[pypy-dev] Security ideas

holger krekel hpk at trillke.net
Thu Jul 13 08:02:29 CEST 2006

Hi Armin, 

On Wed, May 24, 2006 at 13:47 +0200, Armin Rigo wrote:
> On Monday I was at an inspiring seminar about (a specific form of)
> language-level security.  I've collected the PyPy-ification of these
> ideas there:
> http://codespeak.net/svn/pypy/dist/pypy/doc/discussion/security-ideas.txt

IIUC, in this discussion you argue against an "Proxy-Object space" solution
because a code block may depend on a condition involving secret values. 

In your alternative "annotator" suggestion, you give the following example: 

    def enter_bid(n):
        if n > highest_bid.value:
            highest_bid.value = n 
    enter_bid = secure(enter_bid)

Here the annotator analysis is supposed to prevent a leak of information
from the secret value.  But if the if-branch additionally contains:

            num_bids += 1

don't you run into a branching/code-dependent-on-secret-condition 
problem again?  Would the annotator prevent the manipulation of 
the global 'num_bids'?  Would it need to be a public value? 

Moreover, i have practical concerns: your proposed
scheme requires RPython annotator analysis which implies to
have the PyPy tool chain available and accessible at programming 
time.  Not impossible but also not a use case that we went for 
so far.  Also it is not clear to which target "secure" would compile 
functions to, C or bytecode or ...?



More information about the Pypy-dev mailing list