Prolog and Vulnerabilities

Kenichi Sasagawa

An Unexpected Panic

N-Prolog has most of its functionalities in place, and I was planning to leisurely explore mathematics and Prolog. But unexpectedly, a bug report caught my eye. A vulnerability in N-Prolog had been reported on JVN (Japan Vulnerability Notes). It’s N-Prolog, a minor system in the niche world of Prolog. Could this be a mistake?
No, it was a report of a vulnerability in the N-Prolog that I developed.

The Cause

Apparently, there was a possibility of the global buffer crashing, which could potentially be exploited for a DoS attack.
Oh no! I had completely overlooked buffer overflow protection! I quickly had ChatGPT review and analyze the code, and, as expected, it was indeed a buffer overflow issue. I hadn’t implemented countermeasures because I didn’t expect such extreme usage.
So, I promptly addressed the overflow issue and rushed to release version 3.22 with the fix.

A Calm Reflection

However, after calming down, I realized that N-Prolog doesn’t have any internet-related features like TCP/IP functionality. The system I modeled it after, ARITY/PROLOG, was developed in the early 1980s, long before the internet was available to the general public. Back then, the idea that vulnerabilities could be exploited through the internet was completely unimaginable.
In keeping with ARITY/PROLOG’s simple, local execution model, N-Prolog even includes a predicate called shell/1. If you input shell(ls)., it runs the ls command in the shell. This makes it easy for a malicious actor to run harmful programs. SWI-Prolog, on the other hand, has protections against this. It doesn’t just pass commands to the shell; it ensures the safety of the command before execution. SWI-Prolog also has internet functionalities and is designed for such practical use cases.

N-Prolog, on the other hand, was created mainly for local use — like studying classical AI or controlling robots — for fun. The chances of it being attacked or misused over the internet are almost nonexistent. For now, I’m happy to keep N-Prolog true to its original ARITY/PROLOG roots, preserving the simplicity of an earlier era.

sasagawa888/nprolog: interpreter and compiler to be compatible with ARITY/PROLOG(MS-DOS) (github.com)
