473,854 Members | 1,567 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Creating a capabilities-based restricted execution system

I've been playing around with Zope's RestrictedPytho n, and I think I'm
on the way to making the modifications necessary to create a
capabilities-based restricted execution system. The idea is to strip out
any part of RestrictedPytho n that's not necessary for doing capabilities
and do all security using just capabilities.

The basic idea behind capabilities is that you don't give any piece of
code you don't trust a reference to something you don't want it to have
access to. You use proxies instead (E calls them "facets").

In order to be able to allow untrusted code to create proxy objects, I
needed to be able to store a reference to the proxied object in a
private attribute.

To create private attributes, I'm using "name mangling," where names
beginning with X_ within a class definition get changed to
_<uuid>_<name> , where the UUID is the same for that class. The UUIDs
don't need to be secure because it's not actually possible to create
your own name starting with an underscore in RestrictedPytho n; they just
need to be unique across all compiler invocations.

The nice thing about using this name mangling is that it's only done at
compile time and doesn't affect runtime performance. An interesting side
effect is that code defined on a class can access private attributes on
all descendants of that class, but only ones that are defined by other
code on that class, so this isn't a security issue.

I was thinking I needed read-only attributes to be able to avoid
untrusted code's being able to sabotage the revoke method on a proxy
object, but I'm thinking that just keeping around a reference to the
revoke method in the original code may be enough.

Does anyone think I'm going in completely the wrong direction here? Am I
missing anything obvious?
Jul 18 '05 #1
30 2588
"Sean R. Lynch" <se***@chaosrin g.org> writes:
Does anyone think I'm going in completely the wrong direction here? Am
I missing anything obvious?


Well, I have a dumb question. Have you studied the security failures
of rexec/Bastion and convinced yourself that they don't happen to your
new scheme?

You might look at the PyPy architecture doc if you haven't yet.
Making a separate object space for restricted objects may fit PyPy's
design quite naturally.
Jul 18 '05 #2
Paul Rubin wrote:
Well, I have a dumb question. Have you studied the security failures
of rexec/Bastion and convinced yourself that they don't happen to your
new scheme?
If you know of a location where the known shortcomings of rexec are
documented, please let me know. So far I've only seen a couple examples
and a lot of people saying "it's not secure so let's disable it."

My current methodology is to be very careful about adding any privileges
beyond what RestrictedPytho n allows.
You might look at the PyPy architecture doc if you haven't yet.
Making a separate object space for restricted objects may fit PyPy's
design quite naturally.


I have looked at PyPy. It's very interesting, but RestrictedPytho n is
already written and in use in Zope.

I think I've figured out a way to use my name mangling scheme to make
attributes only *writable* by code defined on a class from which an
object descends: do writes through a name-mangled method, and have
RestrictedPytho n output self._mangled_s etattr(attr, val) for each
attempted attribute assignment. This will basically make it impossible
to have attributes that are writable from other classes, but I think
it's probably a prerequisite for capabilities. Most other languages
require attributes to be set via methods anyway, right?
Jul 18 '05 #3
Sean R. Lynch wrote:
If you know of a location where the known shortcomings of rexec are
documented, please let me know. So far I've only seen a couple examples
and a lot of people saying "it's not secure so let's disable it."


The biggest problem is that new-style classes are both available through
the type() builtin, and callable to create new instances.

For example, if you have managed to open a file object f, then

type(f)("/etc/passwd").read()

lets you access a different file, bypassing all machinery that may
have been designed to prevent that from happening.

Of course, for the specific case of file objects, there is additional
machinery preventing that from happening, but in the general case,
there might be more problems in that area. For example,
object.__subcla sses__() gives you access to quite a lot of stuff.

Regards,
Martin

Jul 18 '05 #4

"Sean R. Lynch" <se***@chaosrin g.org> wrote in message
news:Lm******** ************@sp eakeasy.net...

[...]
Does anyone think I'm going in completely the wrong direction here? Am I
missing anything obvious?


Yes, you're missing something really obvious. Multi-level
security is a real difficult problem if you want to solve it
in a believable (that is, bullet-proof) fashion. The only way
I know of solving it is to provide separate execution
environments for the different privilege domains.
In the current Python structure, that means different
interpreters so that the object structures don't intermix.

If you have separate domains, then the only support
needed is to remove privileged modules from the
built-ins, and virtualize import so that it won't load
modules that aren't on the approved list for that
domain.

You also, of course, need some form of gate between
the untrusted and trusted domains.

