Securing mobile Python code

Mads Kristensen madsk at _SPAM_ME_.daimi.au.dk
Wed Jul 16 15:35:03 CEST 2008


Hi guys and girls.

I am currently developing an execution environment for mobile Python 
code. To that end I have developed a system called Scavenger based on 
Stackless Python. The biggest problem when working with mobile code is 
of course security - especially when working with a language such as 
Python that has no security modes. I have therefore used a 
validation/blacklisting approach towards code security, i.e., before the 
mobile code is executed it is validated and if it uses illegal 
operations it is rejected (apart from that I have also monkey-patched 
some functionality so that my own versions of built-in functions are 
invoked). Using such a blacklist approach is of course problematic 
because one has to know about every possible way to circumvent the 
system to be sure of its validity... This is where you come in: To test 
the security of my system I have placed a Scavenger host on the Internet 
that will perform any Python code you throw at it. I would like to 
invite anybody with an interest in Python and security to participate in 
this "Hack-Attack" on my Scavenger host :-)

For more information see: http://www.daimi.au.dk/~madsk/?cat=15

Thanks for your time!

Best regards,
Mads Kristensen



More information about the Python-list mailing list