[Python-Dev] Challenge: Please break this! [Now with blog post]

Greg Ewing greg.ewing at canterbury.ac.nz
Tue Feb 24 01:16:17 CET 2009


tav wrote:

> But that doesn't invalidate the model or the possibility of using it in Python.

However, there's also the matter of whether it's practical to use the model in Python.

The custom-string exploit illustrates that you have to be extremely careful what you do with, and what you assume about, anything given to you by untrusted code.

How confident is the user of the capability model going to be that there isn't some other obscure exploit that he hasn't thought of?

To be able to have confidence in it, a capability model needs to start with objects having no capabilities at all, and you deliberately add the capabilities you want it to have.

But Python objects come by default with a huge number of capabilities, designed to allow the programmer to do just about anything he wants short of wrecking the internals of the interpreter (wrecking the rest of his computer is fine, though:-).

And you not only have to think about the capabilities of the objects that you give to others, but the capabilities of objects that others give to you -- and be careful not to use any of them in a way that could fool you.

So while the model may be theoretically sound, applying it to Python is not easy to do in a way that one can have confidence in.

-- Greg
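As an added illustration of the "custom-string exploit" and of the point about objects that others hand to you: the example below is not code from this thread or from tav's challenge. Both guard functions, the `SneakyName` subclass and the `Secret` target object are hypothetical reconstructions of the pattern, written to show why a guard must not rely on methods of an object it received from untrusted code.

```python
# Added example (not code from the thread or from tav's challenge): how a str
# subclass can fool a guard that trusts methods of an object handed to it by
# untrusted code. The guard functions below are hypothetical reconstructions.


class SneakyName(str):
    """Attacker-controlled 'string'.

    It passes isinstance(name, str) but overrides the very method the guard
    relies on, so the guard's check returns a lie.
    """

    def startswith(self, prefix, *args):
        return False


class Secret:
    """Object whose underscore attributes the guard is supposed to hide."""

    public = "harmless"
    _hidden = "the keys to the kingdom"


def naive_guarded_getattr(obj, name):
    """Vulnerable: calls name.startswith, a method the caller controls."""
    if not isinstance(name, str):
        raise TypeError("attribute name must be a string")
    if name.startswith("_"):
        raise AttributeError("private attribute")
    # getattr accepts str subclasses and reads the underlying characters,
    # so the overridden method above is the only thing standing in the way.
    return getattr(obj, name)


def hardened_guarded_getattr(obj, name):
    """Hardened: refuse subclasses, then check with the real str method.

    type(name) is str rejects SneakyName outright. str.startswith(name, "_")
    calls the base implementation and so also bypasses a subclass override;
    it is kept as defence in depth.
    """
    if type(name) is not str:
        raise TypeError("attribute name must be exactly str")
    if str.startswith(name, "_"):
        raise AttributeError("private attribute")
    return getattr(obj, name)


def probe(guard, name):
    """Run a guard against Secret(), returning the value or the error name."""
    try:
        return guard(Secret(), name)
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__


def demo():
    """Return what each guard yields for an honest and a sneaky name."""
    honest = "_hidden"
    sneaky = SneakyName("_hidden")
    return {
        "naive_honest": probe(naive_guarded_getattr, honest),
        "naive_sneaky": probe(naive_guarded_getattr, sneaky),
        "hardened_honest": probe(hardened_guarded_getattr, honest),
        "hardened_sneaky": probe(hardened_guarded_getattr, sneaky),
        "hardened_public": probe(hardened_guarded_getattr, "public"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive guard blocks the plain string `"_hidden"` but hands over the secret when the same characters arrive wrapped in `SneakyName`; the hardened guard rejects the subclass before ever calling a method on it. The general lesson is the one in the message above: any check that dispatches through an object supplied by untrusted code is a check the untrusted code gets to write.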