Once that's done, there's no reason to layer additional
complexity on top, and there is no reason to restrict
any introspection facilities.

John Roth
Jul 18 '05 #5
John Roth wrote:
Yes, you're missing something really obvious. Multi-level
security is a real difficult problem if you want to solve it
in a believable (that is, bullet-proof) fashion. The only way
I know of solving it is to provide separate execution
environments for the different privilege domains.
In the current Python structure, that means different
interpreters so that the object structures don't intermix.


Hmmm, can you give me an example of a Python application that works this
way? Zope seems to be doing fine using RestrictedPytho n.
RestrictedPytho n is, in fact, an attempt to provide different execution
environments within the same memory space, which is the whole point of
my exercise. Now, I know that the lack of an example of insecurity is
not proof of security, but can you think of a way to escape from
RestrictedPytho n's environment? DoS is still possible, but as I'm not
planning on using this for completely untrusted users, I'm not too
concerned about that.
Jul 18 '05 #6
Martin v. Loewis wrote:

The biggest problem is that new-style classes are both available through
the type() builtin, and callable to create new instances.

For example, if you have managed to open a file object f, then

type(f)("/etc/passwd").read()

lets you access a different file, bypassing all machinery that may
have been designed to prevent that from happening.

Of course, for the specific case of file objects, there is additional
machinery preventing that from happening, but in the general case,
there might be more problems in that area. For example,
object.__subcla sses__() gives you access to quite a lot of stuff.


RestrictedPytho n avoids this by removing the type() builtin from the
restricted __builtins__, and it doesn't allow untrusted code to create
names that start with _. Zope3 has a type() builtin, but it returns a
proxy (written in C) to the type object to prevent access.

Right now I'm providing a same_type function instead to compare types.
Later I'll probably start playing around with C proxies.

I think the main thing that's liable to introduce new security problems
(beyond what RestrictedPytho n may already have) is the fact that
RestrictedPytho n is mostly designed to protect the trusted environment
from the untrusted environment, and what I'd really like to do is give
programmers in the untrusted environment a way to create objects and
pass them around to one another; for example, in the original setup,
class statements are allowed but not very useful in the restricted
environment, because objects created from those classes would be
read-only due to the fact that you can't create any special attributes
to tell the system how to handle security from within the restricted
environment, which is why I'm adding private attributes to the system
and figuring out a way to allow methods defined on a class to assign to
attributes on instances of that class without allowing all code to do so.
Jul 18 '05 #7

"Sean R. Lynch" <se***@chaosrin g.org> wrote in message news:Lm******** ************@sp eakeasy.net...
I've been playing around with Zope's RestrictedPytho n, and I think I'm
on the way to making the modifications necessary to create a
capabilities-based restricted execution system. The idea is to strip out
any part of RestrictedPytho n that's not necessary for doing capabilities
and do all security using just capabilities.

The basic idea behind capabilities is that you don't give any piece of
code you don't trust a reference to something you don't want it to have
access to. You use proxies instead (E calls them "facets").
"Don't give" sounds good in theory but fails in practice. You can't prevent
leakage 100%, so any security system _must_ help programmer to keep
trusted data away from untrusted code. Do you know that rexec failed
exactly because it didn't help to prevent leakage?

In order to be able to allow untrusted code to create proxy objects, I
needed to be able to store a reference to the proxied object in a
private attribute.

To create private attributes, I'm using "name mangling," where names
beginning with X_ within a class definition get changed to
_<uuid>_<name> , where the UUID is the same for that class. The UUIDs
don't need to be secure because it's not actually possible to create
your own name starting with an underscore in RestrictedPytho n; they just
need to be unique across all compiler invocations.
This is a problem: you declare private attributes whereas you should be
declaring public attributes and consider all other attributes private. Otherwise
you don't help prevent leakage. What about doing it this way:

obj.attr means xgetattr(obj,ac c_tuple) where acc_tuple = ('attr',UUID)
and xgetattr is
def xgetattr(obj,ac c_tuple):
if not has_key(obj.__a ccdict__,acc_tu ple):
raise AccessException
return getattr(obj,acc _tuple[0])

__accdict__ is populated at the time class or its subclasses are created.
If an object without __accdict__ is passed to untrusted code it will
just fail. If new attributes are introduced but not declared in __accdict__
they are also unreachable by default.

The nice thing about using this name mangling is that it's only done at
compile time and doesn't affect runtime performance. An interesting side
effect is that code defined on a class can access private attributes on
all descendants of that class, but only ones that are defined by other
code on that class, so this isn't a security issue.

