On 10/10/05, aurelianito <aurelianocalvo / yahoo.com.ar> wrote:
> > Setting up a list of "unsafe" methods (blacklisting) is likely to
> > break when more methods are added. Instead, I'd set up a list of
> > *safe* methods (whitelisting).
>
> I agree. But my idea is to leave security configuration to the
> administrator. I want to give him/her the tools necessary to disable
> unwanted behaviour.

Same goes for the sysadmin, really.  Security researchers tend to list
the use of blacklisting instead of whitelisting as one of the top five
reasons for the amount of security problems we have.

One thing that I've personally been thinking a bit about for possible
use in FreeBSD is the ability to restrict a process to a completely
specified set of capabilities, throwing away the rest.  Then, we'd
only need to trust the code that throws away the privs, not the rest.
If done conveniently, this could be used by all programs, for internal
compartmentalization.  This might be a different use for your code that
you've not yet thought of?

> > For the unsafe code part, I'd use safemode and proxy over the classes
> > you want to allow by overriding the MyClass constant with a pure
> > method_missing based proxy.  The proxied calls can be filtered for
> > security on the "outside", where only your code runs.
>
> I'm interested in this option. How do you prevent the unsafe code from
> bypassing the proxy? Can you show me some ruby (pseudo)code?

If you've wiped everything, there are no bypass possibilities (Ruby
object refs work as capabilities.)  I'd probably implement this with
$SAFE = 4 for extra safety, though.  Unfortunately, I lack the time to
play around with this and try to give you any decent form of code
right now.

Eivind.
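As an added example (not code from the original thread, and not Eivind's or aurelianito's own implementation), here is the method_missing-based whitelisting proxy Eivind sketches: the untrusted code only ever holds a reference to the proxy, and the proxy forwards a fixed allowlist of methods to the real object, so the filtering runs "on the outside". The class names (Account, SafeProxy, ForbiddenCall), the allowlist and the sample account are made up for the illustration. One caveat a practitioner needs today: $SAFE = 4 no longer exists (level 4 was removed in Ruby 2.1, and $SAFE stopped being a security mechanism in Ruby 3.0), so the proxy has to do all of the filtering itself, and it restricts only what can be done with the wrapped object, not what the untrusted code can reach through global constants such as ::Kernel.

```ruby
# Added example, not from the original thread. Hypothetical names throughout.

class Account
  attr_reader :owner, :balance

  def initialize(owner, balance)
    @owner = owner
    @balance = balance
  end

  def deposit(amount)
    raise ArgumentError, "amount must be positive" unless amount.positive?
    @balance += amount
  end

  # Privileged operation: must never be reachable from untrusted code.
  def set_balance!(amount)
    @balance = amount
  end
end

class ForbiddenCall < StandardError; end

# BasicObject gives the proxy almost no inherited methods, so nearly every
# call lands in method_missing. The reflective methods BasicObject does
# define are removed so the wrapped object cannot be pried out of the proxy.
# Constants must be referenced from the root (::Kernel, ::ForbiddenCall)
# because a BasicObject subclass does not see Object's namespace.
class SafeProxy < BasicObject
  undef_method :instance_eval, :instance_exec

  def initialize(target, allowed)
    @target = target
    @allowed = allowed.map(&:to_sym).freeze
  end

  # Whitelist check: anything not explicitly allowed is rejected, which is
  # what keeps the proxy safe when the wrapped class later gains methods.
  def method_missing(name, *args, &block)
    unless @allowed.include?(name)
      ::Kernel.raise ::ForbiddenCall, "#{name} is not whitelisted"
    end
    @target.public_send(name, *args, &block)
  end

  def respond_to_missing?(name, include_private = false)
    @allowed.include?(name)
  end
end

# Read-only accessors plus deposit; everything else is denied by default.
ACCOUNT_ALLOWLIST = %i[owner balance deposit].freeze

def sandboxed_account(account)
  SafeProxy.new(account, ACCOUNT_ALLOWLIST)
end

# Helper used by the "untrusted" code below to record whether a call got
# through the proxy or was rejected.
def attempt
  yield
  :allowed
rescue ForbiddenCall
  :blocked
end

# Stand-in for untrusted code: it receives only the proxy and tries both the
# permitted operations and several ways of escaping the proxy. Returns the
# outcomes as a hash so the behaviour can be checked without printing.
def run_untrusted(proxy)
  {
    owner:         proxy.owner,
    deposit:       proxy.deposit(50),
    balance:       proxy.balance,
    set_balance:   attempt { proxy.set_balance!(0) },
    ivar_get:      attempt { proxy.instance_variable_get(:@target) },
    send:          attempt { proxy.send(:set_balance!, 0) },
    instance_eval: attempt { proxy.instance_eval { @target } },
  }
end

# Blacklisting would have to be updated when Account grows a new method;
# the whitelist rejects the new method without any change.
def whitelist_survives_new_methods(proxy)
  Account.class_eval do
    def close!
      @balance = 0
    end
  end
  attempt { proxy.close! }
end

if __FILE__ == $0
  acct = Account.new("alice", 100)
  proxy = sandboxed_account(acct)
  p run_untrusted(proxy)
  p whitelist_survives_new_methods(proxy)
end
```

Two design points worth noting. First, return values are capabilities too: here the allowed methods only return Strings and Integers, but if a whitelisted method returned a mutable object with privileged methods, that object would need to be wrapped in its own proxy before being handed back, or the untrusted code would simply use it directly. Second, the `send`, `instance_variable_get` and `instance_eval` attempts are blocked not because they are on a blacklist but because they are absent from the allowlist and no longer defined on the proxy; that is the whitelisting argument from the thread in practice.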