dertown wrote:
Hi Charles,
What exactly is wrong with SAFE and Taint, and would it even be possible to get it working properly? I know you said below it was not possible.
I am just trying to understand why.
Politically and theoretically, safe and taint are insufficient to really
give you any reliable measure of security. There are just way too many
edge cases and possible ways to sneak by. Of course, that's just my
belief... but I know of no real-world systems using those sorts of
mechanisms for security and actually trusting them.
Practically, safe and taint add overhead to a massive number of
operations, ranging from class and method definition to every string or
array mutation. Poke around the JRuby code a bit and you'll see a whole
bunch of code, sprinkled liberally around the system, for checking
whether the current safe level is compatible with the current operation
and the current object's taint. It's not really a scalable way to do
security.
I'd be interested in hearing about your use cases for safe levels, to
better understand what requirements we actually need to fill. I'd wager
we can get the same things out of Java security levels or out of a more
limited safe approach for operations you might actually want to limit
(like eval) rather than operations that would only rarely be restricted
(like string mutation).
- Charlie
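As an added illustration (not code from the thread or from JRuby), here is a small Ruby model of the taint mechanism Charlie describes: every combining operation must carry the flag forward by hand, and a round-trip through Integer, which never carried taint, yields a fresh untainted string that a $SAFE-style guard (`guarded_eval_argument`, a hypothetical helper) then accepts.

```ruby
class TaintedString
  attr_reader :value
  attr_accessor :tainted

  def initialize(value, tainted: false)
    @value = value.dup
    @tainted = tainted
  end

  # Every mutating or combining operation must explicitly propagate taint;
  # this is the check that ends up "sprinkled liberally" through a runtime.
  def +(other)
    TaintedString.new(@value + other.value, tainted: @tainted || other.tainted)
  end

  def <<(other)
    @value << other.value
    @tainted ||= other.tainted
    self
  end

  # Edge case: converting to a type with no taint flag (Integer) and back
  # produces a brand-new string, so the mark is silently lost.
  def to_i_and_back
    TaintedString.new(Integer(@value, 10).to_s)
  end
end

# Hypothetical $SAFE-style guard: refuse tainted data in a sensitive
# operation such as eval.
def guarded_eval_argument(str)
  raise SecurityError, "Insecure operation: tainted string" if str.tainted
  str.value
end

# Constructed sample: untrusted input arrives tainted.
def demo
  input = TaintedString.new("42", tainted: true)
  combined = TaintedString.new("x = ") + input        # still tainted
  laundered = input.to_i_and_back                     # taint lost here
  {
    combined_tainted: combined.tainted,
    laundered_tainted: laundered.tainted,
    guarded_value: guarded_eval_argument(laundered),  # guard is bypassed
  }
end
```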