I was thinking I needed read-only attributes to be able to avoid
untrusted code's being able to sabotage the revoke method on a proxy
object, but I'm thinking that just keeping around a reference to the
revoke method in the original code may be enough.

Does anyone think I'm going in completely the wrong direction here? Am I
missing anything obvious?


It depends on what type of security do you want. Did you think about DOS
and covert channels? If you don't care about that, yeah, you don't miss
anything obvious. <wink> you should worry whether you miss something
non-obvious.

By the way, did you think about str.encode? Or you are not worried about
bugs in zlib too?

-- Serge.
Jul 18 '05 #8
I hate replying to myself, but I've written some more code. I hope to
have something posted soon so people can rip it apart without needing to
resort to conjecture :)

I had been considering using a name-mangled setattr for doing attribute
assignment to only allow assignment to attributes on descendants of the
class one was writing methods on, but it occurred to me that I could
probably treat "self" as a special name using only compiler
modifications, so I could eliminate RestrictedPytho n's need to turn all
Getattrs and AssAttrs (shouldn't it be GetAttr) into method calls. Now,
of course, I'm limited to static checks on names to control access, but
Python already disallows, for example, access to f.func_globals, and
RestrictedPytho n disallows names that begin with underscore.

Now I need to write a bunch of code that uses this system and attempts
to break it :)
Jul 18 '05 #9
Serge Orlov wrote:
"Sean R. Lynch" <se***@chaosrin g.org> wrote in message news:Lm******** ************@sp eakeasy.net...
I've been playing around with Zope's RestrictedPytho n, and I think I'm
on the way to making the modifications necessary to create a
capabilitie s-based restricted execution system. The idea is to strip out
any part of RestrictedPytho n that's not necessary for doing capabilities
and do all security using just capabilities.

The basic idea behind capabilities is that you don't give any piece of
code you don't trust a reference to something you don't want it to have
access to. You use proxies instead (E calls them "facets").

"Don't give" sounds good in theory but fails in practice. You can't prevent
leakage 100%, so any security system _must_ help programmer to keep
trusted data away from untrusted code. Do you know that rexec failed
exactly because it didn't help to prevent leakage?


Hmm, this is good information. I think it will probably change the way
I've been looking at this.
In order to be able to allow untrusted code to create proxy objects, I
needed to be able to store a reference to the proxied object in a
private attribute.

To create private attributes, I'm using "name mangling," where names
beginning with X_ within a class definition get changed to
_<uuid>_<name >, where the UUID is the same for that class. The UUIDs
don't need to be secure because it's not actually possible to create
your own name starting with an underscore in RestrictedPytho n; they just
need to be unique across all compiler invocations.

This is a problem: you declare private attributes whereas you should be
declaring public attributes and consider all other attributes private. Otherwise
you don't help prevent leakage. What about doing it this way:

obj.attr means xgetattr(obj,ac c_tuple) where acc_tuple = ('attr',UUID)
and xgetattr is
def xgetattr(obj,ac c_tuple):
if not has_key(obj.__a ccdict__,acc_tu ple):
raise AccessException
return getattr(obj,acc _tuple[0])

__accdict__ is populated at the time class or its subclasses are created.
If an object without __accdict__ is passed to untrusted code it will
just fail. If new attributes are introduced but not declared in __accdict__
they are also unreachable by default.


This is very interesting, and you may convince me to use something
similar, but I don't think you're quite correct in saying that the
name-mangling scheme declares private attributes; what is the difference
between saying "not having X_ in front of the attribute makes it public"
and "having X_ in front of the attribute makes it private?"
The nice thing about using this name mangling is that it's only done at
compile time and doesn't affect runtime performance. An interesting side
effect is that code defined on a class can access private attributes on
all descendants of that class, but only ones that are defined by other
code on that class, so this isn't a security issue.

I was thinking I needed read-only attributes to be able to avoid
untrusted code's being able to sabotage the revoke method on a proxy
object, but I'm thinking that just keeping around a reference to the
revoke method in the original code may be enough.

Does anyone think I'm going in completely the wrong direction here? Am I
missing anything obvious?

It depends on what type of security do you want. Did you think about DOS
and covert channels? If you don't care about that, yeah, you don't miss
anything obvious. <wink> you should worry whether you miss something
non-obvious.


I am not (particularly) concerned about DoS because I don't plan to be
running anonymous code and having to restart the server isn't that big
of a deal. I do plan to make it hard to accidentally DoS the server, but
I'm not going to sacrifice a bunch of performance for that purpose. As
for covert channels, can you give me an example of what to look for?

