Differences between revisions 7 and 8
Revision 7 as of 2008-12-05 15:07:58
Size: 2018
Editor: hachoir
Comment:
Revision 8 as of 2008-12-23 21:29:50
Size: 2256
Editor: i-195-137-57-77
Comment: Add reference to CapPython
Deletions are marked like this. Additions are marked like this.
Line 30: Line 30:
See PyPy project: [[http://codespeak.net/pypy/dist/pypy/doc/sandbox.html|PyPy's sandboxing features]].  * PyPy project: [[http://codespeak.net/pypy/dist/pypy/doc/sandbox.html|PyPy's sandboxing features]].
 * [[http://mail.python.org/pipermail/python-dev/2008-September/082475.html|CapPython]] is an object-capability subset of Python, inspired by Joe-E and Caja/Cajita, which are object-capability subsets of Java and Javascript respectively.

Notes about Python Security.

Taint mode

Nicole King (cats-muvva.net) wrote a taint mode for CPython 3.0: Python Taint Management.

Problems:

  • amaury: The patch is indeed huge!

  • fijall: it seems that every function that returns a PyObject must be modified

  • fijall: need to patch (...) all places that might modify anything. (All side effects)

=> ncoghlan: PyPy is still a *much* better platform for that kind of experimentation than CPython

See also the presentation: Securing Python: Controling the abilities of the interpreter, PyCon US 2007, Brett Cannon and Eric Wohlstadter

Python Security Response Team

Some members:

  • Brett Cannon

Email: security AT python.org

Controlling Access to Resources Within The Python Interpreter

Sandboxing

  • PyPy project: PyPy's sandboxing features.

  • CapPython is an object-capability subset of Python, inspired by Joe-E and Caja/Cajita, which are object-capability subsets of Java and Javascript respectively.

Unsafe modules

Fuzzing

Victor Stinner wrote a fuzzer called Fusil to test Python. It already helped to fix many bugs. fusil-python works on Python 2.4 .. 3.0.

Fusil was also used on PyPy (Finding Bugs in PyPy with a Fuzzer).

Security (last edited 2009-09-14 09:54:15 by PaulBoddie)

Unable to edit the page? See the FrontPage for instructions.