On Sat, 9 Apr 2005 00:13:40 -0500 (CDT), Ka-Ping Yee <[EMAIL PROTECTED]> wrote:
>On Fri, 8 Apr 2005, Eyal Lotem wrote:
> > I would like to experiment with security based on Python references as
> > security capabilities.
>
> This is an interesting and worthwhile thought. Several people
> (including myself) have talked about the possibility of doing
> this in the past. I believe the two problems you mention can be
> addressed without modifying the Python core.
>
> > * There is no way to create secure proxies because there are no
> > private attributes.
>
> Attributes are not private, but local variables are. If you use
> lexical scoping to restrict variable access (as one would in
> Scheme, E, etc.) you can create secure proxies. See below.
>
> > * Lots of Python objects are reachable unnecessarily breaking the
> > principle of least privelege (i.e: object.__subclasses__() etc.)
>
> True. However, Python's restricted execution mode prevents access
> to these attributes, allowing you to enforce encapsulation. (At
> least, that is part of the intent of restricted execution mode,
> though currently we do not make official guarantees about it.)
> Replacing __builtins__ activates restricted execution mode.
>
> Here is a simple facet function.
>
> def facet(target, allowed_attrs):
> class Facet:
> def __repr__(self):
> return '<Facet %r on %r>' % (allowed_attrs, target)
> def __getattr__(self, name):
> if name in allowed_attrs:
> return getattr(target, name)
> raise NameError(name)
> return Facet()
>
> def restrict():
> global __builtins__
> __builtins__ = __builtins__.__dict__.copy()
>
> # Here's an example.
>
> list = [1, 2, 3]
> immutable_facet = facet(list, ['__getitem__', '__len__', '__iter__'])
>
> # Here's another example.
>
> class Counter:
> def __init__(self):
> self.n = 0
>
> def increment(self):
> self.n += 1
>
> def value(self):
> return self.n
>
> counter = Counter()
> readonly_facet = facet(counter, ['value'])
>
> If i've done this correctly, it should be impossible to alter the
> contents of the list or the counter, given only the immutable_facet
> or the readonly_facet, after restrict() has been called.
>
> (Try it out and let me know if you can poke holes in it...)
>
> The upshot of all this is that i think you can do secure programming
> in Python if you just use a different style. Unfortunately, this
> style is incompatible with the way classes are usually written in
> Python, which means you can't safely use much of the standard library,
> but i believe the language itself is not fatally flawed.
>
Does using the gc module to bypass this security count? If so:
[EMAIL PROTECTED]:~$ python -i facet.py
>>> import gc
>>> c = readonly_facet.__getattr__.func_closure[1]
>>> r = gc.get_referents(c)[0]
>>> r.n = 'hax0r3d'
>>> readonly_facet.value()
'hax0r3d'
>>>
This is the easiest way of which I know to bypass the use of cells as a
security mechanism. I believe there are other more involved (and fragile,
probably) ways, though.
Jp
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
