[Python-Dev] new security doc using object-capabilities
Brett Cannon
brett at python.org
Thu Jul 20 00:35:45 CEST 2006
After various people suggesting object-capabilities, takling with Mark S.
Miller of the E programming language, and the people Mark works with at HP
Labs (who have been giving talks every week during this month here at Google
on object-capabilities), I have decided to go with object-capabilities for
securing interpreters. I have rewritten my design doc from scratch and
deleted the old one. The new doc is named securing_python.txt and can be
found through the svn web interface at
http://svn.python.org/view/python/branches/bcannon-sandboxing/securing_python.txt?rev=50717&view=log.
I have pretty much ignored any concrete API and such and gone more
with a
conceptual doc to make sure the API does not get in the way of the core
security model.
Using object-capabilities should make the implementation much cleaner.
There is much less work directly on the interpreter and more of it gets
pushed up to extension modules. I also have the okay of my supervisor to
use this approach in my dissertation so this will get done.
Two things do fall out of all of this which will make development much more
modular and easier. First, the memory cap work just becomes a special build
on its own; no need to tie into the security work. So I will be cleaning up
the bcannon-sandboxing branch code as it stands, and then either create a
separate branch for the object-capabilities work, or create another branch
for the memory cap stuff and shift the changes over there. I will most
likely do the former so as to not lose the history on the checkins.
I also plan to rewrite the import machinery in pure Python. This will make
the code much more maintainable and make creating proxies for the import
machinery much easier. I will be doing that in a directory in the sandbox
initially since it needs to work from what Python has now (and possibly some
new extension module code) before it can be integrated into the interpreter
directly. Anyone who wants to help with that can. I already have some
perliminary notes on the whole thing and I think it will be reasonably
doable.
Anyway, there you go. Here is to hoping I have thought this all through
properly. =)
-Brett
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.python.org/pipermail/python-dev/attachments/20060719/09a113fc/attachment.html
More information about the Python-Dev
mailing list