[Python-checkins] r51818 - python/branches/bcannon-objcap/securing_python.txt

brett.cannon python-checkins at python.org
Thu Sep 7 20:27:22 CEST 2006 

Author: brett.cannon
Date: Thu Sep  7 20:27:20 2006
New Revision: 51818

Modified:
   python/branches/bcannon-objcap/securing_python.txt
Log:
Changes based on Ka-Ping Yee's comments.


Modified: python/branches/bcannon-objcap/securing_python.txt
==============================================================================
--- python/branches/bcannon-objcap/securing_python.txt	(original)
+++ python/branches/bcannon-objcap/securing_python.txt	Thu Sep  7 20:27:20 2006
@@ -231,15 +231,17 @@
 provide a private namespace for the class and instances that are not
 accessible by other objects.
 
-The Python language has no such thing as a private namespace.  The
-language has the philosophy that if exposing something to the
-programmer could provide some use, then it is exposed.  This has led
-to Python having a wonderful amount of introspection abilities.
-Unfortunately this makes the possibility of a private namespace
-non-existent.  This poses an issue for providing proxies for resources
-since there is no way in Python code to hide the reference to a
-resource.  It also makes providing security at the object level using
-object-capabilities non-existent in pure Python code.
+The Python language has no such thing as a persistent, private
+namespace.  The language has the philosophy that if exposing something
+to the programmer could provide some use, then it is exposed.  This
+has led to Python having a wonderful amount of introspection
+abilities.  Unfortunately this makes the possibility of a private
+namespace non-existent.  This poses an issue for providing proxies for
+resources since there is no way in Python code to hide the reference
+to a resource.  It also makes providing security at the object level
+using object-capabilities non-existent in pure Python code without
+changing the language (e.g., protecting nested scoped variables from
+external introspection).
 
 Luckily, the Python virtual machine *does* provide a private namespace,
 albeit not for pure Python source code.  If you use the Python/C
@@ -281,8 +283,8 @@
 * An interpreter cannot gain abilties the Python process possesses
   without explicitly being given those abilities.
     + With the Python process being the powerbox, if an interpreter
-    could gain whatever abilities it wanted to then the security
-    domain would be completely breached.
+      could gain whatever abilities it wanted to then the security
+      domain would be completely breached.
 * An interpreter cannot influence another interpreter directly at the
   Python level without explicitly allowing it.
     + This includes preventing communicating with another interpreter.
@@ -312,20 +314,20 @@
 * Python bytecode is always distrusted.
     + Malicious bytecode can bring down an interpreter.
 * Pure Python source code is always safe on its own.
-    + Malicious abilities are derived from C extension modules,
-      built-in modules, and unsafe types implemented in C, not from
-      pure Python source.
+    + Python source code is not able to violate the restrictions
+      placed upon the interpreter it is running in.
+    + Possibly malicious abilities are derived from C extension
+      modules, built-in modules, and unsafe types implemented in C,
+      not from pure Python source.
 * A sub-interpreter started by another interpreter does not inherit
   any state.
     + The sub-interpreter starts out with a fresh global namespace and
       whatever built-ins it was initially given.
 
 
-Implementation
-///////////////////////////////////////
 
 Guiding Principles
-========================
+///////////////////////////////////////
 
 To begin, the Python process garners all power as the powerbox.  It is
 up to the process to initially hand out access to resources and
@@ -359,8 +361,8 @@
 Backwards-compatibility will not be a hindrance upon the design or
 implementation of the security model.  Because the security model will
 inherently remove resources and abilities that existing code expects,
-it is not reasonable to expect existing code to work in a sandboxed
-interpreter.
+it is not reasonable to expect all existing code to work in a
+sandboxed interpreter.
 
 Keeping Python "pythonic" is required for all design decisions.  
 In general, being pythonic means that something fits the general
@@ -374,6 +376,10 @@
 is a price that must be paid in order for Python to continue to be the
 language that it is.
 
+
+Implementation
+///////////////////////////////////////
+
 Restricting what is in the built-in namespace and the safe-guarding
 the interpreter (which includes safe-guarding the built-in types) is
 where the majority of security will come from.  Imports and the
@@ -579,7 +585,7 @@
 * ``__del__`` created in sandboxed interpreter but object is cleaned
   up in unprotected interpreter.
 * Using frames to walk the frame stack back to another interpreter.
-* XXX
+* XXX A generator's execution frame?
 
 
 Making the ``sys`` Module Safe

More information about the Python-checkins mailing list