Parrot Team,
Good afternoon members of Parrot. I have attached a second rough draft
of my proposal if anyone would like to view and I welcome any
suggestions and ideas you may have to help improve my proposal. Thank
you and have a nice day.
--
Justin L. Harper
Electrical Engineering
Peer Partner Mentor
IEEE
Society of Automotive Engineers
Temple Taekwondo
Email: [email protected]
Cell: 215-866-6003
Project Summary
Security is quickly becoming a number one priority among web designers
and programmers in the digital age. Protecting vital bits of code from being
tampered with has become a key to continued success in all fields of study and
is no different for the Parrot Foundation. You want Parrot to run executions
from the outside without users being able to come in and alter files, which is
where The Security Sandboxing project comes into play. The sandbox will be
modular in design to allow for future development as Parrot grows and becomes
more versatile. In the design it will set permission flags and have an
interface that will ask “Do I have permission” making this a high priority as
Parrot becomes more modern in design.
Project Description
Design will be based off of a Security Context Structure where a
component can ask “Do I have permission”. I will create an interface where a
“parent” can set permissions on the child, but the child cannot alter its own
permissions. This security feature will be modular by design which will allow
future implementations to be added on. This will give Parrot security in
dealing with its growing versatility of communication with HLL’s. The Security
Sandbox has two main restrictions/permissions that I want to implement. First
is the ability to limit IO access such as limiting sockets and paths where file
handles can access resources and secondly to limit certain capabilities such as
loading dynamic libraries. The Security Context Structure will be able to
attach to the Parrot_interp_new and allow you to set the context without
allowing that interp to modify the context. Creating a set of rules for Parrot
to follow and attaching limitations to those rules so Parrot will have a simple
structure on which it runs.
Relation to Parrot
Development of the security sandbox for Parrot will reverse its largely
implicit contract nature by permitting a small set of allowed activities and
making anything outside that set impossible. As Parrot progresses in its
development added security is needed. Rather than building a completely new
security sandbox each time a new version of Parrot is released, new modules can
be created and implemented into the design of the core security sandbox. For
this project I will be working on the core of the sandbox which will mostly be
dependent on itself. Any interaction with Parrot will be the
permissions/restrictions.
Tools and Technologies Used
The tools for this project will include the normal parrot build system
and test suite. For this project I will not need to be create any specific
tools.
Delivered Results
The overall result we wish to achieve is a working security core
module. Deliverance includes core module and test for correct implementation
into parrot. Separate modules being implemented into core module for increased
security along with debugging test and documented design process.
Project Timeline
Before actual work on the project shall begin, I will find sources
resources related to ptrace, security context structures and example codes of
security sandboxing systems as a basis for my design.
May (Constructing the core)
Week 1 (5/21 – 5/27)
* Begin work on core design (interface)
o A structure to hold permission flags (maybe similar to
ptrace)
Week 2 (5/28 – 6/3)
* Work on interface. Communicating with Parrot.
o Continued construction of core. Begin implementation of
conditions and permissions flags.
June
Week 3 (6/4 – 6/10)
* Conditions and more permission flags that the structure will hold.
Week 4 (6/11 – 6/17) (Adding permissions/restrictions)
* Whitelist/blacklist file system restrictions for I/O operations
Week 5 (6/18 – 6/24)
* whitelist/blacklist paths for loading bytecode
o Sets framework for placing restrictions on other operations
Week 6 (6/25 – 7/1)
* Restrictions on bytecode libraries, language libraries
July
Week 7 (7/2 – 7/8)
* limiting access to parent interp data
Week 8 (7/9 – 7/15)
* Revisions and preparation of submission for mid-term evaluations of
project.
o (Have at least shell done with limitations started for
mid-term evaluations)
Week 9 (7/16 – 7/22)
* limited ability to modify environmental variable
Week 10 (7/23 – 7/29)
* limited ability to turn on debug and trace modes
Week 11 (7/30 – 8/5) (Implementation)
* limiting certain OS interactions
August
Week 12 (8/6 – 8/12)
* Begin work on sandbox call to feature from future privilege system.
Week 13 (8/13 – 8/19)
* Revision of project and related materials for preparation of
submission.
Week 14(8/20 – 8/24)
* Final submission of project and all related documents and test.
If at any time I am ahead of schedule I will begin work on the next phase
of the project at once. That way if there is time left over then we can begin
work on additional ideas.
Your Personal Schedule
This summer I will be working as a student worker for Temple
University. Most work days have a lot of down time which will be perfect for
reading and working on code. I do not work a lot of hours so work will not get
in the way of the project. I am taking a summer course during summer session I
which last up until the beginning of July, afterwards I will just be working
with the occasional trips to the beach for a day or so. No big vacation trips
have been planned for my summer, but if something comes up I will check and
modify my timeline accordingly to compensate for possible overnight vacation
time.
Allowances
Above all else the security sandbox shell will be created so future
features can be added. Making sure it correctly communicates with Parrot is
also part of the shell design. Highest priority is the construction of the
whitelist/blacklist for I/O operations and paths for bytecode (restrictions on
bytecode libraries and language libraries, etc…). The objective is to let
Parrot know what it can and cannot do to prevent errors. Limitations placed on
certain OS operations, debug and traces modes and modified environmental
variables can be omitted because the system ideally would only produce warnings
about those instantiations. Having parrot slowly transition from allowing all
operations to a strict set of rules followed by creation of limits on those
rules is the best course of action for such a short project.
Additional Ideas
Once the main objectives are complete we want to implement more
security modules into the core. Additional security features that can be
implemented are security modules design for the PL/Parrot project and
subclassing NameSpace. Limiting classes that can be instantiated is a big
aspect I want to add if possible. This will limit the effect of changes an
object would have on the rest of the system and allow the program to be less
responsible for other parts of the system. Limiting memory consumed if time
allows would work help parrot run more smoothly and would provide a challenge.
Student Information
My name is Justin Harper and I am a junior in the Electrical
Engineering Department at Temple University. Aside from programming classes
taken towards my degree, my coding experience is minimal. However, everyone has
to start somewhere and Google’s Summer of Code 2012 program is a great way to
start. The opportunity to learn techniques programmers use to solve challenging
problems and develop useful skills will allow me to further develop as both a
student and a future employee at a company. Being able to identify the
problem, developing a method to solve a particular problem and refining that
same method is the process I follow to achieve a particular goal. I preform
research on the topic at hand and often change my approach to gain a better
understanding of what needs to be done. Often I seek advice and the opinions of
those around me in case there is something I miss. Most of all I communicate
what needs to be done and what I plan on doing to those involved with whatever
I am working on.
_______________________________________________
http://lists.parrot.org/mailman/listinfo/parrot-dev
