Ten months ago I posted “What about security issues in Fortran?” and it was just a theoretical game in my mind, having always written my own Fortran programs during my whole career, with very few copy/pastes of functions found on the net. But these last days, installing fpm on several machines and playing with it, I realized it is now a practical question, and a deep one.
Is Fortran harmless?
Definitely not, since it can access the file system. But the most dangerous feature is probably execute_command_line() (or its ancestors like the system() GNU extension), which passes an arbitrary string to the system's command interpreter.
The deletion game
Let’s play in a Linux virtual machine:
$ fpm new killing_joke
$ cd killing_joke
In killing_joke.f90, let’s add just one Fortran line:
call execute_command_line("rm * -rf")
$ fpm run
The program runs from the project directory, so it wipes out the project itself, source included:
0 directories, 0 files
Let’s create another project:
$ fpm new armaggedon
with that line (NEVER TYPE THAT COMMAND!):
call execute_command_line("rm ~/* -rf")
A little fpm run and your home is empty… (in fact, you still have the hidden files, since * does not match names starting with a dot).
Happily, I have never run Fortran programs as root. And fpm does not need to be launched as root (interestingly, the same day I was thinking about that, there was that discussion on fpm). So your system partition is safe…
With execute_command_line() you can of course call commands like curl to download malicious code or upload some files somewhere. If an encryption tool is available, you may also encrypt some directories (and there is no reason to hope such tools require sudo: openssl or gpg run fine as an ordinary user) => ransomware… Note also that your Linux home stores your emails, your ssh keys (for example your GitHub keys), etc.
It’s all about trust… and vigilance
Of course, the problem is not specific to Fortran. A good practice is to use only the official repos of your OS, because you trust them: you assume there are some security mechanisms (algorithmic and social) to detect malicious code, and also simply some code quality control (with rm, an unfortunate error can quickly happen!).
If you download programs from other locations and they are open source, you can in theory read the source to be sure the risk is nil, which implies you know the language and the source is not too long. You also trust the protocols and tools: https, git clone, GitHub… And finally, you trust people (but note that on GitHub anybody can fork a repository).
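Reading the whole source is rarely realistic, but a first pass can be automated. The script below is an added example, not part of the original post or of fpm: it greps a Fortran source tree (say, a project you just cloned) for the routines that hand a string to the shell, so you can at least look at those lines before typing fpm run. The function names and the pattern list are mine, the list is a starting point rather than an exhaustive one, and it assumes GNU-style find and grep (-iname, -H, case-insensitive bracket expressions).

```shell
#!/bin/sh
# Added example (not from the original post, not part of fpm): a first-pass
# audit of a Fortran source tree for routines that run shell commands.
# Assumes GNU-style find/grep (-iname, -H, -i applied to bracket expressions).

# Constructed pattern list, a starting point rather than an exhaustive one:
#  - execute_command_line(  : Fortran 2008 intrinsic
#  - system( / systemqq(    : gfortran / Intel extensions
#  - bind(c ...)            : C interop can reach system(3) or popen(3) too
SHELL_ESCAPE_PATTERN='execute_command_line[[:space:]]*\(|(^|[^a-z_])system(qq)?[[:space:]]*\(|bind[[:space:]]*\([[:space:]]*c[[:space:]]*[,)]'

# audit_fortran_tree DIR
# Prints every suspicious line as file:line:text (case-insensitive, since
# Fortran is). Returns 0 if anything was flagged, 1 if the tree looks clean.
# "system_clock(" is deliberately not matched: only a space or "(" may follow.
audit_fortran_tree() {
    dir="${1:-.}"
    hits=$(find "$dir" -type f \( -iname '*.f' -o -iname '*.f77' -o -iname '*.f90' \
                -o -iname '*.f95' -o -iname '*.f03' -o -iname '*.f08' \) \
                -exec grep -inHE "$SHELL_ESCAPE_PATTERN" -- {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# count_shell_escapes DIR: number of flagged lines, 0 for a clean tree.
count_shell_escapes() {
    audit_fortran_tree "$1" | grep -c . || true
}

# Usage: save as audit.sh, then `sh audit.sh path/to/project`.
# The guard keeps this from running when the file is sourced under another name.
if [ "${0##*/}" = "audit.sh" ]; then
    if audit_fortran_tree "${1:-.}"; then
        echo "Review the lines above before running this project."
    else
        echo "No shell escapes found (dependencies in fpm.toml still need a look)."
    fi
fi
```

A grep is not a review: a program can still delete or exfiltrate files with plain open/write, and everything listed under [dependencies] in fpm.toml is fetched and built as well, so the same check has to be run on each dependency you pull in.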