All geek questions in one place

Best way to implement a plugin - DLL is the only way (C / C ++ project)?

Introduction:

I am currently developing document classifier software in C / C ++, and I will use the naive Bayes class model for classification. But I wanted users to use any algorithm they want (or I want in the future), so I went to separate the part of the algorithm from the architecture as a plugin that will be attached to the main app of the @app application. Therefore, any user can write their own algorithm as a plugin and use it with my application.

Problem:

The way I am going to develop this is to have each of the algorithms that the user wants to use to be included in a DLL file and placed in a specific directory. And at the beginning, my application will look for all the DLLs in this directory and load them.

My questions:

(1) What should I do if the malicious code is created as a DLL (and it will have the same functions that are provided by the plugins) and placed in my plugins directory? In this case, my application will think that its plugin selects it and calls it functions, so malicious code can easily bring my entire application down (in the worst case, my application can be launched as malicious code !!!).

(2) Is the use of a DLL the only available for implementing a plugin design pattern? (Not only because of fear of a malicious plugin, but also because of its general question out of curiosity :))

(3) I think many software tools are written using the plugin model for extensibility, if so, how are they protected from such attacks?

(4) In general, what do you think of my decision to use the plugin model for extension (do you think I should look at any other alternatives?)

thanks

-MicroKernel :)

+4
source share
7 answers

  • Do not worry about malicious plugins. If someone managed to steal a malicious DLL into this folder, they probably also have the ability to directly execute the material.

  • As an alternative to DLLs, you can plug in a scripting language such as Python or Lua and enable script plugins. But maybe in this case you need the speed of the compiled code?

    For a Python attachment, see here . The process is not very complicated. You can link statically to the interpreter so that users do not need to install Python on their system. However, any non-built-in modules must be shipped with your application.

    However, if the language does not really matter to you, the Lua attachment is probably simpler because it is specifically designed for this task. See this section of your guide.

  • See 1. They do not.

  • Using the plugin model sounds like a great solution, provided that at the moment the problem of lack of extensibility is a problem. It may be easier to hard code the current model and add the plugin interface later if it turns out that there is actually a demand for it. It is easy to add, but difficult to remove when people started using it.

+5
source

Malicious code is not the only problem with the DLL. Even a well-designed DLL may contain an error that could lead to the failure of your entire application or a memory leak.

Downloading a module in a high-level language slightly reduces the risk. If you want to learn about the implementation of Python, for example, here .

Another approach is to run the plugin in a separate process. This requires a little more effort to implement, but it is much safer. A separate approach to the process is used by the Google Chrome web browser, and they are a document describing the architecture .

The main idea is to provide a library for plugins, which includes all the logic for communicating with the main application. Thus, the plugin author has an API that they use, just as if they were writing a DLL. Wikipedia has a good list of interprocess communication (IPC) methods .

+4
source

1) If there is a malicious dll in your plugin folder, you are probably already compromised.

2) No, you can load assembler code dynamically from a file, but it will just reinvent the wheel, just use a DLL.

3) There is no Firefox extension, even with its javascript plugins. Everything else that I know uses its own code from dynamic libraries and, therefore, it is impossible to guarantee security. Then Chrome has NaCL, which conducts an extensive analysis of the binary code and rejects it if it cannot be 100% sure that it does not violate the boundaries and what is not, although I am sure that they will have more and more vulnerabilities the passage of time.

4) Plugins are fine, just limit them to trusted people. Alternatively, you can use a secure language such as LUA, Python, Java, etc., and upload a file to that language, but limit it to only a subset of the APIs that won't harm your program or environment.

+3
source

(1) Can you use OS security features to prevent unauthorized access to the folder in which the DLL is searched or downloaded? This should be your first approach.

Otherwise: run a threat analysis - what is the risk, what are the known attack vectors, etc.

(2) Not necessarily. This is the most difficult question if you want to compile plugins, which is mainly related to performance, access to OS functions, etc. As already mentioned, consider scripting languages.

(3) Typically, by writing "to prevent malicious code from executing, restrict access to the plugin folder."

(4) There is a fairly small cost - even when using a plugin framework that you are not familiar with yet. It increases the cost:

  • main application (plugin functionality)
  • plugins (much higher degree of isolation)
  • Installation
  • debugging + diagnostics (errors that occur only with a specific plugin combinator)
  • (users need to know and manage plugins)

It only pays if

  • installing / updating core software is much more complicated than updating plugins
  • individual components must be updated individually (for example, the user can combine different versions of plugins)
  • other people develop plugins for your main application.

(There are other advantages to moving code into a DLL, but they do not apply to plugins per se)

+2
source

What to do if malicious code is created as a DLL

Generally, if you do not trust the dll, you cannot load it anyway.

This would be correct for any other language, even if it is interpreted.

Java and some languages ​​do very hard work to limit the user’s capabilities, and this only works because they run on a virtual machine.

So no. Downloaded Dll plugins can only come from a trusted source.

Does the DLL use the only way to implement the plugin design pattern?

You can also embed some interpreter in your code, for example, GIMP allows you to write plugins in python.

But keep in mind that this will be much slower, because if the nature of any interpreted language.

+1
source

We have a product very similar in that it uses modules to extend functionality.

We do two things:

  • We use BPL files, which are underneath DLLs. This is a special technology from Borland / Codegear / Embarcadero in C ++ Builder. We use some functions of the RTTI type to publish a simple API similar to the main one (argv []), so any number of parameters can be pushed onto the stack and pushed by the DLL.

  • We also embed PERL in our application for things that are more logical in nature.

Our software is an accounting / ERP suite.

+1
source

Take a look at existing plugin architectures and see if there is anything that can be reused. http://git.dronelabs.com/ethos/about/ is the one link I encountered during the glip + googling plugin. glib may perhaps be easier to develop a plugin architecture. Gstreamer uses glib and has a very nice plugin architecture that can give you some ideas.

0
source

Source: https://habr.com/ru/post/1309313/

More articles:


All Articles