I am getting this message from SCC but am unsure what to tell the dev team on how to resolve it. What is the way that Google has in mind for this?
And is there maybe a way to "whitelist" some libraries and binaries but monitor for others? Because in general, the message makes sense.
In SCC the message is the following:
Added library loaded
A library that was not part of the original container image was loaded. If an added library is loaded, this is a possible sign that an attacker has control of the workload and they are executing arbitrary code.
Related
I am exploring the option of using Octoperf as a hosted solution.
One thing that I need is the ability to call some custom libraries (either Java or Javascript / Node.js).
In the SCRIPT PRE and SCRIPT POST examples in the Octoperf documentation I see calls being made to import com.google.common.base.Stopwatch. However, it is not clear to me how Octoperf knows where to pull this dependency from.
Does anyone know if there is a way to specify this and how?
this dependency in your example is already included in every JVM. If you need to add other dependencies in OctoPerf, just place them in the files menu of your project and they will be copied to lib/ext when the test is started:
https://doc.octoperf.com/design/edit-virtual-user/configuration/files/
I need to write a program that uses some COM objects, accessed from the python comtypes package. I use the clsid and/or progid to create and use them. These objects are provided by a third party, and normally they are installed with a normal installer (setup.exe or MSI file).
Let's suppose that these DLL files have a license that allows me to ship them together with my program. Is it possible to load these DLL files into memory, and use them from a portable app without actually registering them? Or alternatively, can I register them from my program?
A related question is this: how to determine the chain of DLL files that are needed to create a given COM object? (Other than trial and error.)
Background: in reality, there are multiple libs and the main problem is that I do not want the users to run 4 different installers before they can start the actual program. That would be too difficult for an average user.
You're asking a lot of questions here. There are a lot of ways to accomplish what you're trying to accomplish, and it's hard to answer such a broad set of questions. If you have specific questions on how to do a specific thing, please start new posts for those.
That said, I will try to give you some information to help you figure out what you need/want to do.
Can you use a COM DLL without registering it?
Yes. There are several ways, depending on the needs of the COM DLL and the platform you're using. However, some options won't always work, and other options are very challenging.
DllGetClassObject - In some cases, depending on the COM object you're trying to load, you can just load the DLL, call the DllGetClassObject function directly, and use the returned IClassFactory to create your object. This is the easiest way -- if it works. If the class you create requires that the DLL be registered (maybe it does a CoCreateInstance internally, or maybe it needs proxy support), this won't work for you. To determine if this will work, it's either trial-and-error, or you have to ask the developer of the COM DLL.
Registration-free COM - This is how it's done in .NET. I'm not sure if you can do anything like this easily in Python.
CoRegisterClassObject - If you are going to create your own registration-free COM implementation, this function is going to be critical. I believe this is a fundamental implementation detail for Microsoft's registration-free COM. However, be aware that this would be a very challenging thing to do, and it would require a very good understanding of COM.
Can you register a COM DLL from your program?
Yes. There are a few ways. However, you are likely to run into security issues here -- typically, COM components register themselves in HKEY_LOCAL_MACHINE, and you typically need admin rights to write here. Some COM components/installers are designed to register themselves in HKEY_CURRENT_USER, which would get around the security thing. However, you may have no control over where a component registers itself, and even if you do, registering in HKEY_CURRENT_USER isn't a perfect solution.
regsvr32.exe - One option is to programmatically invoke regsvr32.exe on the DLL.
DllRegisterServer or DllInstall - If a COM DLL can be registered with regsvr32.exe, then it has at least one of these functions exported. You can load the DLL manually and call these functions just like regsvr32.exe does. DllInstall is less common than DllRegisterServer. If DllInstall is present, it may give you the option of installing in HKEY_CURRENT_USER. If not, you have to just do whatever DllRegisterServer does, since there are no options you can provide to that function.
Write the registry values yourself -- If you can figure out all the registry settings that are needed, there's nothing stopping you from putting them into the registry manually. This would get around the HKEY_LOCAL_MACHINE/HKEY_CURRENT_USER issue -- you can write them wherever you like (but HKEY_LOCAL_MACHINE still probably requires admin rights).
regedit.exe - Another way to write the registry values yourself is to store them in a .reg file and call regedit.exe to merge them.
How do you determine dependencies of a DLL?
Ideally, the developer of that DLL knows and can tell you. That's the only way that's truly fool-proof.
