[Twisted-Python] Security of PB

Glyph Lefkowitz glyph at twistedmatrix.com
Thu Aug 16 18:33:24 EDT 2001


On Thu, 16 Aug 2001, Chris Armstrong wrote:

> I'd like to ask for someone to just give me a general overview of the
> security in twisted.spread.

Everything is an object, and you can only get references to other objects
through calling methods on them.  To get a loose idea of why this is an
adequate security solution, take a look at http://www.cap-lore.com.

Of course, the initial objects you're allowed to request have to do with
the presentation of certain credentials.  In the upcoming 'passport'
system, you provide a challenge/response authentication as your
credentials, but the notion of 'credentials' is somewhat pluggable.  

Hopefully by the time pb is reaching its final iteration we'll have public
key exchange rather than shared secret.  Of course, for compatibility with
old protocols, we may have to provide other authentication techniques.  
Maybe even (bleh) htpasswd files or some such.  Those will probably only
let you have access to a particular service.  For example, plaintext
password authentication is done with the IRC service, in CVS.

The general idea is that you go through some process where you provide
credentials; how secure the server is directly corresponds to what
credentials it will allow users to present for the services they access.

> Could a PB application be attacked on a low-level?

Of course.  And so can eBay and amazon.com, as DDoSes in recent years have
shown.  PB is a *high* level infrastructure :)

There are certain buffer size maximums in Banana which make it slightly
resistant to random cracking; I don't know if these are sufficient for
real DoS though.

As far as illegally gaining access to objects you're not supposed to have
access to, or executing arbitrary code, I don't think that it's possible
with the current implementation of PB.  I may be wrong, of course, and I'd
love for a security expert to audit my code -- but twisted walks a fine
line between security and convenience.  If they say "Don't use passwords,
they're insecure" or "don't support regular HTTP, it's insecure", there's
nothing I can do about that right now.

I think that it might be nice to increase or decrease the 'security
rating' of a particular Application instance depending on some statistics
of its Authorizer.  I'm not sure what would ever _increase_ it though :)

                      ______      __   __  _____  _     _
                     |  ____ |      \_/   |_____] |_____|
                     |_____| |_____  |    |       |     |
                     @ t w i s t e d m a t r i x  . c o m
                     http://twistedmatrix.com/users/glyph
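The object-capability idea Glyph sketches above (every reference is obtained by calling a method on a reference you already hold, and the first reference is released only after a credential exchange) is small enough to model in a few dozen lines. The following is an added example written for this archive page; it is not Twisted's code and does not use twisted.spread. The class names (Server, Connection, Bank, Account), the per-connection reference table, and the HMAC-SHA256 challenge/response are all assumptions made for illustration, not PB's actual wire format or its 'passport' scheme; the users, secrets and balances are constructed sample data.

```python
"""Toy model of capability-style access, in the spirit of twisted.spread PB.
Added example for the archived post above; NOT Twisted's code.  Every name
here (Server, Connection, Bank, Account, remote_*) is an assumption made for
illustration, as is the HMAC-SHA256 challenge/response used for login."""
import hashlib
import hmac
import itertools
import os


class Referenceable:
    """Base for server-side objects; only methods named remote_* are callable."""


class Account(Referenceable):
    def __init__(self, balance):
        self.balance = balance

    def remote_balance(self):
        return self.balance

    def remote_withdraw(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return self.balance


class Bank(Referenceable):
    """Initial object handed to one authenticated user.  It exposes only that
    user's account, so no chain of method calls reaches anyone else's."""

    def __init__(self, account):
        self._account = account

    def remote_my_account(self):
        return self._account


class Connection:
    """One client's view of the server: a private table of opaque reference ids
    (assumption: modelled per connection, so ids from one client mean nothing
    on another)."""

    def __init__(self, server):
        self._server = server
        self._refs = {}                 # opaque id -> server object
        self._ids = itertools.count(1)
        self._nonce = None
        self._user = None

    def challenge(self, username):
        if username not in self._server.secrets:
            raise PermissionError("unknown user")
        self._user, self._nonce = username, os.urandom(16)
        return self._nonce

    def respond(self, response):
        if self._nonce is None:
            raise PermissionError("no outstanding challenge")
        secret = self._server.secrets[self._user]
        expected = hmac.new(secret, self._nonce, hashlib.sha256).digest()
        self._nonce = None              # a challenge is single-use
        if not hmac.compare_digest(expected, response):
            raise PermissionError("bad response")
        # Credentials accepted: the client gets its first (and only) root reference.
        return self._export(Bank(self._server.accounts[self._user]))

    def _export(self, obj):
        ref = next(self._ids)
        self._refs[ref] = obj
        return ref

    def call_remote(self, ref, method, *args):
        obj = self._refs.get(ref)
        if obj is None:                 # never handed to this client
            raise PermissionError("reference %r not held by this client" % ref)
        handler = getattr(obj, "remote_" + method, None)
        if handler is None:             # the remote_ prefix keeps internals unreachable
            raise PermissionError("no remote method %r" % method)
        result = handler(*args)
        # A returned object becomes a new reference; that is the only way to get one.
        return self._export(result) if isinstance(result, Referenceable) else result


class Server:
    def __init__(self, secrets, accounts):
        self.secrets, self.accounts = secrets, accounts

    def connect(self):
        return Connection(self)


def client_response(secret, nonce):
    """What the client sends back for a challenge (assumed scheme)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def denied(fn):
    """True if calling fn raises PermissionError."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo():
    # Constructed sample data, not real credentials.
    server = Server({"alice": b"alice-secret", "bob": b"bob-secret"},
                    {"alice": Account(100), "bob": Account(50)})

    alice = server.connect()
    root = alice.respond(client_response(b"alice-secret", alice.challenge("alice")))
    acct = alice.call_remote(root, "my_account")
    balance = alice.call_remote(acct, "withdraw", 30)           # 70

    bob = server.connect()
    wrong = denied(lambda: bob.respond(client_response(b"guess", bob.challenge("bob"))))
    bob_root = bob.respond(client_response(b"bob-secret", bob.challenge("bob")))
    # Bob replaying Alice's reference id, or naming a non-remote_ attribute, gets nothing.
    forged = denied(lambda: bob.call_remote(acct, "withdraw", 10))
    internal = denied(lambda: bob.call_remote(bob_root, "_account"))
    return balance, wrong, forged, internal, server.accounts["alice"].balance
```

The point of the model is the shape of the attack surface, not the toy bank: a client that has not presented acceptable credentials holds no reference at all, and a client that has can only reach what its root object's remote_ methods hand out. How strong the server is then reduces, as the post says, to which credential types it accepts.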
