medo-bear 18 hours ago

It is (should be) well known that macros, lisp ones and even less capables ones from other languages, are problematic for security. I think a good temporary mitigation to this in Emacs is scanning 3rd party .el files for macros. If there is a macro present give trust warning and offer decreased functionality if untrusted

2
VyseofArcadia 18 hours ago

Macros are pretty ubiquitous in lisp. This would result in a trust warning for pretty much every .el file. I think this would go about as well as Windows Vista UAC pop ups or State of California cancer warnings. If everything is dangerous, nothing is.

2 replies
deng 17 hours ago

If I understand this correctly, this exploit only works with macros that evaluate at least one of their arguments, otherwise no code is actually run. These kind of macros are not that common. I guess one possible fix would be to mark these kind of macros as potentially dangerous and do not expand them automatically for things like code completion and such.

medo-bear 17 hours ago

The qualifying term is 'trusted'. If you are running an application like emacs you damn sure better trust it. It's like running Windows and saying you don't trust it.

AS for macros in lisp, they are not as ubiquitous as it might seem to an outsider. I write lisp professionally. I write one macro a month, if that, and often I rewrite it as a function afterwards. Saying that macros are ubiquitous in lisp is a meme. To most lispers macros are last resort

SoftTalker 17 hours ago

This is what Word and Excel (used to?) do when opening (or was it previewing?) .doc and .xls files in email. Macros, if present, were disabled.

1 reply
kazinator 5 hours ago

Microsoft office macros are not Lisp macros.

When you load a Lisp source code file, each of the forms and that file is read and executed.

You know like pretty much any scripting language.

You don't need a macro to perpetrate damage.

Bash doesn't have macros. yet it's a very bad idea to do this:

  wget https://url | bash
Lisp macros execute even when a file is not being executed but only compiled. What that means is that you have to trust a file in order to compile it because by doing so you're running it.

Besides compiling any other tooling which expands macros is vulnerable to execution. As we can see in this article, there our situations when if you're working with list code inside Emacs, it will expand the macros.

If you were going to blindly run the code anyway, that makes no difference. But developers often look at untrusted source code with no intention to run it and not expecting to do anything harmful just by sitting in their editor.

In principle Lisp macros could be sandboxed. The vast majority of macros do not need to do any system access. They just look at their argument code pieces and calculate a new piece of code, without any side effects or accessing anything in the system.