Metaphysics of security provisions (was: Now that rexec is gone...)

Cameron Laird claird at lairds.com
Sun Sep 28 09:23:48 EDT 2003


In article <Ihidb.130710$hE5.4447927 at news1.tin.it>,
Alex Martelli  <aleax at aleax.it> wrote:
			.
			.
			.
>Actually, such a "butchered" Python interpreter might be a fun and
>useful project indeed.  You would have to add programmable limits on
>resource consumptions -- e.g., memory allocatable by the script[s],
>time (CPU or maybe elapsed) usable thereby, etc.  And you should rename
Good instincts!  Yes, some of the recent work in regard to
safe interpretation that I find most interesting focuses
on precisely this:  resource management.  That's as opposed
to the rather static causal tracing where Java's
core security theoreticians have put their attention.
I know there are people working with Java who care about
resource management; I don't *think* their results are
showing up in the libraries Sun specifies.

Apt proxies for your "time" include lots of easy ones for
an introspective interpreter, such as number-of-bytecodes
processed.  That's another reason this is likely to be
"fun and useful" for Python:  it already builds in good
introspection.

Warm-up exercise:  list resources of interest.  You've
already mentioned (memory) space and time.  Anything the
operating system has to conserve--channel handles, threads,
SysV semaphores, display contexts, color maps, physical
device references, ...--is a likely candidate.  Another
refinement:  the OS could provide higher-level support for
resources usually left in userland.  It strikes me that
this could be valuable even outside its use in a restricted
interpreter.  Pools of, for example, database connections 
are the first example that comes to my mind.
			.
			.
			.
>Not *QUITE* as good as running untrusted code in a separate "jail"'d
>process, perhaps, but probably the closest you can come to that on
>such environments as Windows.  Note that the need to add resource
>limitations is crucial (and was never addressed by rexec, making it
>pretty useless to ward against denial-of-service kinds of attacks!).
Worth repeating.  Also, note that "jail" (or sandbox) is
not the only metaphor worth considering in this area.
Another is the positive one behind operating systems (I
need to figure out a one-word label for this):  "zero-based"
provision of services for which one has been
authorized.  This builds up, rather than down.  Instead
of calculating how much is safe to put in the sandbox,
it makes the dual calculation of what building blocks
can safely be allowed the developer.
			.
			.
			.
-- 

Cameron Laird <Cameron at Lairds.com>
Business:  http://www.Phaseit.net
Personal:  http://phaseit.net/claird/home.html
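As an added illustration of the two ideas in this exchange (the resource limits Alex proposes, with number-of-bytecodes-processed as Cameron's proxy for time, plus memory and elapsed-clock budgets, and the "build up rather than down" allow-list direction in the last quoted passage), here is example code written for this page. It is not code from the original post, from Alex Martelli, or from any Python project. It assumes CPython 3.7 or later (for `frame.f_trace_opcodes`) and uses only `sys.settrace`, `tracemalloc` and `time.monotonic`; the names `BudgetedRunner`, `run_with_budget`, `budget_violation` and `DEFAULT_BUILTINS` are this example's own, and the scripts it runs are constructed samples.

```python
import sys
import time
import tracemalloc


class ResourceBudgetExceeded(Exception):
    """Raised when the budgeted script exceeds one of its limits."""


class BudgetedRunner:
    """Run a script under three budgets: opcodes executed (a proxy for CPU
    time that needs no OS support), wall-clock seconds, and bytes currently
    allocated. Names here are this example's own, not a library API.

    The budgets are checked between bytecodes, so a single C-level operation
    (a large ``bytearray(n)``, ``sum(range(n))``) runs to completion before
    the check fires on the following opcode.
    """

    def __init__(self, max_opcodes, max_seconds, max_bytes):
        self.max_opcodes = max_opcodes
        self.max_seconds = max_seconds
        self.max_bytes = max_bytes
        self.opcodes = 0
        self.start = 0.0
        self.violation = None

    def _fail(self, message):
        # Record the violation before raising: CPython unsets the trace
        # function when it raises, and the script could swallow the
        # exception, so run() re-checks this flag after exec() returns.
        self.violation = message
        raise ResourceBudgetExceeded(message)

    def _trace(self, frame, event, arg):
        if event == "call":
            # Request per-bytecode "opcode" events in every new frame,
            # including functions and generators the script defines.
            frame.f_trace_opcodes = True
        elif event == "opcode":
            self.opcodes += 1
            if self.opcodes > self.max_opcodes:
                self._fail(f"opcode budget of {self.max_opcodes} exceeded")
            if time.monotonic() - self.start > self.max_seconds:
                self._fail(f"time budget of {self.max_seconds}s exceeded")
            current, _peak = tracemalloc.get_traced_memory()
            if current > self.max_bytes:
                self._fail(f"memory budget of {self.max_bytes} bytes exceeded")
        return self._trace

    def run(self, source, allowed_builtins):
        """Execute ``source``; return its namespace or raise ResourceBudgetExceeded."""
        code = compile(source, "<budgeted-script>", "exec")
        # The script sees only the builtins handed to it (the "zero-based"
        # direction). In CPython this is a convenience, not an isolation
        # boundary; it shows the build-up shape, nothing more.
        env = {"__builtins__": dict(allowed_builtins)}
        self.opcodes = 0
        self.violation = None
        started_tracemalloc = not tracemalloc.is_tracing()
        if started_tracemalloc:
            tracemalloc.start()
        previous_trace = sys.gettrace()
        self.start = time.monotonic()
        sys.settrace(self._trace)
        try:
            exec(code, env)
        except ResourceBudgetExceeded:
            pass  # re-raised below from the recorded violation
        finally:
            sys.settrace(previous_trace)
            if started_tracemalloc:
                tracemalloc.stop()
        if self.violation:
            raise ResourceBudgetExceeded(self.violation)
        return env


# Allow-list of builtins for the sample scripts (constructed for this example).
DEFAULT_BUILTINS = {"range": range, "sum": sum, "len": len, "bytearray": bytearray}


def run_with_budget(source, max_opcodes=50_000, max_seconds=2.0, max_bytes=8_000_000):
    return BudgetedRunner(max_opcodes, max_seconds, max_bytes).run(source, DEFAULT_BUILTINS)


def budget_violation(source, **budgets):
    """Return the violation message, or None when the script stayed within budget."""
    try:
        run_with_budget(source, **budgets)
    except ResourceBudgetExceeded as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample scripts: one well-behaved, one runaway loop, one memory hog.
    print(run_with_budget("total = sum(i * i for i in range(100))")["total"])
    print(budget_violation("while True:\n    pass\n", max_opcodes=1_000))
    print(budget_violation("blob = bytearray(10_000_000)\n", max_bytes=1_000_000))
```

Two caveats matter in practice. Opcode tracing slows the interpreter by a large factor, so the budget is affordable for small scripts rather than for throughput. And because the checks run only between bytecodes, a script that swallows the exception inside its own loop keeps running untraced, which is why a process-level boundary (the separate jailed process Alex mentions) with OS-enforced limits is still the stronger design where the platform offers it; the in-interpreter budget is the portable fallback.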
