rc3.org - Ruby Gems as an attack vector

Ruby Gems as an attack vector

In Commentary on 31 August 2008 tagged Ruby, security, unix with 3 comments

Tim Bray warns of the dangers of Ruby Gems as an attack vector. The risk is that basically anyone can create a Gem and make it available using the gem installer.

I’ll say that this is why real systems administrators detest the various packaging schemes that scripting languages offer. It’s generally a much better practice to manage libraries through the operating system’s centralized packaging system — Red Hat’s RPM, FreeBSD Ports, Debian/Ubuntu’s APT, and so forth. Administrators who want to go beyond the vendor-approved repositories for packages are free to do so, but packages from the vendor list can be installed with relative confidence.

Who knows what to expect from packages from CPAN, PEAR, RubyForge, and the like? (This also ties into my longer argument about why developers are the natural enemy of the systems administrator, but I’ll get into that some other time.)

3 Comments

One thing any of these packaging systems should steal from yast, yum, apt, etc. is rudimentary code signing. Even the storied CPAN doesn’t support this. (CPANPLUS does, however.) That would go a long way to stopping various real MITM attacks – and I’m including creative programmers among those in the middle.

Using the bundled modules with distribution signatures as a safety is essentially another trusting-trust problem. Where did they download it? It would be foolish to expect that distribution maintainers vet every library.

Posted by po on 3 September 2008 @ 12am

It would be foolish to expect that distribution maintainers vet every library.

I thought that was supposed to be part of their whole value-add though — because otherwise, why not just use a community-supported distro?

Rafe, I’d love to hear the “developers are the enemy of the sysadmin” post; I’m not sure I agree with you…

Posted by genehack on 3 September 2008 @ 6am

I thought that was supposed to be part of their whole value-add

I’ve only ever seen this as a feature point with security-oriented Linux distributions like Trustix and Engarde. Those distributions tend to base their security model on a framework like SELinux or AppArmor combined with a reduction in packages to reduce the attack surface.

Since many package maintainers seem to handle hundreds of packages it seems improbable that they do a security audit for each. If they do, it’s certainly not documented well.

Posted by po on 14 September 2008 @ 5pm

Leave a Comment

← On Sarah Palin and everything else The Google Browser →

About

This is the weblog of Rafe Colburn. I'm a software developer and computer book author, but this blog is really about whatever catches my interest on a day to day basis. I've been blogging since December, 1998.

Recently

Et Cetera

You can follow @rc3dotorg on Twitter here. My personal Twitter account is @rafeco. If you know what an RSS feed is, you can subscribe to the rc3.org feed here.

← Back to Home

© rc3.org. Powered by WordPress using the DePo Skinny Theme.