Safe-Tcl. There will be a "base policy" that you get by default. Additional policies provide non-trivial functionality to applets that is still safe, to some degree. System designers will appreciate a choice among security policies; one size does not fit all.
2. Lean towards security and away from features. The mechanisms of Safe-Tcl let us construct any policy. It is better to proceed cautiously and implement policies that tend to be more restrictive as opposed to dumping in features. The more features that are added, the more difficult it is to maintain security. Or, the easier it is to break security.
3. Whatever your policy, document it well. Each security policy should carefully document the capabilities that it provides. Known weaknesses are especially important to document. All this information is important to applet designers, and to system administrators. The former want to work around problems. The later need to judge the safety of using your policy.
4. Implement policies in Tcl, not C. The preferred method to providing security is to completely remove unsafe commands and replace them with aliases implemented in Tcl. It is also possible to provide two versions of the C implementation of a command (e.g., the open or file commands), or to put one or more special case checks in the C code to take different actions if the current interpreter is untrusted. However, the C-level approach scatters the implementation of a particular security policy throughout the C code. This is error-prone and difficult to analyze. In contrast, moving the policy into a set of Tcl aliases, the security policy will be concentrated into one place. It will be easier to analyze, fix errors, and distribute.
5. The Tk plugin security policy is implemented in the safe.tcl script. Please examine this for flaws and report them to us.

Example

Consider the Tcl file command. This has two sorts of operations. The first sort poke around in the file system. The second set of operations just manipulate file names. It can be argued that the ability to look around the file system is not safe, but it is safe to manipulate file names is safe. (e.g., get the extension of a file name). The basic approach to ensuring safety is to first completely remove the file command from safe interpreters (priniciple 2). It is replaced with a command alias (priniciple 4). The alias restricts what operations it will allow, implements the ones that are ok, and returns the results to the child. The implementation looks like this:

proc Interp_File {operation args} {
 switch -- $operation {
	 extension -
	 dirname -
	 rootname -
	 tail {
	 return [file $operation [lindex $args 0]]
	 }
	 default {
	 error "Unsupported file operation: $operation"
	 }
 }
}
# Now create a safe interpreter and install the alias
interp create -safe untrusted
interp alias untrusted file {} Interp_File

The Interp_File command is executed in a trusted interpreter. It can use the regular file command to do its work, once it has determined that the untrusted has asked for a safe operation. This is easy because there is no state hidden inside the untrusted interpreter that is needed to implement the functionality.

Tcl Plug In Security Policy

The Netscape Tcl plugin supports Tcl/Tk applets, also called Tclets. The Tcl plugin implements the standard Safe-Tcl subset, plus a limited version of Tk. The following Tcl commands are removed from the Safe-Tcl interpreter used to run Tcl applets.

• bell - ring terminal bell
• cd - change directory
• clipboard - access CLIPBOARD selection
• exec - run programs
• exit - terminate the process
• glob - match file names in a directory
• grab - grab the cursor
• menu - display a menu
• load - dynamically load shared libraries that implement new Tcl commands in C.
• open - open a file. Actually a restricted version of this command is available that lets you open files in the Tcl script library for reading only.
• pwd - query current directory
• send - send Tcl commands to other Tk applications
• socket - open a network socket
• source - load script files.
• tk - set/query Tk application name
• tkwait - block on events. You can use vwait to wait for variables to change.
• toplevel - create toplevel windows.
• wm - window manager control
• Tk images cannot be created from files. Instead, the image create photo command now takes a base64 encoded gif as a string instead of reading from a file.

Additional features

The safe.tcl file in the tcl script library initializes the safe interpreter. It creates several aliases that add features on top of the base policy described above. These are manifest as command aliases.

• exit - this deletes the Tcl applet and cleans up any resources it uses.
• source - this is limited to load files from the Tcl and Tk script libraries.
• load - load shared libraries that are found in the Tcl script library.
• open - open files for reading that are found in the Tcl script library. Only a small number of files can be open at once.
• close - a special version that does additional record keeping.
• maketmp - open a read/write scratch file that will be deleted when the Tcl applet terminates.
• puts - limit output to files to 100 Kbytes.
• fconfigure - a query only version of this command. The Tcl applet cannot change I/O channel attributes.
• file - a subset of the Tcl file command that only does pathname manipulation and does not do any querying of the file system contents.
• bgerror - the default version of this command terminates the Tcl applet after a small number of background errors.

Potential problems:

• focus -force can be used to screw around with the keyboard focus.
• No CPU limit.
• No Memory allocation limit.
• Some color specifications crash Tk.
• Non-monotonic lsort commands crash Tcl on Solaris and some other UNIX's.

This is the main Tcl Developer Xchange site, www.tcl-lang.org . About this Site | [email protected]
Home | About Tcl/Tk | Software | Core Development | Community | Documentation