Creating a capabilities-based restricted execution system

I've been playing around with Zope's RestrictedPython, and I think I'm
on the way to making the modifications necessary to create a
capabilities-based restricted execution system. The idea is to strip out
any part of RestrictedPython that's not necessary for doing capabilities
and do all security using just capabilities.

The basic idea behind capabilities is that you don't give any piece of
code you don't trust a reference to something you don't want it to have
access to. You use proxies instead (E calls them "facets").

In order to be able to allow untrusted code to create proxy objects, I
needed to be able to store a reference to the proxied object in a
private attribute.

To create private attributes, I'm using "name mangling," where names
beginning with X_ within a class definition get changed to
_<uuid>_<name>, where the UUID is the same for that class. The UUIDs
don't need to be secure because it's not actually possible to create
your own name starting with an underscore in RestrictedPython; they just
need to be unique across all compiler invocations.

The nice thing about using this name mangling is that it's only done at
compile time and doesn't affect runtime performance. An interesting side
effect is that code defined on a class can access private attributes on
all descendants of that class, but only ones that are defined by other
code on that class, so this isn't a security issue.

I was thinking I needed read-only attributes to be able to avoid
untrusted code's being able to sabotage the revoke method on a proxy
object, but I'm thinking that just keeping around a reference to the
revoke method in the original code may be enough.

Does anyone think I'm going in completely the wrong direction here? Am I
missing anything obvious?
Jul 18 '05
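The compile-time name mangling described above (X_name inside a class body becomes _<uuid>_name, and untrusted source may not spell any underscore name), as an added example that is not code from the thread or from Zope's RestrictedPython. It uses Python 3's ast module; the X_ prefix spelling, the helper names and the sample Proxy class are assumptions of this example.

```python
import ast
import uuid

PRIVATE_PREFIX = "X_"   # assumed spelling of the post's "names beginning with X_"


class PrivateNameMangler(ast.NodeTransformer):
    """Rewrite X_name to _<uuid>_name everywhere inside a class body.

    One fresh UUID per class definition, so two classes that both use
    X_target end up with distinct attribute names. The UUID does not have to
    be unguessable: the compiler rejects any source identifier that starts
    with an underscore, so untrusted code cannot spell the mangled name.
    """

    def __init__(self):
        self._tags = []   # one tag per enclosing class definition

    def _mangle(self, name):
        if self._tags and name.startswith(PRIVATE_PREFIX):
            return "_%s_%s" % (self._tags[-1], name[len(PRIVATE_PREFIX):])
        return name

    def visit_ClassDef(self, node):
        self._tags.append(uuid.uuid4().hex)
        try:
            self.generic_visit(node)
        finally:
            self._tags.pop()
        return node

    def visit_Attribute(self, node):
        self.generic_visit(node)
        node.attr = self._mangle(node.attr)
        return node

    def visit_Name(self, node):
        node.id = self._mangle(node.id)
        return node


def reject_underscore_names(tree):
    """Refuse any identifier that begins with an underscore (the check the post
    attributes to RestrictedPython); this keeps mangled names out of reach."""
    for node in ast.walk(tree):
        ident = node.id if isinstance(node, ast.Name) else None
        if isinstance(node, ast.Attribute):
            ident = node.attr
        if ident is not None and ident.startswith("_"):
            raise SyntaxError("underscore names are not allowed: %r" % ident)


def compile_restricted(source, filename="<untrusted>"):
    """Parse, reject underscore identifiers, mangle X_ names, then compile."""
    tree = ast.parse(source, filename)
    reject_underscore_names(tree)
    tree = PrivateNameMangler().visit(tree)
    ast.fix_missing_locations(tree)
    return compile(tree, filename, "exec")


# Constructed sample: a proxy that keeps a private reference to its target.
SAMPLE = """
class Proxy:
    def __init__(self, target):
        self.X_target = target
    def get(self):
        return self.X_target
"""


def demo():
    """Returns (mangled private names on the instance, value read via the method)."""
    ns = {}
    exec(compile_restricted(SAMPLE), ns)
    proxy = ns["Proxy"]("secret")
    names = [n for n in vars(proxy) if n.endswith("_target")]
    return names, proxy.get()


def module_level_access_fails():
    """Outside a class body X_target is not mangled, so it names nothing."""
    ns = {}
    try:
        exec(compile_restricted(SAMPLE + "leak = Proxy('s').X_target\n"), ns)
    except AttributeError:
        return True
    return False


def is_rejected(source):
    """True when the compiler refuses the source outright."""
    try:
        compile_restricted(source)
    except SyntaxError:
        return True
    return False
```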

"John Roth" <ne********@jhrothjr.com> wrote in message news:vv************@news.supernews.com...

> Much of this thread has focused on "capabilities" and the use of
> proxies to implement capabilities. AFAIC, that's not only putting
> attention on mechanism before policy, but it's putting attention on
> mechanism in the wrong place.

I'm not sure why it should be discussed here since Sean referred
to E in the first post (http://www.erights.org/), so I think he's
comfortable with the policy defined by E? I think he has
missed the part that implementation should help as much as
it can prevent leaking capabilities from one security domain to
another. I pointed to that already.

> What I *haven't* seen in this thread is very much consideration of
> what people want from a security implementation.

I think Sean is talking about his own implementation. I didn't
see anywhere he said he's going to write a general implementation
for other people. He said what he wants from his implementation.

> One problem I've been playing around with is: how would you
> implement something functionally equivalent to the Unix/Linux
> chroot() facility? The boundaries are that it should not require
> coding changes to the application that is being restricted, and it
> should allow any and all Python extension (not C language
> extension) to operate as coded (at least as long as they don't
> try to escape the jail!) Oh, yes. It has to work on Windows,
> so it's not a legitimate response to say: "use chroot()."

I don't see any unsolvable problems. Could you be more specific
about what the problem is? (besides time, money, need to support
alternative python implementation, etc...)

-- Serge.
Jul 18 '05 #21

"Sean R. Lynch" <se***@chaosring.org> wrote in message news:sr********************@speakeasy.net...

> Ok, I think you've pretty much convinced me here. My choices for
> protected attributes were to either name them specially and only allow
> those attribute accesses on the name "self" (which I treat specially),
> or to make everything protected by default, pass all attribute access
> through a checker function (which I was hoping to avoid), and check for
> a special attribute to define which attributes are supposed to be
> public. Do you think it's good enough to make all attributes protected
> as opposed to private by default?

Are you talking about C++-like protected fields and methods? What if
untrusted code subclasses your proxy object?

I'm not sure how to deal with str.encode either. You don't know what
kind of codecs are registered for that method for sure; one day there
could be registered an unknown codec that does something unknown.
Shouldn't you have two (or several) codecs.py modules (instances?)
for trusted and untrusted code? And str.encode should be transparently
redirected to the proper one?

> I guess I'll just make attributes protected by default, and force the
> programmer to go out of their way to make things public. Then I can use
> the Zope/RestrictedPython technique of assuming everything is insecure
> until proven otherwise, and only expose parts of the interface on
> built-in types that have been audited.

Thinking about str.encode I convinced myself that global state shouldn't
be shared by different security domains, so that means codecs.py and
__builtins__ must be imported into each security domain separately.
It's pretty easy to do with codecs.py since it's python code. But importing
__builtins__ more than once is pretty hard since it wasn't designed
for that.

-- Serge.
Jul 18 '05 #22
Serge Orlov wrote:
> "John Roth" <ne********@jhrothjr.com> wrote in message news:vv************@news.supernews.com...
>> Much of this thread has focused on "capabilities" and the use of
>> proxies to implement capabilities. AFAIC, that's not only putting
>> attention on mechanism before policy, but it's putting attention on
>> mechanism in the wrong place.
>
> I'm not sure why it should be discussed here since Sean referred
> to E in the first post (http://www.erights.org/), so I think he's
> comfortable with the policy defined by E? I think he has
> missed the part that implementation should help as much as
> it can prevent leaking capabilities from one security domain to
> another. I pointed to that already.

I am comfortable (so far) with the policy defined by E. However, I've
been learning more about that policy as I go, including the necessity of
helping the programmer prevent leaks, which I've started to implement by
making objects completely opaque by default and requiring that classes
list attributes that they want to make public. I have kept my
name-mangling scheme for private attributes. I'm working on making
classes opaque while still allowing code to call methods defined on
superclasses but only on self, not on other objects that happen to
inherit from the same superclass.

>> What I *haven't* seen in this thread is very much consideration of
>> what people want from a security implementation.
>
> I think Sean is talking about his own implementation. I didn't
> see anywhere he said he's going to write a general implementation
> for other people. He said what he wants from his implementation.

I would like my implementation to be as general as possible, but I'm
writing it for my own projects. All this talk of "breaking existing
code" and the like is not particularly relevant to me because, while I'd
like code to look as much like regular Python as possible, it's simply
not possible not to break existing code while helping the programmer
prevent leaks. Making objects opaque by default is going to break a hell
of a lot more code than not having a type() builtin, so I think people
can see why I'm not too concerned about leaving various builtins out.

>> One problem I've been playing around with is: how would you
>> implement something functionally equivalent to the Unix/Linux
>> chroot() facility? The boundaries are that it should not require
>> coding changes to the application that is being restricted, and it
>> should allow any and all Python extension (not C language
>> extension) to operate as coded (at least as long as they don't
>> try to escape the jail!) Oh, yes. It has to work on Windows,
>> so it's not a legitimate response to say: "use chroot()."

This is an interesting problem, but not one I'm trying to solve here.
I'm modifying RestrictedPython to make it possible to use a pure
capabilities-based security model in an application server. The
application server must scale to tens of thousands of security domains,
and I see no reason why the security model can't or shouldn't be
language-based instead of OS-based. There's E for Java, why can't we
make something similar for Python? There is nothing particularly special
about Java that makes it more suitable for E than Python is. Both have
unforgeable references. I've already added object encapsulation. I'm
working on eliminating any static mutable state.

Ultimately, I'd like to have user-level threads, too. I'm considering
either using Stackless for this or doing some mangling of ASTs to make
it easier to use generators as coroutines. Unfortunately, I can't think
of a way for the compiler to tell that you're calling a coroutine from
within a coroutine and therefore needs to output "yield (locals,
resultvarname, func, args, kwargs)" instead of a regular function call
without using some special syntax. Actually, I don't even know if it's
possible to modify the locals dict of a running generator without
causing trouble.
Jul 18 '05 #23
Serge Orlov wrote:
> "Sean R. Lynch" <se***@chaosring.org> wrote in message news:sr********************@speakeasy.net...
>> Ok, I think you've pretty much convinced me here. My choices for
>> protected attributes were to either name them specially and only allow
>> those attribute accesses on the name "self" (which I treat specially),
>> or to make everything protected by default, pass all attribute access
>> through a checker function (which I was hoping to avoid), and check for
>> a special attribute to define which attributes are supposed to be
>> public. Do you think it's good enough to make all attributes protected
>> as opposed to private by default?
>
> Are you talking about C++-like protected fields and methods? What if
> untrusted code subclasses your proxy object?

Hmmm. I was thinking you'd trust those you were allowing to subclass
your classes a bit more than you'd trust people to whom you'd only give
instances, but now that you mention it, you're right. I should make all
attributes fully private by default, requiring the programmer to declare
both protected and public attributes, and I should make attributes only
writable by the class on which they're declared. I guess I also need to
make it impossible to override any attribute unless it's declared OK to
do so.

I wonder if each of these things can be done with capabilities? A
reference to a class is basically the capability to subclass it. I could
create a concept of "slots" as well. This would require a change in
syntax, however; you'd be calling setter(obj, value) and getter(obj),
and this isn't really something I could cover up in the compiler. I
think I'll forget about this for now because E just uses Java's own
object encapsulation, so I guess I should just stick with creating
Java-like object encapsulation in Python.

I need to implement a callsuper() function as well, because I don't want
to be giving programmers access to unbound methods.

> Thinking about str.encode I convinced myself that global state shouldn't
> be shared by different security domains, so that means codecs.py and
> __builtins__ must be imported into each security domain separately.
> It's pretty easy to do with codecs.py since it's python code. But importing
> __builtins__ more than once is pretty hard since it wasn't designed
> for that.

Global *mutable* state shouldn't be shared, AFAICT. I believe making
sure no mutable state is reachable through __builtins__ and having a new
globals dict for each security domain should be enough. Any modules that
are imported would need to be imported separately for each domain, which
should be possible with a modified __import__ builtin. I don't have any
intention of allowing import of unaudited C modules.
Jul 18 '05 #24
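A revocable facet of the kind the first post and the post above describe: the facet exposes only the attributes its class declares public, attribute writes are refused, and the trusted code that built it keeps the revoke function for itself. Added example, not the thread's code; the __public__ declaration, the Revoked exception, the Account class and the helper names are assumptions, and, as in the thread, it relies on the restricted compiler forbidding underscore names (a forwarder's __closure__ would otherwise lead back to the target).

```python
class Revoked(Exception):
    """Raised when a facet is used after its holder's revoke() was called."""


def make_facet(target, public=None):
    """Return (facet, revoke).

    The facet exposes only the names the target's class lists in __public__
    (or the explicit `public` argument); every other attribute, the target
    itself, and attribute writes are unreachable through it. revoke() is
    returned separately so trusted code can keep it and never hand it out.
    """
    allowed = frozenset(public if public is not None
                        else getattr(type(target), "__public__", ()))
    state = {"target": target}     # the only path back to the real object

    def live():
        obj = state["target"]
        if obj is None:
            raise Revoked("facet has been revoked")
        return obj

    class Facet:
        __slots__ = ()

        def __getattr__(self, name):
            if name not in allowed:
                raise AttributeError("facet does not expose %r" % name)
            value = getattr(live(), name)
            if not callable(value):
                return value
            # Hand out a forwarder rather than the bound method, so the
            # revocation check runs on every call, not just on lookup.
            def forward(*args, **kwargs):
                return getattr(live(), name)(*args, **kwargs)
            return forward

        def __setattr__(self, name, value):
            raise AttributeError("facet is read-only")

    def revoke():
        state["target"] = None

    return Facet(), revoke


# Constructed sample class with a declared public interface.
class Account:
    __public__ = ("balance", "deposit")

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance

    def deposit(self, amount):
        self.balance += amount
        return self.balance

    def withdraw(self, amount):
        self.balance -= amount
        return self.balance


def demo():
    """Exercise the facet from the untrusted side; returns a dict of observations."""
    acct = Account("alice", 100)
    facet, revoke = make_facet(acct)      # trusted code keeps revoke
    seen = {}
    seen["deposit"] = facet.deposit(50)
    seen["balance"] = facet.balance
    seen["withdraw_hidden"] = not hasattr(facet, "withdraw")
    seen["owner_hidden"] = not hasattr(facet, "owner")
    try:
        facet.balance = 0
        seen["read_only"] = False
    except AttributeError:
        seen["read_only"] = True
    deposit = facet.deposit               # untrusted code caches a method...
    revoke()                              # ...and the holder revokes
    try:
        deposit(1)
        seen["revoked"] = False
    except Revoked:
        seen["revoked"] = True
    seen["final_balance"] = acct.balance  # the trusted side is unaffected
    return seen
```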

"Serge Orlov" <so********@pobox.ru> wrote in message
news:bt***********@nadya.doma...

> "John Roth" <ne********@jhrothjr.com> wrote in message news:vv************@news.supernews.com...
>> What I *haven't* seen in this thread is very much consideration of
>> what people want from a security implementation.
>
> I think Sean is talking about his own implementation. I didn't
> see anywhere he said he's going to write a general implementation
> for other people. He said what he wants from his implementation.

I see that point, and now that it's been made explicit (I missed
it the first time around, sorry), I'm ok with it.

>> One problem I've been playing around with is: how would you
>> implement something functionally equivalent to the Unix/Linux
>> chroot() facility? The boundaries are that it should not require
>> coding changes to the application that is being restricted, and it
>> should allow any and all Python extension (not C language
>> extension) to operate as coded (at least as long as they don't
>> try to escape the jail!) Oh, yes. It has to work on Windows,
>> so it's not a legitimate response to say: "use chroot()."
>
> I don't see any unsolvable problems. Could you be more specific
> about what the problem is? (besides time, money, need to support
> alternative python implementation, etc...)

Well, I don't see any unsolvable problems either. The biggest
sticking point is that the Unices use hard links to create
a directory tree that has the necessary programs available.
Windows does not have this capability, so an implementation
would have to build a virtual directory structure, intercept all
paths and map them to the virtual structure backwards and
forwards.

The reason I find it an interesting problem is that I can't see
any way to do it with the kind of "generic" facility that was
in the Python Restricted execution facility, at least without a
complete redesign of the file and directory functions and
classes in the os module. Without that, it would
require code in the C language implementation modules.
Right now the file and directory management modules are a
real mess.

John Roth

> -- Serge.

Jul 18 '05 #25

"Sean R. Lynch" <se***@chaosring.org> wrote in message news:mv********************@speakeasy.net...
> Serge Orlov wrote:
>> "Sean R. Lynch" <se***@chaosring.org> wrote in message news:sr********************@speakeasy.net...
>>
>> Thinking about str.encode I convinced myself that global state shouldn't
>> be shared by different security domains, so that means codecs.py and
>> __builtins__ must be imported into each security domain separately.
>> It's pretty easy to do with codecs.py since it's python code. But importing
>> __builtins__ more than once is pretty hard since it wasn't designed
>> for that.
>
> Global *mutable* state shouldn't be shared, AFAICT.

Right, I missed this simple rule. My mind is still confined by my recent
attempt to add security by only translating bytecode without any changes
to the interpreter.

> I believe making
> sure no mutable state is reachable through __builtins__

Are you going to create multiple __builtins__ or are you just going
to get rid of any global objects in __builtins__? The first lets you
handle str.encode the right way.

> and having a new
> globals dict for each security domain should be enough. Any modules that
> are imported would need to be imported separately for each domain,

Can C modules be imported more than once in CPython?

> which
> should be possible with a modified __import__ builtin. I don't have any
> intention of allowing import of unaudited C modules.

Agreed.

-- Serge.
Jul 18 '05 #26

"John Roth" <ne********@jhrothjr.com> wrote in message news:vv************@news.supernews.com...
> "Serge Orlov" <so********@pobox.ru> wrote in message
> news:bt***********@nadya.doma...
>> "John Roth" <ne********@jhrothjr.com> wrote in message
>> news:vv************@news.supernews.com...
>>> One problem I've been playing around with is: how would you
>>> implement something functionally equivalent to the Unix/Linux
>>> chroot() facility? The boundaries are that it should not require
>>> coding changes to the application that is being restricted, and it
>>> should allow any and all Python extension (not C language
>>> extension) to operate as coded (at least as long as they don't
>>> try to escape the jail!) Oh, yes. It has to work on Windows,
>>> so it's not a legitimate response to say: "use chroot()."
>>
>> I don't see any unsolvable problems. Could you be more specific
>> about what the problem is? (besides time, money, need to support
>> alternative python implementation, etc...)
>
> Well, I don't see any unsolvable problems either. The biggest
> sticking point is that the Unices use hard links to create
> a directory tree that has the necessary programs available.
> Windows does not have this capability, so an implementation
> would have to build a virtual directory structure, intercept all
> paths and map them to the virtual structure backwards and
> forwards.
>
> The reason I find it an interesting problem is that I can't see
> any way to do it with the kind of "generic" facility that was
> in the Python Restricted execution facility, at least without a
> complete redesign of the file and directory functions and
> classes in the os module. Without that, it would
> require code in the C language implementation modules.
> Right now the file and directory management modules are a
> real mess.

Right, you can do it with a custom importer and wrapper
functions over all file and directory functions. But that's
a mess over a mess and any mess is *bad* for security.
The way out of the mess is probably a filepath object that
should consolidate all access to files and directories.
If you wanted to make the point that the std library should
be designed with security in mind, I agree with you.
One step in that direction is to design everything OO.
OO design plays nice with capabilities.

-- Serge.
Jul 18 '05 #27

"Serge Orlov" <so********@pobox.ru> wrote in message
news:bt***********@nadya.doma...
> "John Roth" <ne********@jhrothjr.com> wrote in message news:vv************@news.supernews.com...
>> "Serge Orlov" <so********@pobox.ru> wrote in message
>> news:bt***********@nadya.doma...
>>> "John Roth" <ne********@jhrothjr.com> wrote in message
>>> news:vv************@news.supernews.com...
>>>>
>>>> One problem I've been playing around with is: how would you
>>>> implement something functionally equivalent to the Unix/Linux
>>>> chroot() facility? The boundaries are that it should not require
>>>> coding changes to the application that is being restricted, and it
>>>> should allow any and all Python extension (not C language
>>>> extension) to operate as coded (at least as long as they don't
>>>> try to escape the jail!) Oh, yes. It has to work on Windows,
>>>> so it's not a legitimate response to say: "use chroot()."
>>>
>>> I don't see any unsolvable problems. Could you be more specific
>>> about what the problem is? (besides time, money, need to support
>>> alternative python implementation, etc...)
>>
>> Well, I don't see any unsolvable problems either. The biggest
>> sticking point is that the Unices use hard links to create
>> a directory tree that has the necessary programs available.
>> Windows does not have this capability, so an implementation
>> would have to build a virtual directory structure, intercept all
>> paths and map them to the virtual structure backwards and
>> forwards.
>>
>> The reason I find it an interesting problem is that I can't see
>> any way to do it with the kind of "generic" facility that was
>> in the Python Restricted execution facility, at least without a
>> complete redesign of the file and directory functions and
>> classes in the os module. Without that, it would
>> require code in the C language implementation modules.
>> Right now the file and directory management modules are a
>> real mess.
>
> Right, you can do it with a custom importer and wrapper
> functions over all file and directory functions. But that's
> a mess over a mess and any mess is *bad* for security.
> The way out of the mess is probably a filepath object that
> should consolidate all access to files and directories.
> If you wanted to make the point that the std library should
> be designed with security in mind, I agree with you.
> One step in that direction is to design everything OO.
> OO design plays nice with capabilities.
>
> -- Serge.

Sean Ross took a pass at this idea in the thread
"Finding File Size" starting on 1/1. That got renamed
to "Filename Type" somewhere fairly quick.

There's now a pre-pep http://tinyurl.com/2578q
for the notion, thanks to Gerrit Holl.

John Roth

Jul 18 '05 #28
Serge Orlov wrote:
> "Sean R. Lynch" <se***@chaosring.org> wrote in message news:mv********************@speakeasy.net...
>> Global *mutable* state shouldn't be shared, AFAICT.
>
> Right, I missed this simple rule. My mind is still confined by my recent
> attempt to add security by only translating bytecode without any changes
> to the interpreter.

You were translating bytecode rather than working with ASTs? That would
be hard to maintain, considering that Zope found it too difficult to
maintain even manipulating concrete syntax trees. Also, I don't really
consider that I'm modifying the interpreter, I'm just giving the
interpreter a different globals dict.

>> I believe making
>> sure no mutable state is reachable through __builtins__
>
> Are you going to create multiple __builtins__ or are you just going
> to get rid of any global objects in __builtins__? The first lets you
> handle str.encode the right way.

I'm not sure what you mean by this. I'm creating a dict for
__builtins__, but AFAIK it's not possible for code to modify the
__builtins__ dict other than through the name __builtins__, which starts
with an underscore and so is invalid. All of the objects I have in
__builtins__ right now are immutable within the restricted environment
because they're either functions or classes.

Python modules that are imported in the restricted environment will be
read-only and each domain will get its own copy. This should prevent
leaks caused by two domains importing the same module and then
performing operations that affect the state of the module. Modules will
need to explicitly specify what names they want to export the same way
classes do in order to prevent inadvertent leaks.

>> and having a new
>> globals dict for each security domain should be enough. Any modules that
>> are imported would need to be imported separately for each domain,
>
> Can C modules be imported more than once in CPython?

Not that I'm aware of, which is why they will need to be audited for
mutable state and other sources of leaks and excess privilege. C modules
that we need that have problems will get proxies the same way E has
proxies for Swing.
Jul 18 '05 #29
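The per-domain isolation the last few posts converge on (no shared mutable global state; a fresh globals dict, a trimmed builtins dict and a private module copy per domain, obtained through a modified __import__), as an added example that is not the thread's code. The audited-module registry, the stand-in for codecs.py and the helper names are assumptions; a trimmed builtins dict alone is not a jail without the compiler's underscore-name check, so the block shows the state-sharing problem and the per-domain fix, not a complete sandbox.

```python
import builtins
import types

# Constructed stand-in for codecs.py: a pure-Python module whose registry is
# module-level mutable state.
REGISTRY_SOURCE = """
handlers = {}

def register(name, fn):
    handlers[name] = fn

def lookup(name):
    return handlers.get(name)
"""
AUDITED_MODULES = {"registry": REGISTRY_SOURCE}   # the only importable modules
SAFE_BUILTINS = ("len", "range", "sorted", "ImportError")


def fresh_module(name):
    """Build a brand-new module object from audited source, never from sys.modules."""
    if name not in AUDITED_MODULES:
        raise ImportError("module %r is not available to restricted code" % name)
    mod = types.ModuleType(name)
    mod.__dict__["__builtins__"] = {}   # the audited source needs no builtins
    exec(compile(AUDITED_MODULES[name], "<%s>" % name, "exec"), mod.__dict__)
    return mod


class Domain:
    """One security domain: its own globals, its own builtins, its own module cache."""

    def __init__(self, name):
        self.name = name
        self.modules = {}
        safe = {k: getattr(builtins, k) for k in SAFE_BUILTINS}
        safe["__import__"] = self._import        # the modified __import__
        self.globals = {"__builtins__": safe, "__name__": "domain." + name}

    def _import(self, name, globals=None, locals=None, fromlist=(), level=0):
        # Per-domain cache: two domains never receive the same module object.
        if name not in self.modules:
            self.modules[name] = fresh_module(name)
        return self.modules[name]

    def run(self, source):
        exec(compile(source, "<%s>" % self.name, "exec"), self.globals)
        return self.globals


def shared_state_leaks():
    """The broken design: both domains are handed the same module object."""
    shared = fresh_module("registry")
    a, b = Domain("a"), Domain("b")
    a.modules["registry"] = shared
    b.modules["registry"] = shared
    a.run("import registry\nregistry.register('size', len)")
    b.run("import registry\nhit = registry.lookup('size')")
    return b.globals["hit"] is not None     # True: a's write is visible in b


def per_domain_copies_isolate():
    """The fix the thread settles on: each domain imports its own copy."""
    a, b = Domain("a"), Domain("b")
    a.run("import registry\nregistry.register('size', len)")
    b.run("import registry\nhit = registry.lookup('size')")
    return b.globals["hit"] is None         # True: b's registry is untouched


def unaudited_import_rejected():
    """Anything outside the audited set (C modules included) cannot be imported."""
    try:
        Domain("c").run("import os")
    except ImportError:
        return True
    return False
```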
I put up a page on my Wiki with what I can remember off the top of my
head of what we've discussed so far and some of what I've implemented so
far (though my implementation is in flux). It's at
<http://wiki.literati.org/CapablePython>. Feel free to add comments.
Jul 18 '05 #30
