capability-secure Ruby?

Discussion in 'Ruby' started by Derick Eddington, Jun 1, 2004.

  1. Hi, this is my first post here. I've just started learning about Ruby (a few
    days ago so forgive my ignorance) motivated by a desire to learn if it can be a
    capability-secure language.

    What control is possible over the namespace Ruby code executes in? Can the
    ambient/default authority available to code be restricted? I want to be able
    to make my own namespace for untrusted code to execute in where all default
    objects (especially ones like ObjectSpace) can be selectively removed and my
    own can be put in. I'm aware of eval(codestr, binding). Can I construct a
    Binding object from scratch with just what I want in it? Can I permanently
    delete unwanted objects from the base namespace? Very important is the ability
    to prevent module importing. Can this be done? Another potential ambient
    authority problem is built-in/language-syntax abilities like "" creates a new
    String. Can I do things like change String class and then "" will use the new
    modified class?

    Just how opaque can Ruby objects be made to be? I'm aware of making private
    methods and that variables require accessor methods but I've seen the name and
    value of instance variables printed in objects' string representations. Can
    the internals of Ruby objects be made completely invisible? Can I make an
    object where having a reference to the object gives you ONLY the ability to
    call its desired-to-be-exposed methods and transfer the reference, and
    absolutely nothing else. Meaning tricky things like: evil = a.class.new() or
    evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
    make a class that nullifies all public methods from base class Object? Would
    this make it provably impossible to do anything other than call the public
    methods I make?

    I hope you get my drift. The basic principle of capability-security is
    "authority with designation". How much can I restrict what is designatable to
    Ruby code?

    --Derick
    Derick Eddington, Jun 1, 2004
    #1

  2. Derick Eddington wrote:

    > Hi, this is my first post here.


    Moin!

    > Just how opaque can Ruby objects be made to be? I'm aware of making private
    > methods and that variables require accessor methods but I've seen the name and
    > value of instance variables printed in objects' string representations. Can
    > the internals of Ruby objects be made completely invisible? Can I make an
    > object where having a reference to the object gives you ONLY the ability to
    > call its desired-to-be-exposed methods and transfer the reference, and
    > absolutely nothing else. Meaning tricky things like: evil = a.class.new() or
    > evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
    > make a class that nullifies all public methods from base class Object? Would
    > this make it provably impossible to do anything other than call the public
    > methods I make?


    This is possible. It's commonly called a kernel-less Object:

    See http://onestepback.org/index.cgi/Tech/Ruby/BlankSlate.rdoc --
    however, I think, that with that Object you could still do
    Object.instance_method(:instance_eval).bind(BlankSlate.new).call {@foo}

    I've implemented a KernellessObject that won't allow users to do that
    either. It's part of the evil-ruby project. (See
    http://evil.rubyforge.net). Let's demonstrate it:

    irb(main):001:0> blank = KernellessObject.new
    irb(main):002:0> Object.instance_method(:instance_eval).bind(blank).call {@foo = 5}
    TypeError: bind argument must be an instance of Object

    > I hope you get my drift. The basic principle of capability-security is
    > "authority with designation". How much can I restrict what is designatable to
    > Ruby code?


    I think that most of it can't be done just yet. It would be very nice to
    have an extensive layer available for all this. I've also heard that
    some features of this are already being integrated into Ruby.
    (Facilities for hiding constants etc.)

    You might want to have a look at $SAFE -- it lets you restrict the
    things that code can do. (For example it disallows any I/O operations.)

    Regards,
    Florian Gross
    Florian Gross, Jun 1, 2004
    #2
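    The following is an added example, not code from the thread, from the
    onestepback.org BlankSlate page, or from evil-ruby's KernellessObject. It
    builds a BlankSlate-style class the way Florian describes (undefine every
    public method inherited from Object) and then probes it from the position of
    Derick's "holder of a reference": the intended method works, `a.class`,
    `instance_variable_get` and `send` are gone, but re-binding an unbound method
    taken from Object still reaches the instance variables, which is exactly the
    hole Florian points at. The names `BlankSlate`, `SecretBox`, `probe`,
    `failure_of` and the sample secret are this example's own choices.

    ```ruby
    # Added example (not from the thread or from evil-ruby): a BlankSlate-style
    # class plus a probe showing why method removal alone is not a capability
    # boundary. All class, method and sample-value names are constructed here.

    class BlankSlate
      # Ruby warns when these three are undefined; everything else inherited
      # from Object/Kernel is removed from this class's method table.
      KEEP = [:__send__, :__id__, :object_id].freeze

      instance_methods.each do |name|
        undef_method(name) unless KEEP.include?(name)
      end
    end

    # A holder of a reference to a SecretBox is meant to get only #hint.
    class SecretBox < BlankSlate
      def initialize(secret)
        @secret = secret
      end

      # The single capability we intend to expose.
      def hint
        @secret.length
      end
    end

    # Runs the block and returns the class of the exception it raised,
    # or nil when it succeeded.
    def failure_of
      yield
      nil
    rescue Exception => e
      e.class
    end

    # Exercises the box the way untrusted code holding the reference would.
    def probe(box)
      {
        # Intended surface: works.
        hint:         box.hint,
        # Ambient authority reached through the method table: blocked.
        class_call:   failure_of { box.class },
        ivar_get:     failure_of { box.instance_variable_get(:@secret) },
        send_ivar:    failure_of { box.send(:instance_variable_get, :@secret) },
        # Florian's caveat: an unbound method taken from Object can be bound to
        # the receiver and called directly; undef_method in the subclass never
        # enters into that path, so both calls below read the secret.
        rebound_eval: ::Object.instance_method(:instance_eval).bind(box).call { @secret },
        rebound_ivar: ::Object.instance_method(:instance_variable_get).bind(box).call(:@secret)
      }
    end

    if __FILE__ == $PROGRAM_NAME
      # Sample secret is constructed for the demonstration.
      probe(SecretBox.new("hunter2")).each { |k, v| puts "#{k}: #{v.inspect}" }
    end
    ```

    The same re-binding trick applies to `BasicObject` subclasses on current Ruby
    (an unbound method whose owner is a module such as `Kernel` can be bound to
    any receiver), so a blank-slate class only narrows what is easy to call; any
    code that can name `Object` or `Kernel` and call `instance_method` retains
    full access to the object's internals. Real confinement therefore has to
    remove that ambient authority from the untrusted code's namespace rather than
    rely on undefining methods on the protected object.
    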