Ted Leung on the air
Ted Leung on the air: Open Source, Java, Python, and ...
Sun, 27 Nov 2005
Capabilities in Perl

[via Links ]:

Earlier this year at CodeCon, Ben Laurie showed me the work that he had done on adding capabilties to Perl. Now he's put up a post with a pointer to the code and a little bit of documentation. He originally got interested in the problem because he was interested in adding capabilities to Python, but that turned out to be harder than he thought. Along the way, he formed some conclusions about Python and security:

Also, it seems the Python devlopers aren’t really interested in capabilities (nor all that interested in security, it seems, since the restricted execution mode is not maintained).

I don't think it's quite as a bad as Ben thinks, since he and I had some conversations with some Python developers and those folks were definitely interested in capability support. Of course, quite a few of them were a bit Twisted.

CaPerl is an alternative approach to adding capabilities which involves compiling a capability enhanced version of the language into the regular language. As to the rationale for doing this in Perl:

So, I did this for Perl, on the basis that if you can secure Perl you can surely secure anything.

I'm curious to see whether making the code available has any impact on the uptake of these ideas. Perhaps there will be some impetus in the Perl or Python communities to pick up on these ideas. When I saw Ben at Mind Camp, I suggested to him that perhaps the most profitable place to seed these ideas is the Ruby community, given the momentum hype of Rails, and the relative openness of the Ruby community to non-mainstream ideas.

I'd love to be proven wrong.

[23:57] | [computers/security] | # | TB | F | G | 32 Comments | Other blogs commenting on this post
Ted Leung suggests that I should try adding capabilities to Ruby. H1kari suggested Javascript. I believe both of these are possible. I even think I could do it for C! But should I? Does anyone care? ...
Posted by Trackback from Links at Mon Nov 28 01:39:52 2005

I'm sorry, but Ben's full of crap on this one, and altogether too enamored of his quick-fix for Perl.  The paper of his that I read in March describes a system roughly comparable to what Zope had in 1998 or so; it's certainly not state-of-the-art for Python capability sandboxing.

For what is an up-to-date security system for untrusted execution in Python, see:

http://svn.zope.org/Zope3/trunk/src/zope/security/untrustedinterpreter.txt?view=auto

Capabilities are essentially a subset of the above model.  (Specifically, the subset where anybody who has a reference to a particular proxy has access to some fixed set of the proxied object's attributes/methods.)  So, there's effectively already a nice capability system for running untrusted code in Python, and it doesn't need 'rexec' or anything like that to work.

Frankly, since I pointed Ben to that link eight months ago, I'm rather disappointed to hear that he's still spreading such shameful FUD.
Posted by Phillip J. Eby at Mon Nov 28 10:28:00 2005

I think the lesson is that someone really should extract Zope's security into a separate, easy-to-use package.  Well, as easy to use as something like that can be, which isn't actually that easy.  It seems like a very useful thing that no one uses (outside of Zope users).
Posted by Ian Bicking at Mon Nov 28 13:00:51 2005

Incidentally, I'm reading the slides  about CaPerl, and he does mention proxies as a possible implementation for capabilities in Python, but doesn't imply he ever tried that.  It also seems to imply he wrote a separate (CaPerl->Perl?) compiler for CaPerl... which seems like radically more work than he suggests for Python.  That said, maybe the AST branch would make his technique more feasible (from my rather uneducated experience with Zope's security, what he describes seems very reminiscent except with some syntax extensions).
Posted by Ian Bicking at Mon Nov 28 13:32:50 2005

I have not read about CaPerl. I'll look at that.

One issue bigger than getting capabilities into a language (could be as easy as a lambda), is getting the libraries to follow good designs (i.e. POLA).

Backward compatibility and capability-based design are often at odds.
Posted by Patrick Logan at Mon Nov 28 15:19:08 2005

I think that Ian is right about yanking the Zope stuff apart into pieces (eggs).  Several times now I've been informed that thus and such functionality exists in Zope.  The problem is that not every person interested in Python has the time or need to go through the Zope stuff.  Looking for Interfaces?  Well of course I'd start by looking at Zope rather than the docs for Python.  The same is true for security stuff.  Having all this stuff inside of Zope is a weird form of security by obscurity.  It might be fine for all the Python old hands, but for people who are new to Python, it doesn't help at all.
Posted by Ted Leung at Mon Nov 28 23:18:05 2005

Patrick,

You're right, but it has to start somewhere.  It's not even that easy to get people to consider the idea of capability based security.
Posted by Ted Leung at Mon Nov 28 23:20:22 2005

You can subscribe to an RSS feed of the comments for this blog: RSS Feed for comments

Add a comment here:

You can use some HTML tags in the comment text:
To insert a URI, just type it -- no need to write an anchor tag.
Allowable html tags are: <a href>, <em>, <i>, <b>, <blockquote>, <br/>, <p>, <code>, <pre>, <cite>, <sub> and <sup>.

You can also use some Wiki style:
URI => [uri title]
<em> => _emphasized text_
<b> => *bold text*
Ordered list => consecutive lines starting spaces and an asterisk

Name:


E-mail:


URL:


Comment:


Remember my info?


twl JPG

About

Ted Leung FOAF Explorer

I work at the Open Source Applications Foundation (OSAF).
The opinions expressed here are entirely my own, not those of my employer.

Creative Commons License
This work is licensed under a Creative Commons License.

Now available!
Professional XML Development with Apache Tools : Xerces, Xalan, FOP, Cocoon, Axis, Xindice
Technorati Profile
PGP Key Fingerprint
My del.icio.us Bookmarks
My Flickr Photos


Syndicate
RSS 2.0 xml GIF
Comments (RSS 2.0) xml GIF
Atom 0.3 feed
Feedburner'ed RSS feed

< November 2005 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
27282930   

Archives
2006
2005
2004
2003

Articles
Macintosh Tips and Tricks

Search
Lucene
Blogs nearby
geourl PNG

Categories
/ (1567)
  books/ (33)
  computers/ (62)
    hardware/ (15)
    internet/ (58)
      mail/ (11)
      microcontent/ (58)
      weblogs/ (174)
        pyblosxom/ (36)
      www/ (25)
    open_source/ (145)
      asf/ (53)
      osaf/ (32)
        chandler/ (35)
        cosmo/ (1)
    operating_systems/ (16)
      linux/ (9)
        debian/ (15)
        ubuntu/ (2)
      macosx/ (101)
        tips/ (25)
      windows_xp/ (4)
    programming/ (156)
      clr/ (1)
      dotnet/ (13)
      java/ (71)
        eclipse/ (22)
      lisp/ (34)
      python/ (86)
      smalltalk/ (4)
      xml/ (18)
    research/ (1)
    security/ (4)
    wireless/ (1)
  culture/ (10)
    film/ (8)
    music/ (6)
  education/ (13)
  family/ (17)
  gadgets/ (24)
  misc/ (47)
  people/ (18)
  photography/ (25)
    pictures/ (12)
  places/ (3)
    us/ (0)
      wa/ (2)
        bainbridge_island/ (17)
        seattle/ (13)
  skating/ (6)
  society/ (20)



[Valid RSS]

del.icio.us linkblog

www.flickr.com

Blogroll

java.blogs
Listed on BlogShares

Locations of visitors to this page
Where are visitors to this page?

pyblosxom GIF