Securing mobile Python code
Mads Kristensen
madsk at _SPAM_ME_.daimi.au.dk
Wed Jul 16 09:35:03 EDT 2008
Hi guys and girls.
I am currently developing an execution environment for mobile Python
code. To that end I have developed a system called Scavenger based on
Stackless Python. The biggest problem when working with mobile code is
of course security - especially when working with a language such as
Python that has no security modes. I have therefore used a
validation/blacklisting approach towards code security, i.e., before the
mobile code is executed it is validated and if it uses illegal
operations it is rejected (apart from that I have also monkey-patched
some functionality so that my own versions of built-in functions are
invoked). Using such a blacklist approach is of course problematic
because one has to know about every possible way to circumvent the
system to be sure of its validity... This is where you come in: To test
the security of my system I have placed a Scavenger host on the Internet
that will perform any Python code you throw at it. I would like to
invite anybody with an interest in Python and security to participate in
this "Hack-Attack" on my Scavenger host :-)
For more information see: http://www.daimi.au.dk/~madsk/?cat=15
Thanks for your time!
Best regards,
Mads Kristensen
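
An added illustration, not part of the original post and not Scavenger's own validator: the blacklist-style check the message describes, written against Python 3's `ast` module, next to an allowlist check run over the same constructed snippets. The denied names, permitted node types, function names and sample snippets are all assumptions chosen for the example.

```python
import ast

# Hypothetical denylist: names a blacklist-style validator forbids.
DENIED_NAMES = {"eval", "exec", "open", "__import__", "compile"}
# Hypothetical allowlist: the only syntax nodes and call targets permitted.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Call,
)
ALLOWED_CALLS = {"len", "min", "max", "sum", "abs"}


def denylist_violations(source):
    """Blacklist style: report only constructs already known to be unsafe."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.append("import statement")
        elif isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            found.append("denied name: " + node.id)
    return found


def allowlist_violations(source):
    """Allowlist style: report everything that is not explicitly permitted."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ALLOWED_NODES):
            found.append("node not allowed: " + type(node).__name__)
        elif isinstance(node, ast.Call):
            func = node.func
            if not (isinstance(func, ast.Name) and func.id in ALLOWED_CALLS):
                found.append("call target not allowed")
    return found


# Constructed sample snippets; they are parsed, never executed.
SAMPLES = {
    "arithmetic": "total = sum(values) + 1",
    "direct": "data = open(path)",
    "attribute": "kind = (1).__class__",
}


def compare(samples=SAMPLES):
    """Return {label: (denylist findings, allowlist findings)}."""
    return {k: (denylist_violations(v), allowlist_violations(v))
            for k, v in samples.items()}
```

The "attribute" sample passes the denylist because nothing on the list names attribute access, while the allowlist rejects it without having to anticipate it; that difference in failure direction is the problem with blacklisting that the message points out.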