[pypy-dev] security prototype & workshop plans/ideas

Rodrigo Dias Arruda Senra rodsenra at gpr.com.br
Tue Apr 25 17:53:16 CEST 2006


Some *very* late shameless comments ;o)

[ hpk at trillke.net (holger krekel) ]:
----------------------------------------
|
|  Hi folks, 
|  
|  from the EU side of things there is the plan to organize a
|  security workshop and implement security features within PyPy.
#cut
|  
|  - data tagging or "label control", or more generally attaching 
|    (security) metainformations to a python object and having those 
|    propagate through the program automatically.  See e.g. 
|  
#cut
|  Label control could be used for tagging e.g. user-level input
|  with the "untrusted" label and then protecting certain
|  functions to require trusted input (e.g. database/file
|    modifications). Then, there could be explicit untrusted_to_trusted()
|  conversions, turning an untrusted input into a trusted
|  output.  This would allow to concisely localise how 
|  user-supplied/untrusted input is parsed and checked. 
|  
# cut
|  
|  The challenge is to find an interesting mechanism that
|  elegantly enables such approaches - which should be the 
|  topic of our upcoming security prototype and workshop. 
# cut
|  I am posting here on pypy-dev (rather than just to selected pypy
|  developers) because others may be interested, have comments, 
|  suggestions or might think about contributing.  Security is 
|  certainly not the central topic of PyPy but our design should 
|  make it considerably easier to implement strong security features.
|  Hum, and i guess that it's not impossible that the project
|  might for contributors come up with funding for travels at
|  least.  
|  

The Guarana MOP [1] might provide some inspiration, since
Guarana was a reflective meta-object protocol meant to be 
secure.

The core idea was to provide a VM-level hook where every access
to an object would test for the presence of a meta-object, using
a pointer in the underlying object representation structure.

If the meta-object was present, access would be intercepted 
and delivered to the meta-object instead.
An image [2, 3] worth a thousand words would show it faster.
 
The key points were:
 - changing the meta-object bound to some object was
   a negotiation process, where the consent of the installed
   meta-object was required
 - the meta-object controlled all access to the underlying object
 - the meta-object could be a composer delegating decisions to
   a hierarchy of other meta-objects.

I do not know if any of these ideas could/should be used
in Pypy for the challenge proposed by Holger.
Nevertheless, it is harmless to suggest ;o) 

[1] http://citeseer.ist.psu.edu/oliva98reflexive.html
[2] http://www.students.ic.unicamp.br/~921234/dissert/images/basic_interaction.jpg
[3] http://www.students.ic.unicamp.br/~921234/dissert/images/reflective_hook.jpg


best regards,
Rod Senra
http://rodrigo.senra.nom.br
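As an added illustration of the label-control idea quoted above (example code, not from this thread or from PyPy), here is a Python sketch in which a wrapper plays the role of a Guarana-style meta-object: it intercepts attribute access on an untrusted value so the label propagates through method calls and arithmetic, a decorator protects functions that require trusted input, and untrusted_to_trusted() is the single explicit conversion point. All names (Untrusted, require_trusted, TrustViolation, write_record) and the sample input are assumptions.

```python
class Untrusted(object):
    """A value carrying the 'untrusted' label; the label propagates through operations."""
    def __init__(self, value):
        self.value = value

    def _lift(self, other):
        # unwrap other labelled operands so mixed expressions stay labelled
        return other.value if isinstance(other, Untrusted) else other

    def __add__(self, other):
        return Untrusted(self.value + self._lift(other))

    def __radd__(self, other):
        return Untrusted(self._lift(other) + self.value)

    def __getattr__(self, name):
        # meta-object style hook: every attribute access on the wrapped value is
        # intercepted, and results (including method results) stay untrusted
        attr = getattr(self.value, name)
        if callable(attr):
            return lambda *a, **k: Untrusted(attr(*[self._lift(x) for x in a], **k))
        return Untrusted(attr)

    def __repr__(self):
        return "Untrusted(%r)" % (self.value,)

class TrustViolation(Exception):
    pass

def require_trusted(func):
    """Protect a function: refuse any argument still carrying the untrusted label."""
    def wrapper(*args, **kwargs):
        for a in list(args) + list(kwargs.values()):
            if isinstance(a, Untrusted):
                raise TrustViolation("%s received untrusted input %r" % (func.__name__, a))
        return func(*args, **kwargs)
    return wrapper

def untrusted_to_trusted(u, validate):
    """The one explicit place where an untrusted value is checked and relabelled."""
    if not isinstance(u, Untrusted):
        return u
    if not validate(u.value):
        raise TrustViolation("validation failed for %r" % (u,))
    return u.value

@require_trusted
def write_record(table, name):
    return "INSERT INTO %s VALUES (%r)" % (table, name)

user_input = Untrusted("  alice  ")        # constructed sample: anything read from a user
cleaned = user_input.strip().lower()       # still Untrusted: the label propagated

def demo_blocked():
    """True if the protected function rejects the still-untrusted value."""
    try:
        write_record("users", cleaned)
        return False
    except TrustViolation:
        return True
```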


