capability-secure Ruby?


Derick Eddington

Hi, this is my first post here. I've just started learning about Ruby (a few
days ago so forgive my ignorance) motivated by a desire to learn if it can be a
capability-secure language.

What control is possible over the namespace Ruby code executes in? Can the
ambient/default authority available to code be restricted? I want to be able
to make my own namespace for untrusted code to execute in where all default
objects (especially ones like ObjectSpace) can be selectively removed and my
own can be put in. I'm aware of eval(codestr, binding). Can I construct a
Binding object from scratch with just what I want in it? Can I permanently
delete unwanted objects from the base namespace? Very important is the ability
to prevent module importing. Can this be done? Another potential ambient
authority problem is built-in/language-syntax abilities like "" creates a new
String. Can I do things like change String class and then "" will use the new
modified class?

Just how opaque can Ruby objects be made to be? I'm aware of making private
methods and that variables require accessor methods but I've seen the name and
value of instance variables printed in objects' string representations. Can
the internals of Ruby objects be made completely invisible? Can I make an
object where having a reference to the object gives you ONLY the ability to
call its desired-to-be-exposed methods and transfer the reference, and
absolutely nothing else. Meaning tricky things like: evil = a.class.new() or
evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
make a class that nullifies all public methods from base class Object? Would
this make it provably impossible to do anything other than call the public
methods I make?

I hope you get my drift. The basic principle of capability-security is
"authority with designation". How much can I restrict what is designatable to
Ruby code?

--Derick

Florian Gross

Derick said:
> Hi, this is my first post here.

Moin!

> Just how opaque can Ruby objects be made to be? I'm aware of making private
> methods and that variables require accessor methods but I've seen the name and
> value of instance variables printed in objects' string representations. Can
> the internals of Ruby objects be made completely invisible? Can I make an
> object where having a reference to the object gives you ONLY the ability to
> call its desired-to-be-exposed methods and transfer the reference, and
> absolutely nothing else. Meaning tricky things like: evil = a.class.new() or
> evil = a._internal_[1].namespace["secret"] can be made impossible? Can I
> make a class that nullifies all public methods from base class Object? Would
> this make it provably impossible to do anything other than call the public
> methods I make?

This is possible. It's commonly called a kernel-less Object:

See http://onestepback.org/index.cgi/Tech/Ruby/BlankSlate.rdoc --
however, I think that with that Object you could still do
Object.instance_method(:instance_eval).bind(BlankSlate.new).call { @foo }

I've implemented a KernellessObject that won't allow users to do that
either. It's part of the evil-ruby project. (See
http://evil.rubyforge.net). Let's demonstrate it:

irb(main):001:0> blank = KernellessObject.new
irb(main):002:0> Object.instance_method(:instance_eval).bind(blank).call { @foo = 5 }
TypeError: bind argument must be an instance of Object

> I hope you get my drift. The basic principle of capability-security is
> "authority with designation". How much can I restrict what is designatable to
> Ruby code?

I think that most of it can't be done just yet. It would be very nice to
have an extensive layer available for all this. I've also heard that
some features of this are already being integrated into Ruby.
(Facilities for hiding constants etc.)

You might want to have a look at $SAFE -- it lets you restrict the
things that code can do. (For example it disallows any I/O operations.)

Regards,
Florian Gross
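
The blank-slate object Derick asks about and the rebinding route Florian's reply points out, written out as an added example (this is not code from the thread, from the BlankSlate article, or from evil-ruby's KernellessObject, and it runs on current MRI rather than the Ruby of the time). The class name BlankSlate, the helper names interface_only, hidden_from_interface? and rebind_leak, and the sample secret are all mine:

```ruby
# Added example: a blank-slate class in the spirit of the BlankSlate article
# linked in the reply. Every public instance method inherited from Object (and
# the Kernel / BasicObject methods behind it) is undefined, so a holder of the
# reference sees only what the class chooses to expose. Names here are mine.
class BlankSlate
  # Undefining these makes MRI warn; keeping them barely widens the interface.
  KEEP = [:__send__, :__id__, :object_id].freeze

  instance_methods.each do |m|
    undef_method(m) unless KEEP.include?(m)
  end

  def initialize(secret)
    @secret = secret # the state we would like to keep invisible
  end

  # The only capability this object is meant to grant.
  def greet
    "hello"
  end
end

# Using the object through its intended interface.
def interface_only(obj)
  obj.greet
end

# Reflection through the object's own method table is gone: the usual way of
# reading instance state raises NoMethodError on a blank slate.
def hidden_from_interface?(obj)
  obj.instance_variable_get(:@secret)
  false
rescue NoMethodError
  true
end

# The bypass the reply describes. undef_method only edits BlankSlate's method
# table; an UnboundMethod fetched from Object can still be bound to the blank
# object, which recovers instance_eval and with it the "hidden" ivar.
def rebind_leak(obj)
  Object.instance_method(:instance_eval).bind(obj).call { @secret }
end

if __FILE__ == $PROGRAM_NAME
  blank = BlankSlate.new("s3cret") # constructed sample secret
  puts interface_only(blank)         # hello
  puts hidden_from_interface?(blank) # true
  puts rebind_leak(blank)            # s3cret
end
```

The point for anyone evaluating Ruby as a capability language is the third result: the reference to `blank` carries more authority than its public method table shows, because the rebinding goes through Object's method table rather than BlankSlate's. Ruby 1.9 and later ship BasicObject as a built-in blank slate, but instance_eval is defined on BasicObject itself, so the same rebinding works on a BasicObject instance too; confining untrusted code has to happen at a layer above the object's own interface, which is what the reply means by saying most of this can't be done yet.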