
Armin Rigo wrote:
Hi all,
On Monday I was at an inspiring seminar about (a specific form of) language-level security. I've collected the PyPy-ification of these ideas there:
http://codespeak.net/svn/pypy/dist/pypy/doc/discussion/security-ideas.txt
Although the focus is different, it makes me think that we could also use similar ideas to implement a form of 'rexec' (restricted execution), with functions compiled by secure() as in the draft above, but running at a privilege level which is lower than the default ambient level instead of higher.
As a general note it might be useful to talk to Jim Fulton for real-world experience concerning language-level security in Python. I'll cc him so he at least is aware of your security ideas document. In Zope 2, there is a precompiler for untrusted Python code, offering, as far as I understand, true language-level security. In Zope 3 this approach has been dropped as hard to maintain and replaced with object level security (attribute access is controlled with a permission system).

Regards,
Martijn