Mon, 31 Mar 2003 16:52:06 -0800
Ka-Ping Yee wrote:
> Hmm, i'm not sure you understood what i meant. The code example i posted
> is a solution to the design challenge: "provide read-only access to a
> directory and its subdirectories, but no access to the rest of the filesystem".
> I'm looking for other security design challenges to tackle in Python.
> Once enough of them have been tried, we'll have a better understanding of
> what Python would need to do to make secure programming easier.
Okay, how about allowing a piece of untrusted code to import modules
from a selected subset of all modules. For instance you probably want to
allow untrusted code to get access to regular expressions and codecs
(after taming!) but not os or socket.
Speaking of sockets, web browsers often allow connections to sockets
only at a particular domain. In a capabilities world, I guess the domain
would be an object that you could request sockets from.
Are DOS issues in scope? How do we prevent untrusted code from just
bringing the interpreter to a halt? A smart enough attacker could even
block all threads in the current process by finding a task that is
usually not time-sliced and making it go on for a very long time.
without looking at the Python implementation, I can't remember an
example off of the top of my head, but perhaps a large multiplication or
search-and-replace in a string.