Re: [Xotcl] Re: Safe interp for xotcl
From: Ben Thomasson <ben.thomasson_at_gmail.com>
Date: Mon, 4 Apr 2005 13:31:57 -0400
Jeff,

Considering there is a safe interp in Tcl, there should be extensive unit testing that can be run in regression to make sure any new functionality like this does not break the security model. Does Tcl have regression tests (tcltest or other) that exercise the ability of safe interp to stop dangerous code? If there is, then these tests could be run in at least Object eval to see whether this simple approach would work. If not, there should be. Or is the security model based on proving the safety of an interp by analysis of the code? If you take this second approach then much more work must be done before xotcl includes this code for the safe interp.

Ben

ps ( In open source projects, is it the person who comes up with the idea who is the person to implement it? Dang. )
On Apr 4, 2005 1:13 PM, Jeff Hobbs <jeffh_at_activestate.com> wrote:
> Gustaf Neumann wrote:
> > Since xotcl uses ordinary tcl interps, i would assume, it
> > inherits the safety of safe tcl interps. Since xotcl does
> > not do any socket handling, file-i/o, exec's, etc., i would
> > think, this is a good start. If you see commands that we
> > should deactivate in safe interps, please let me know.
>
> You have to be careful with anything you add at the C level for
> safe interps. Whatever you create in Tcl in safe interps is by
> definition safe (if you aren't aliasing into the master), because
> of the model. However, in C you can expose anything. While you
> might not directly expose exec, IO, etc., you have to consider
> how you might indirectly expose that functionality and how a user
> might exploit that. I'm not saying that xotcl does, but you
> should just consider the implications of each C-based command
> individually. You also have the Tcl_IsSafeInterp C API for
> variant behavior in safe interps.
>
> Jeff Hobbs, The Tcl Guy
> http://www.ActiveState.com/, a division of Sophos
>
>
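The kind of regression test Ben asks about, written as an added example (it is not part of this thread, not Tcl's own test suite, and not xotcl code): a tcltest script that creates a safe interp, checks that the commands Jeff names (exec, I/O, sockets, file access) are hidden rather than merely absent, confirms that `interp issafe` (the script-level counterpart of the `Tcl_IsSafeInterp` C API) reports the interp as safe, and checks that an alias into the master exposes only the wrapper proc, not the underlying command. It assumes Tcl 8.5 or later with the tcltest package; the `readOnlyAlias` wrapper and the list of dangerous commands are constructed for this example. Any C-level command xotcl adds could be covered by appending a script that calls it to the `dangerous` list.

```tcl
package require Tcl 8.5
package require tcltest
namespace import ::tcltest::*

# Constructed list: commands that must not be callable in a safe interp,
# each paired with a script that tries to use it.
set dangerous {
    exec    {exec /bin/ls}
    open    {open /etc/passwd r}
    socket  {socket localhost 80}
    file    {file delete /tmp/probe}
    source  {source /etc/passwd}
    load    {load libprobe.so}
    cd      {cd /}
    glob    {glob *}
    pwd     {pwd}
}

# Evaluate a script in a fresh safe interp and report whether it was
# refused with "invalid command name", which is how hidden commands fail.
proc safeEvalBlocked {script} {
    set slave [interp create -safe]
    set code [catch {interp eval $slave $script} msg]
    interp delete $slave
    return [expr {$code != 0 && [string match {invalid command name*} $msg]}]
}

foreach {cmd script} $dangerous {
    test safe-interp-$cmd "safe interp refuses $cmd" -body {
        safeEvalBlocked $script
    } -result 1
}

# The script-level equivalent of Tcl_IsSafeInterp.
test safe-interp-issafe "safe interp reports itself as safe" -body {
    set slave [interp create -safe]
    set r [interp issafe $slave]
    interp delete $slave
    set r
} -result 1

# Being refused is not enough: the commands must be in the hidden set,
# so that only the master can expose them deliberately via interp expose.
test safe-interp-hidden "dangerous commands are hidden, not just missing" -body {
    set slave [interp create -safe]
    set hidden [interp hidden $slave]
    interp delete $slave
    set missing {}
    foreach cmd {exec open socket file source load cd glob pwd} {
        if {$cmd ni $hidden} { lappend missing $cmd }
    }
    set missing
} -result {}

# Aliasing into the master is the one sanctioned way to re-expose
# functionality. This hypothetical wrapper reports only a file's size.
proc readOnlyAlias {slave path} {
    return [file size $path]
}

test safe-interp-alias "alias exposes only the wrapper, not file itself" -body {
    set probe [makeFile "constructed probe contents" probe.txt]
    set slave [interp create -safe]
    interp alias $slave fsize {} readOnlyAlias $slave
    set viaAlias [interp eval $slave [list fsize $probe]]
    set refused [catch {interp eval $slave [list file size $probe]} msg]
    interp delete $slave
    removeFile probe.txt
    list [expr {$viaAlias == [file size $probe]}] $refused \
         [string match {invalid command name*} $msg]
} -result {1 1 1}

cleanupTests
```

Run it with `tclsh safe-interp.test`; every test should report a pass. Each added C command should be exercised the same way, with the script calling it through whatever interface it provides, since Jeff's point is that a C command can reach exec or I/O indirectly without ever exposing those names.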