Velocity Reviews - Computer Hardware Reviews

capability-secure Ruby?

 
 
Derick Eddington
06-01-2004
Hi, this is my first post here. I've just started learning about Ruby (a few
days ago so forgive my ignorance) motivated by a desire to learn if it can be a
capability-secure language.

What control is possible over the namespace Ruby code executes in? Can the
ambient/default authority available to code be restricted? I want to be able
to make my own namespace for untrusted code to execute in where all default
objects (especially ones like ObjectSpace) can be selectively removed and my
own can be put in. I'm aware of eval(codestr, binding). Can I construct a
Binding object from scratch with just what I want in it? Can I permanently
delete unwanted objects from the base namespace? Very important is the ability
to prevent module importing. Can this be done? Another potential ambient
authority problem is built-in/language-syntax abilities like "" creates a new
String. Can I do things like change String class and then "" will use the new
modified class?

Just how opaque can Ruby objects be made to be? I'm aware of making private
methods and that variables require accessor methods but I've seen the name and
value of instance variables printed in objects' string representations. Can
the internals of Ruby objects be made completely invisible? Can I make an
object where having a reference to the object gives you ONLY the ability to
call its desired-to-be-exposed methods and transfer the reference, and
absolutely nothing else? Meaning tricky things like: evil = a.class.new() or
evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
make a class that nullifies all public methods from base class Object? Would
this make it provably impossible to do anything other than call the public
methods I make?

I hope you get my drift. The basic principle of capability-security is
"authority with designation". How much can I restrict what is designatable to
Ruby code?

--Derick

Florian Gross
06-01-2004
Derick Eddington wrote:

> Hi, this is my first post here.


Hi!

> Just how opaque can Ruby objects be made to be? I'm aware of making private
> methods and that variables require accessor methods but I've seen the name and
> value of instance variables printed in objects' string representations. Can
> the internals of Ruby objects be made completely invisible? Can I make an
> object where having a reference to the object gives you ONLY the ability to
> call its desired-to-be-exposed methods and transfer the reference, and
> absolutely nothing else. Meaning tricky things like: evil = a.class.new() or
> evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
> make a class that nullifies all public methods from base class Object? Would
> this make it provably impossible to do anything other than call the public
> methods I make?


This is possible. It's commonly called a kernel-less Object:

See http://onestepback.org/index.cgi/Tec...lankSlate.rdoc --
however, I think that with that Object you could still do
Object.instance_method(:instance_eval).bind(BlankSlate.new).call {@foo}

I've implemented a KernellessObject that won't allow users to do that
either. It's part of the evil-ruby project. (See
http://evil.rubyforge.net). Let's demonstrate it:

irb(main):001:0> blank = KernellessObject.new
irb(main):002:0> Object.instance_method(:instance_eval).bind(blank).call {@foo = 5}
TypeError: bind argument must be an instance of Object

> I hope you get my drift. The basic principle of capability-security is
> "authority with designation". How much can I restrict what is designatable to
> Ruby code?


I think that most of it can't be done just yet. It would be very nice to
have an extensive layer available for all this. I've also heard that
some features of this are already being integrated into Ruby.
(Facilities for hiding constants etc.)

You might want to have a look at $SAFE -- it lets you restrict the
things that code can do. (For example it disallows any I/O operations.)

Regards,
Florian Gross
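An added illustration of the point Florian makes (example code written for this page, not from the thread, evil-ruby or BlankSlate; the class and method names BlankSlate, Locker, probe and read_via_unbound_method are assumed, and it targets a current Ruby): a blank-slate class hides every inherited method from ordinary callers, yet an UnboundMethod fetched from Object and bound to the instance still reads its instance variables, so such an object hides an interface but is not a confinement boundary for secrets it holds.

```ruby
# Added example (not from the thread or evil-ruby): a BlankSlate-style class
# that undefines every public/protected method inherited from Object/Kernel,
# and the UnboundMethod route Florian describes that still reaches its state.
class BlankSlate
  # __send__/__id__/object_id are kept: Ruby warns that removing them
  # "may cause serious problems", and __send__ is our only dispatch path.
  KEEP = %i[__send__ __id__ object_id].freeze
  instance_methods.each do |m|
    undef_method(m) unless KEEP.include?(m)
  end
end

# A constructed holder object that intends to expose exactly one method.
class Locker < BlankSlate
  def initialize(secret)
    @secret = secret
  end

  def secret_length
    @secret.length
  end
end

# Call +meth+ on +obj+ the way ordinary client code would; return :blocked
# if the blank slate has removed it.
def probe(obj, meth, *args)
  obj.__send__(meth, *args)
rescue NoMethodError
  :blocked
end

# Florian's bypass: instance_eval is fetched from Object, which the subclass
# cannot alter, and bound to the instance; undef_method in BlankSlate does
# not affect a Method object that is already bound.
def read_via_unbound_method(obj)
  Object.instance_method(:instance_eval).bind(obj).call { @secret }
end

if __FILE__ == $PROGRAM_NAME
  l = Locker.new("hunter2")           # constructed sample secret
  puts "secret_length:         #{probe(l, :secret_length).inspect}"        # 7
  puts "class:                 #{probe(l, :class).inspect}"                # :blocked
  puts "instance_variable_get: #{probe(l, :instance_variable_get, :@secret).inspect}"
  puts "instance_eval:         #{probe(l, :instance_eval).inspect}"        # :blocked
  puts "unbound instance_eval: #{read_via_unbound_method(l).inspect}"      # "hunter2"
end
```

The last line shows why a reference is not a capability in Ruby: anyone holding the object and an ordinary Object also holds the reflection needed to read its state, so secrets must not share an object with code that is handed to less-trusted callers.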
 