#software security

On the one hand, I like that Tumblr seems to never expire its OAuth tokens. This is convenient for me.

On the other hand, I don't see any UI to revoke tokens that have been issued to an instance of an "app". Like, you create a new set of tokens in the "console", and then those keys seemingly work for years.

Can I list them somewhere? Does OAuth have a standard way to do client-initiated revocation?

If not, this becomes a gaping security risk.

Long-lived unrevocable keys are far more valuable to attackers, precisely because you might as well steal them and then hold them until you think of some attack, or find a buyer who has one in mind.

Long-lived keys also enable ransomware, long cons, and entirely new forms of targetted attacks (like editing the victim's old posts as part of gaslighting, or ruining their reputation and trying to rile up a mob). But if you can revoke them, that's at least a decent middle ground of security and convenience -- you make a new key for each new device, and revoke keys per-device as-needed.

I guess the workaround would be to register a new app for each device, and then you can go to your app list and... oh. oh god. you can't delete apps either.

Okay, I know this isn't a general purpose security topic, but hey, I've seen a lot of Tumblr users admit to being in software dev over the years ;) Adam Shostack, well known in the security space on a variety of topics, particularly threat modeling, has a new book out. The twist? Looking at the concept of threats to software through the lens of Star Wars.

Remember that? Remember how nice that was?

You just typed/pasted the URL, typed/piped any other content, and then it just prompted you to type your password. Done. That's it.

Now you need to log in with a browser, find some obscure settings page with API keys and generate a key. Paternalism demands that since some people insecurely store their password for automatic reuse, no one can ever API with a password.

Fine-grained permissions for the key? Hope you got it right the first time. You don't mind having a blocking decision point sprung on you, do ya? Of course not, you're a champ. Here's some docs to comb through.

That is, if the service actually offers API keys. If it requires OAuth, then haha, did you really think you can just make a key and use it? you fool, you unwashed barbarian simpleton.

No, first you'll need to file this form to register an App, and that will give you two keys, okay, and then you're going to take those keys, and - no, stop, stop trying to use the keys, imbecile - now you're going to write a tiny little program, nothing much, just spin up a web server and open a browser and make several API calls to handle the OAuth flow.

Okay, got all that? Excellent, now just run that program with the two keys you have, switch back to the browser, approve the authorization, and now you have two more keys, ain't that just great? You can tell it's more secure because the number of keys and manual steps is bigger.

I haven't looked deeply enough to opine on design specifics, but from a birds-eye view: finally!

If you think about software security much, you know how frustrating it is that unprivileged processes have so few options for reducing their privileges even further.

And of course, only from inside the program can you get the most precise idea of how much you can limit your capabilities - just how little your logic needs.

a rant that ended up flowing into "structured privileges"

Thinking about the execve(2) interface of UNIX, particularly with elevated privileges - especially in combination with the UNIX philosophy of little tools that do small jobs well.

This generalizes, actually - the same ideas of privilege segregation could apply within a process if languages and runtimes took advantage of modern kernels' support for it - at least in Linux, where processes and threads are basically the same kernel primitive, with just a few configuration differences.

Anyway, it bothers me that the default behavior is that if I start a root program, everything it executes is also root. In some sense, the ideal default for a program with a privileged effective UID and an unprivileged real ID is that the execve system call drops privileges - and if you want to keep privileges, that should be an explicit flag.

Even more ideally, this wouldn't be a flag that you, as the program with privileged effective UID or effective capability set or whatever, get to just set however you want - this should be some sort of object, like a file descriptor or a 128-bit random key or a pointer into read-only mapped memory, which is given to you by the caller who gave you elevated privileges. So your options are either "drop privileges" or "keep any privileges that your caller allowed you to keep" - notably absent from your options is an unconditional "keep privileges".

Of course, one problem here is that at some levels of abstraction, forking another process should be an implementation detail - when I call a program as root, I shouldn't have to know "this program wants to fork a child", let alone details like which child programs, how many, how deep the process tree goes, and so on.

