Creating a capabilities-based restricted execution system
Sean R. Lynch
seanl at chaosring.org
Sat Jan 3 13:25:40 EST 2004
John Roth wrote:
> Yes, you're missing something really obvious. Multi-level
> security is a real difficult problem if you want to solve it
> in a believable (that is, bullet-proof) fashion. The only way
> I know of solving it is to provide separate execution
> environments for the different privilege domains.
> In the current Python structure, that means different
> interpreters so that the object structures don't intermix.
Hmmm, can you give me an example of a Python application that works this
way? Zope seems to be doing fine using RestrictedPython.
RestrictedPython is, in fact, an attempt to provide different execution
environments within the same memory space, which is the whole point of
my exercise. Now, I know that the lack of an example of insecurity is
not proof of security, but can you think of a way to escape from
RestrictedPython's environment? DoS is still possible, but as I'm not
planning on using this for completely untrusted users, I'm not too
concerned about that.
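The point under discussion, shown as an added example (this is illustrative code written for this page, not code from the post, from Zope or from RestrictedPython): when untrusted code runs in the same interpreter and is only handed a trimmed-down __builtins__, every object it can touch is still an edge of the host's object graph. A host function exposed as a "capability" carries its __globals__, and from there the real builtins are one subscript away. The second runner adds a static AST check, standing in for the kind of attribute guarding RestrictedPython does, that refuses underscore-prefixed names and attributes. The names SAFE_BUILTINS, helper, run_unguarded, run_guarded and the payload strings are assumptions made for the demonstration.

```python
import ast
import builtins

# Allow-list of builtins handed to untrusted code (a constructed, illustrative list).
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("len", "range", "str", "int", "list", "dict", "sum", "min", "max")
}


class RestrictionError(Exception):
    """Raised when untrusted source uses a construct the checker forbids."""


class _Checker(ast.NodeVisitor):
    """Static stand-in for RestrictedPython's AST transformation (not its code).

    Underscore-prefixed attributes and names are rejected, because dunder
    attributes (__globals__, __class__, __subclasses__, ...) are the edges of
    the shared object graph that lead back to the host interpreter.  Imports
    are rejected outright.  This check is deliberately minimal: it blocks the
    escape below, not every possible one.
    """
    FORBIDDEN_NODES = (ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal)

    def visit_Attribute(self, node):
        if node.attr.startswith("_"):
            raise RestrictionError(f"attribute {node.attr!r} is not allowed")
        self.generic_visit(node)

    def visit_Name(self, node):
        if node.id.startswith("_"):
            raise RestrictionError(f"name {node.id!r} is not allowed")
        self.generic_visit(node)

    def generic_visit(self, node):
        if isinstance(node, self.FORBIDDEN_NODES):
            raise RestrictionError(f"{type(node).__name__} is not allowed")
        super().generic_visit(node)


def helper(x):
    """A harmless host function offered to untrusted code as a 'capability'."""
    return x * 2


def _namespace():
    # Fresh namespace per run; the untrusted code sees only the allow-listed
    # builtins and the one exposed function.
    return {"__builtins__": dict(SAFE_BUILTINS), "helper": helper}


def run_unguarded(source):
    """exec() with a restricted __builtins__ only: same memory space, no AST check."""
    ns = _namespace()
    exec(compile(source, "<untrusted>", "exec"), ns)
    return ns.get("result")


def run_guarded(source):
    """Same namespace, but the source must pass the static checker first."""
    tree = ast.parse(source, "<untrusted>")
    _Checker().visit(tree)
    ns = _namespace()
    exec(compile(tree, "<untrusted>", "exec"), ns)
    return ns.get("result")


def escape_is_blocked(source):
    """True if the guarded runner refuses the source before executing it."""
    try:
        run_guarded(source)
    except RestrictionError:
        return True
    return False


# Constructed untrusted payload: follows the exposed helper's __globals__ back
# to this host module, then reaches the real builtins module it imported.
ESCAPE = """
host = helper.__globals__
result = host['builtins'].open.__name__
"""

# Constructed benign payload that only uses the offered capability.
BENIGN = "result = helper(21)"


if __name__ == "__main__":
    print("unguarded:", run_unguarded(ESCAPE))      # the real open() is reachable
    print("guarded benign:", run_guarded(BENIGN))
    print("guarded escape blocked:", escape_is_blocked(ESCAPE))
```

The unguarded run returns the name of the host's real open(), which is exactly the "object structures intermix" problem: the restricted __builtins__ dict is a policy on lookups, not a boundary on the heap. The guarded run rejects the payload at parse time. Whether a checker of this kind is complete is the open question in the thread; a static underscore filter is a necessary first step, not a proof.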