For COM dependencies, it may be impossible to figure this out any other way than asking the developer or trial-and-error. This is because a COM dependency may exist simply because some code in the DLL just calls CoCreateInstance to create some third-party COM object, and since this is something that is only expressed in source code, there is no metadata on the DLL that will help you find these dependencies.
The above is also true for any dynamically-loaded dependencies. For example, if some code just calls LoadLibrary directly, there is no way for you to determine the dependency from the outside.
For statically-loaded dependencies, you can use tools like Dependency Walker. Note that a lot of the dependencies you will see are system dependencies -- you don't want to include, for example, user32.dll and kernel32.dll because these are installed with Windows.
How do you install third-party dependencies?
If you know exactly what files to write, where to write them and what registry settings (etc) need to be applied, you can do all of that yourself. For some dependencies, it can be easier to just include the third-party installer in your installer and just execute it silently. Many installers support a silent mode for just this reason. A good example of this is the Visual C++ runtime (msvcrt*.dll) -- many applications need this dependency, and many installers just include Microsoft's installer as a part of their distribution, and the primary installer just calls the secondary installers silently.
In traditional model, when program does dynamic linking of shared library, than - as one of side effects - it, usually does not have to care about updates, as when new version (let's say with security or performance fix) comes, it's updated (by some kind of package manager on some Uhix or sth equivalent on Windows), and application can benefit on next run from new version.
In such process, application maintainer does not have to perform any steps, in order for his/her users to benefit from new , fixed library.
How does it work in Native Client?
Are those libraries packed in package, so developer has to repackage every time new version of library comes,
or is there some mechanism, either to benefit from some way or sharing libraries, or getting this package repacked automatically (for example by Chrome Web Store) ?
I've eye-balled:
Distributing Your Application
Building
Application Structure
and couldn't find answer. (It does not mean it's not there, I could miss sth).
Based on my experience with NaCl, your app is responsible for updating any libraries it depends on, as those libraries are necessarily distributed with your NaCl application. The exception would be any libraries/APIs that the browser provides to the application, which would be updated along with the browser.
It turns out, there night be a way of structuring application, so app can download new shared libraries via some bootstrap executable and than run, desired one with freshly downloaded shared libraries:
http://developer.chrome.com/native-client/devguide/devcycle/dynamic-loading (please note
that it's different page than this one earlier mentioned )
search for "libreverse.so" example.
Anyhow, if you have better structured answer and/or more detailed, please let know.
I'm a complete Node noob, so I apologize if this question has an obvious answer.
I'm looking to create a web app that will run plugins from untrusted sources (i.e. community submissions). So I need to lock down those plugins into a sandbox where only certain access is allowed (can't write to disk, etc.). Ideally, the plugin would only be able to use certain approved node packages and APIs.
Is this possible in Node? If so, can you point me toward a package or documentation that will get me started?
Here is a small list of projects that can help you:
https://github.com/gf3/sandbox
https://github.com/hflw/node-sandbox
https://github.com/bcoe/sandcastle
https://github.com/wearefractal/boxy
I suggest the first one (sandbox) since it's more mature.
I would also contribute to the list with my library: https://github.com/asvd/jailed. In addition to the sandboxing of the untrusted code (in a restricted subprocess), it gives an opportunity to export any set of functions inside the sandbox thus defining a custom API for the sandboxed code.
I'm writing a small tool to do some checks on the data from one Oracle database and on LDAP.
Thinking of performance I've decided to go with C/C++, therefore I'm using the open ldap library and the oracle occi library. Now putting together the wrappers for each library I noticed that functions from the ldap library fail if I link my program with the oracle library. Going further I see there are functions defined in the oracle library with the same name as they're defined in the openldap library.
Now I did not find much on web on this issue, some advise to link first with the ldap library but that doesn't do it, it doesn't fail on init() anymore but it doesn't go past connect().
I'm doing the developing on Linux (Ubuntu), and the libraries I use are all C.
Does anyone have any advice on this? There must be someone else that have had this issue.
Any thoughts are most welcomed.
Many thanks
Unless these functions are also API entry points you should be able to make it work by linking to both as shared libraries. Then each library will use its own version of the function and you don't get to see either version unless you call it yourself.
If the functions concerned are API entry points, i.e. LDAP APIs, there is something pretty odd going on.
You can resolve this issue by specifying "-lldap -llber" in linking stage.
Ensure that you have specified oracle libray at the end in the linking stage. ldap has dependency with liblber.