So execve isn't exactly the right boundary here, at least not always. But here are a couple examples where the execve boundary is user-facing and explicit, and is the right boundary:

Suppose I want to run a privileged `find` program - because it needs to look inside directories that only root can read, and then I want to run some un-privileged command per file path - the most secure thing, especially if I don't have time to audit the command's source and build and binary for problems, is to prefix my exec arguments for find with something like sudo -iu "$USER" so that the child process of find drops privileges back down to my user before running the command.

For another example, suppose I want to run something like fzf on a list of paths, and then I want fzf to use `bat` to preview those files. bat could need read-only root privileges if some of those files are only root-readable, but there's no great way to give those privileges to just bat instead of fzf - at best, I run sudo once before running fzf, sudo caches my credentials, and then I set the preview argument of fzf to include a sudo call. But this isn't friendly to building larger programs: if the fzf call is inside some larger script, that script now has to either unconditionally include that sudo call, or include it or not based on either a flag that is passed in or if it already has special privileges.

Going back to how this generalizes, this same problem happens with libraries - instead of calling into another program, you call into some library, but either way, you probably don't have time to audit the whole thing, and it often doesn't need all the elevated privileges that you have - if I've got code to parse YAML inside my process, those instructions don't need any privileges besides access to the input bytes and enough memory to return the parsed result, and yet I have to go out of my way to isolate them and drop privileges if I want to be safe from some exploitable parser bug.

Ideally, code should have to go out of its way to explicitly take privileges that it either needs or can optionally use, as a kind of parameter. The whole system, from the ground up, would be built with APIs which have a bias towards dropping privileges and which require every privilege to be passed in from higher up in the call tree. Then the path of least resistance aligns with security: if you're writing code which doesn't need privileges, you don't go out of your way to take them from the caller - if you need privileges to do something, you have no choice but to reveal it in the API.

The only wrinkle here is that people should be able to write middleware which doesn't know or care about privileges, but is transparent to them. The simplest solution is to do what Go did with its context type - force middleware to take that parameter, and pass it through just in case the thing it calls needs it. This is... better than privilege use being invisible, but it's still pretty bad, especially when we generalize it to a granular "permissions" object, since middleware would need an arbitrarily permissive type: instead of knowing if we're calling something that requires privileges, we are back to calling something that might use any of the privileges we fed into it, and we can't know without inspecting the middleware.

In languages with templates, the permissions could be expressed as a template parameter, and then it's at least clear that the middleware takes whatever permissions its callee requires - and someone higher up in the call stack is defining the callee, so they have the responsibility and knowledge of those permissions. But this still isn't really enough, that's just a nice way to make the type system transparently propagate information about elevated privileges to the places where a developer is most served by knowing it.

But at runtime, we need a distinction between a usable privilege, and an unusable "sealed" privilege which is just being passed through code from a higher caller to a transitive callee which has what they need to unseal it.

This has been on my mind for a couple years now, at least. The overarching theme here is that ideally software has a reified representation of all interesting privileges, which ideally is both visible in the type system and actually enforced at runtime, and that code should be forced to be explicit whenever it uses or passes privileges to do anything.

A critical security vulnerability in Gogs, the self-hosted Git service, went publicly disclosed after repeated attempts to contact the project's maintainers reportedly received no response. The flaw could allow remote code execution on default installations, creating a serious risk for organizations running exposed Gogs instances.

The situation has drawn attention not only because of the vulnerability itself, but because it highlights a broader issue in open-source software. Many widely used projects depend on a very small number of maintainers, and when development slows down or communication breaks down, security fixes can stall even if the software remains in active use. Researchers noted that other reported vulnerabilities had also remained unresolved due to a lack of maintainer engagement.

Security experts have recommended that Gogs users restrict public access, disable open registration where possible, strengthen authentication, and consider migrating to more actively maintained alternatives. The episode has also renewed discussion around how companies and organizations rely on open-source infrastructure without always contributing resources back to the projects they depend on.

My Feedback:

"In France, civil servants will ditch Zoom and Teams for a homegrown video conference system. Soldiers in Austria are using open source office software to write reports after the military dropped Microsoft Office. Bureaucrats in a German state have also turned to free software for their administrative work.

...

The French city of Lyon said last year that it’s deploying free office software to replace Microsoft. Denmark’s government and the cities of Copenhagen and Aarhus have also been trying out open-source software.

...