[Python-Dev] Capabilities

Paul Prescod paul@prescod.net
Mon, 31 Mar 2003 16:52:06 -0800

Ka-Ping Yee wrote:
> Hmm, i'm not sure you understood what i meant.  The code example i posted
> is a solution to the design challenge: "provide read-only access to a
> directory and its subdirectories, but no access to the rest of the filesystem".
> I'm looking for other security design challenges to tackle in Python.
> Once enough of them have been tried, we'll have a better understanding of
> what Python would need to do to make secure programming easier.

Okay, how about allowing a piece of untrusted code to import modules 
from a selected subset of all modules. For instance you probably want to 
allow untrusted code to get access to regular expressions and codecs 
(after taming!) but not os or socket.

Speaking of sockets, web browsers often allow connections to sockets 
only at a particular domain. In a capabilities world, I guess the domain 
would be an object that you could request sockets from.

Are DOS issues in scope? How do we prevent untrusted code from just 
bringing the interpreter to a halt? A smart enough attacker could even 
block all threads in the current process by finding a task that is 
usually not time-sliced and making it go on for a very long time. 
without looking at the Python implementation, I can't remember an 
example off of the top of my head, but perhaps a large multiplication or 
search-and-replace in a string.

  Paul Prescod