capability security
Posted: Thu Oct 22, 2009 7:36 pm
I just started looking at Cobra and find the feature set to be very appealing, especially the design-by-contract features and the Python-like syntax.
Over the years there have been a number of attempts to define a capability-secure version of Python.
GvR posted his thoughts about capabilities for Python in this post:
http://neopythonic.blogspot.com/2009/03 ... ython.html
It seems to be very difficult to implement capability security in Python due to its dynamism and reflection capabilities, and one of Guido's points is that if you remove enough from Python to finally secure it, you've basically given up so much of Python that you might as well have started fresh with another language anyway.
Some background... capability security as implemented in an object-oriented language typically comes down to ensuring that a given piece of code can only access features that were given to it by reference. This involves eliminating global variables and enforcing encapsulation so that private members of objects cannot be accessed at all by other objects. Wikipedia has some more info:
http://en.wikipedia.org/wiki/Object-capability_model
There have been some successful efforts at defining capability-secure subsets of other languages, such as Java (Joe-E) and JavaScript (Caja). In fact, Caja is now being used to help secure Yahoo's home page: http://www.eros-os.org/pipermail/cap-ta ... 13567.html
The reason I find Cobra especially interesting for trying to use capability security is its built-in support for design-by-contract and unit-testing. That's because correct code that meets its contracts is much more likely to be secure code.
Does anyone have any thoughts on these ideas? In Python, there are no truly private methods on objects. Are methods and variables marked private in Cobra really private, meaning that no other object can access them? Is there a way to prevent system libraries from being imported willy-nilly? Perhaps a source verifier could be used (as Joe-E and Caja do) to ensure that no security rules are violated by a particular program.
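The object-capability pattern the post describes (authority flows only through references that were handed to you; no globals; private state unreachable) and the reflection hole that makes it unenforceable in ordinary Python, as an added example in plain Python. This is not code from Cobra, from Guido's post, or from Joe-E/Caja; the names FileStore, make_read_only, make_revocable, untrusted_plugin and reflection_escape are invented for the illustration, and the in-memory dict stands in for a file system.

```python
"""Object-capability discipline in plain Python, and why it is not
enforceable without a restricted subset or a source verifier.

Added illustration; all names here are invented for the example.
"""


class FileStore:
    """Stands in for a file system. ``_data`` is private by convention only."""

    def __init__(self):
        self._data = {}

    def read(self, key):
        return self._data.get(key)

    def write(self, key, value):
        self._data[key] = value


# --- ambient authority: what capability security has to eliminate -------
SHARED_STORE = FileStore()  # a module global is authority nobody granted


def plugin_with_ambient_authority():
    """Was handed nothing, yet can write, because the store is reachable
    through a global name rather than through a reference it was given."""
    SHARED_STORE.write("secret", "tampered")
    return SHARED_STORE.read("secret")


# --- capability discipline: authority only by reference ----------------
def make_read_only(store):
    """Attenuation: a capability that can read but never write.
    Only the closure holds ``store``; the recipient gets no attribute
    through which to reach it (by convention, see below)."""
    def read(key):
        return store.read(key)
    return read


def make_revocable(cap):
    """Revocation: a forwarder the grantor can switch off later.
    The recipient only ever sees ``use``; the grantor keeps ``revoke``."""
    state = {"target": cap}

    def use(*args):
        target = state["target"]
        if target is None:
            raise PermissionError("capability revoked")
        return target(*args)

    def revoke():
        state["target"] = None

    return use, revoke


def untrusted_plugin(read):
    """Code that was given exactly one capability, by reference."""
    return read("secret")


def demo_attenuation():
    """Returns what the plugin could read before and after revocation."""
    store = FileStore()
    store.write("secret", "s3kr1t")
    read_cap, revoke = make_revocable(make_read_only(store))
    before = untrusted_plugin(read_cap)
    revoke()
    try:
        untrusted_plugin(read_cap)
        after = "still readable"
    except PermissionError:
        after = "revoked"
    return before, after


# --- the hole: reflection unwraps every layer --------------------------
def reflection_escape(cap):
    """Recover the full FileStore from an attenuated/revocable capability
    by walking ``__closure__``. This is the kind of introspection a
    capability-secure subset (Joe-E, Caja) has to forbid outright."""
    if not callable(cap) or not getattr(cap, "__closure__", None):
        return None
    for cell in cap.__closure__:
        obj = cell.cell_contents
        if isinstance(obj, FileStore):
            return obj  # read *and* write authority, attenuation defeated
        if isinstance(obj, dict):
            obj = obj.get("target")  # look through the revocable wrapper
        found = reflection_escape(obj)
        if found is not None:
            return found
    return None
```

The attenuation and revocation wrappers are sound only in a language where `__closure__`, `__dict__`, `globals()` and friends cannot be reached by the code holding the capability; in CPython the unwrapping is a few lines, which is the practical content of the "remove enough and you have another language" argument.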