[Python-Dev] Re: Whither rexec?
"Martin v. Löwis"
martin@v.loewis.de
Wed, 08 Jan 2003 16:06:12 +0100
Kevin Jacobs wrote:
> It has been said that the previous rexec functionality was ad hoc and
> brittle, and many better solutions are possible. What better alternatives
> exist in terms of features offered, overall runtime performance, ease of
> maintenance, and validation?
I disagree with that statement. The approach taken by rexec is very
straight forward, and, in principle, allows to impose arbitrary
functional restrictions on untrusted code. Non-functional restrictions
(code has to observe limitations in resource usage, such as computing
time, memory consumption, or number of open files) are not easily
implemented with rexec. I believe that any extension to provide such
restrictions also would be orthogonal to rexec.
So anybody working on this should see how rexec could be enhanced. IMO,
of course.
> Proxy objects -- making unsafe objects safe(r)
I think the really tricky part today is usage of the type() builtin
(i.e. access to an object's __class__ attribute). The new problem is
that types are now callable.
On one hand, you cannot hand out the true type objects to untrusted
code, since they could use them to overcome the limitations. On the
other hand, if the untrusted code merely uses the type objects for
testing type membership, such code should continue to work.
So you either need a way to disable calls to type objects, or you need
proxy type objects around the builtin types. For proxy types, some types
could be considered safe (e.g. int, str, unicode); others would need
proxies (the file type in particular).
> Restricted introspection -- limiting the amount of information
> obtainable from exposed objects and
> environment
Can somebody please explain how this is different from restricted
environments? I.e. why would one restrict introspection in general, as
long as you can't obtain information about the system?
> Tainting -- tracking trusted status of objects
This is clearly out of scope of rexec, and, IMO, not relevant for
untrusted code. Tainting is about processing untrusted data by trusted code.
> Security policy management -- Configuration of how security mechanisms are
> applied
I think rexec is quite flexible here, giving or denying access on a
per-function basis (and allowing to provide wrappers for functions which
must be restricted depending on the set of arguments).
Regards,
Martin