I am certainly worried about non-obvious things, but my intent wasn't to
put up a straw man, because if I ask if I'm missing non-obvious things,
the only possible answer is "of course."
By the way, did you think about str.encode? Or you are not worried about
bugs in zlib too?


Well, it'll only take *one* problem of that nature to force me to go
back to converting all attribute accesses to function calls. On the
other hand, as long as any problem that allows a user to access
protected data is actually a in (zlib, etc), I think I'm not going to
worry about it too much yet. If there is some method somewhere that will
allow a user access to protected data that is not considered a bug in
that particular subsystem, then I have to fix it in my scheme, which
would probably require going back to converting attribute access to
method calls.
Jul 18 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
5041
by: Mark L | last post by:
I am trying to create a graphics engine using OpenGL and PHP. I am currently trying to create a completly white texture to test out the texturing capabilities. My idea is to create an array 256x256x3 of the value 255 to create a completely white texture. When I do this in C it works fine but in PHP I get a array of red, blue, green and black lines texturing the cube. I have built a webpage detailing this problem:...
1
2240
by: Guenther Schmidt | last post by:
Hi, does anyone know a good PHP IDE with refactoring capabilities? Refactoring meaning things like moving methods around from a subclass into the superclass, renaming methods and local variables and such things. This is basically only of interest to people who attempt to code PHP in an OOish manner. I don't really care all that much for debugging capabilities, but refactoring would be great.
4
3443
by: Roy G. Vervoort | last post by:
Is it possible (and how) to create a acrobat file with Visual Basic. (without having acrobat installed on your computer) thanks roy The Netherlands
1
1622
by: billym | last post by:
Is there any information on building BLL middle tier applications to run in an MSCS configuration? IOW, I am not just interested in scalability but fault tolerence as well but am unsure if there are design issues that must be baked in from the beginning in order for this to work?
6
1811
by: IC | last post by:
Hi, I'm building a website and I want to include a mailing list. I just want a form where a user could enter their email address, so I could send them more information. I assume that the best way to do this is with ASP. Right now, I'm learning ASP by testing pages using Abyss web sever with Active HTML. I have XP Home, so I can't use IIS. Here are my questions: 1. Is ASP the best way to create a mailing list
3
1615
by: Craig Jurney | last post by:
Am having difficulty creating a dynamic <select> element using direct assignment to the element's option array (ie. someElement.option=new Option(someText, someValue);) that will work on Palm devices runing Blazer 3.0 or Web Browser 2.0. The browsers SEEM to be JavaScript1.1+ capable and the script that I have works on every desktop-based browser, but not the PDA ones.... Any advice? Or is this a known deficiency?
44
4598
by: Greg Strong | last post by:
Hello All, Is it better to create a query in DAO where a report has 4 sub-reports each of whose record source is a query created at runtime and everything is in 1 MDB file? From what I've read and experienced it appears DAO is the way to go in this situation, so when is it good to use ADOX to create queries? Why do I ask the question? I've created a MDB file which uses DAO, but
1
2056
by: code | last post by:
Hi Grp http://www.books-download.com/?Book=1493-PHP+Hacks+%3a+Tips+%26+Tools+For+Creating+Dynamic+Websites+(Hacks) Description Programmers love its flexibility and speed; designers love its accessibility and convenience. When it comes to creating web sites, the PHP scripting language is truly a red-hot property. In fact, PHP is currently used on more than 19 million web sites, surpassing
1
1578
by: BK | last post by:
A little rant first... I have 15+ years experience with developing software. Why is it that everything related to creating reports in .NET seems so convoluted to me? I don't want to use Crystal. I've worked with SQL Reporting Services and I'm not impressed. I've spent time looking at the new ReportViewer control and I'm not impressed. The ReportViewer seemed promising, but it is just so counterintuitive to me. What am I missing...
4
1623
by: =?Utf-8?B?TmFkYXYgUG9wcGxld2VsbA==?= | last post by:
Hi everybody, I've got an ASP.NET 1.1 application and I need to add to it new Browser Capabilities information for 3 new cellular phones. I used to use http://www.asp.net/mobile/profile/MyDevices.aspx to detect the Browser Capabilities for my devices, but now I can't get to that page. When I try to get there I get a login page. When I try to login it shows the same login page WITHOUT any error. I've got an account in www.asp.net (when...
0
9751
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
1
10751
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10367
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9512
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
7079
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5740
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5940
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
2
4153
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
3185
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.