views: 163

answers: 1

I'm possibly writing a plugin system for a Cocoa application (Mac, not iPhone).

A common approach is to make each plugin a bundle, then inject the bundle into the main application. I'm concerned with the security implications of doing this, as the bundle will have complete access to the Objective-C runtime. I am especially concerned with a plugin having access to the code that handles registration and serial keys.

Another plugin system we are considering is based on distributed notifications. Basically, each plugin will be a separate process, and they will communicate via distributed notifications only.

Is there a way to load bundles securely (e.g. sandboxing)? If not, do you see any problems with using distributed notifications? Are there any other plugin architectures that would be better?

+1  A: 

Yes, OS X has sandboxing support on a per-process level. The only open-source third-party client I'm aware of is Chrome. You could also investigate a wrapper such as Native Client.

That said, there's really no point in trying to sandbox plugins for security reasons, unless you're loading untrusted plugins or content over the network (i.e. a web browser). If someone wants to crack your application locally, they can just use a debugger, DTrace, etc.

What IPC mechanism you use between your app and plugin processes really depends on the type of communication you're doing. Intermachine Distributed Objects (I assume that's what you meant to write) is certainly not a bad choice for most purposes, but you wouldn't want to send video over it. You might check out CoreIPC, which the under-development WebKit2 uses; it works over Mach ports.

Nicholas Riley
Thanks for the sandboxing link. I was actually talking about `NSDistributedNotificationCenter`, but I'll have a better look at distributed objects. My worry with bundles is that plugin developers will use `objc_getClassList` and start swizzling/calling methods that they shouldn't be touching, whether that's for cracking purposes or not. It sounds like a separate process is definitely the way to go.
Tom Dalling
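The trade-off discussed above (an in-process bundle shares the host's address space and runtime, while a separate plugin process only sees whatever the host chooses to answer over IPC) can be shown with a small host/plugin split. The following is an added example, not code from the question, the answer or any of the projects mentioned; it is written in Python rather than Objective-C so it runs anywhere, and a newline-delimited JSON pipe stands in for the Mach-port, Distributed Objects or distributed-notification transport. The operation names, the `_PRIVATE_STATE` licensing stand-in and the document data are all constructed for the demo.

```python
"""Host/plugin split with a narrow, allow-listed IPC surface.

The host keeps sensitive state (a constructed stand-in for registration
or serial-key data) in its own process and answers only a fixed set of
requests.  The plugin runs as a child process whose only channel to the
host is JSON lines on stdin/stdout, so it never sees host objects.
"""
import json
import subprocess
import sys

# Constructed stand-in for data a plugin must never be able to reach.
_PRIVATE_STATE = {"serial": "PLACEHOLDER-SERIAL", "licensed": True}

# Constructed document state the host is willing to expose via the broker.
_DOCUMENT = {"title": "Untitled", "words": ["alpha", "beta"]}


def _op_document_title(_args):
    return _DOCUMENT["title"]


def _op_word_count(_args):
    return len(_DOCUMENT["words"])


def _op_append_word(args):
    word = args.get("word")
    if not isinstance(word, str) or not word:
        raise ValueError("word must be a non-empty string")
    _DOCUMENT["words"].append(word)
    return len(_DOCUMENT["words"])


# The allow-list: an op not listed here is refused, so nothing under
# "license.*" exists from the plugin's point of view.  Names are made up.
BROKER_OPS = {
    "document.title": _op_document_title,
    "document.wordCount": _op_word_count,
    "document.appendWord": _op_append_word,
}


def handle_request(raw_line):
    """Validate one request line from a plugin and build the reply dict."""
    try:
        req = json.loads(raw_line)
        if not isinstance(req, dict):
            raise ValueError("request must be an object")
        op = req.get("op")
        args = req.get("args", {})
        if not isinstance(op, str) or not isinstance(args, dict):
            raise ValueError("malformed request")
    except ValueError:  # includes json.JSONDecodeError
        return {"ok": False, "error": "malformed request"}
    handler = BROKER_OPS.get(op)
    if handler is None:
        return {"ok": False, "error": "unknown or refused op"}
    try:
        return {"ok": True, "result": handler(args)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


def in_process_plugin_sees_secret():
    """What an in-process plugin gets: the same address space, so it can
    read anything the host holds (the analogue of walking the Objective-C
    runtime and calling whatever it finds)."""
    host = sys.modules[__name__]
    return getattr(host, "_PRIVATE_STATE")["serial"]


# Source of the plugin child process (constructed).  It takes the list of
# requests to issue as argv[1], sends each one, waits for the reply, and
# finally reports every reply it received.
_PLUGIN_SOURCE = r"""
import json, sys
received = []
for req in json.loads(sys.argv[1]):
    sys.stdout.write(json.dumps(req) + "\n")
    sys.stdout.flush()
    received.append(json.loads(sys.stdin.readline()))
sys.stdout.write(json.dumps({"done": True, "replies": received}) + "\n")
sys.stdout.flush()
"""


def run_plugin(requests):
    """Spawn the plugin process, broker its requests, return what it got."""
    proc = subprocess.Popen(
        [sys.executable, "-c", _PLUGIN_SOURCE, json.dumps(requests)],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        while True:
            line = proc.stdout.readline()
            if not line:
                raise RuntimeError("plugin exited without finishing")
            try:
                msg = json.loads(line)
            except ValueError:
                msg = None
            if isinstance(msg, dict) and msg.get("done") is True:
                return msg.get("replies", [])
            # Every other line is a request: broker it, never hand over objects.
            proc.stdin.write(json.dumps(handle_request(line)) + "\n")
            proc.stdin.flush()
    finally:
        proc.stdin.close()
        proc.stdout.close()
        proc.wait(timeout=10)


if __name__ == "__main__":
    print(run_plugin([{"op": "document.title"}, {"op": "license.serial"}]))
```

The point of the structure is that `BROKER_OPS` is the whole attack surface of the host as seen from a plugin: adding an operation is a deliberate decision, and a request for anything else (or a malformed line) gets a refusal rather than an object reference. Distributed notifications would give the same isolation, but with the caveat from the answer that a broadcast transport is a poor fit for large or latency-sensitive payloads.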