[Twisted-Python] random security thoughts

Glyph Lefkowitz glyph at twistedmatrix.com
Sun Sep 1 05:45:08 EDT 2002 

Hi Twistedistanians,

Here is some internal rambling I've been doing about fixing up PB to be more
bulletproof.  Apologies if it's not coherent to anyone else but I figured I'd
better mention the idea on the list and see of someone smarter than me can fill
in a gap or two :).

So, I think I understand what the potential security problem is with PB --
specifically, it's in Jelly, because the way that types are registered with the
serializer is a very primitive ACL.

This violates POLA for all PB method calls in a subtle (and usually harmless)
way -- the Broker object, which deserializes Jelly types, can effectively
receive arbitrary messages from any object on the other end of the connection.
pb.Broker is the deputy which can become confused.

The trouble is that this is so damn *handy*.  If we want to enforce correct
authority boundaries here, some form of IDL is necessary, since a method can
only (return values, pass arguments) of appropriately declared types, because
those types are methods sent to the serializer.

Is there some middle ground?  Currently there's quite a bit of room for
malicious confusion of networked code, since arbitrary types may be passed to
arbitrary methods, and there is only one serialization/deserialization
registry.  However, full IDL would make publishing remote methods and new
copyable types rather tedious (and more fragile across different versions of
network interface for a given program).  You'd also need a full replication of
the server-side class hierarchy on the client in order to allow any kind of
polymorphism at all.  So I would view IDL as correct and complete for POLA
purposes, but too tedious to be practical.  I figure there's got to be some
equivalent here that would be more like UNIX's half-hearted ACLs and less like
a superuser bit for various serializeable types.

This wouldn't be perfect, but given how little deserialization methods
typically do it's probably OK.  Unfortunately I can't think of what form such a
compromise would take.  Easy enough to understand, but still possible to ensure
against obvious abuses.  Any suggestions?

-- 
 |    <`'>    |  Glyph Lefkowitz: Travelling Sorcerer  |
 |   < _/ >   |  Lead Developer,  the Twisted project  |
 |  < ___/ >  |      http://www.twistedmatrix.com      |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-python/attachments/20020901/a6ef99f7/attachment.pgp

More information about the Twisted-Python mailing list