Links

Ben Laurie blathering


Capabilities in Perl

A long time ago, I tried to extend Python to support capabilities. It didn’t work out well – it turns out that the Python interpreter isn’t well suited – by the time Python has been compiled it has lost too much information to enforce the confinement required by capabilities. Also, it seems the Python developers aren’t really interested in capabilities (nor all that interested in security, it seems, since the restricted execution mode is not maintained).

Anyway, much later I realised that modifying the interpreter wasn’t the way to go – what’s much better is to compile a modified version of the language into the standard language – that way proves to be much easier.

So, I did this for Perl, on the basis that if you can secure Perl you can surely secure anything. I’ve given a couple of talks about it, but so far haven’t released any code. I finally got off my arse and did the first release. Very poorly documented, I’m afraid, but there is at least a mailing list!

You can find CaPerl here.

5 Comments

  1. […] ideas. I’d love to be proven wrong. [23:57] | [computers/security] | # | TB | F | G | 0 Comments | You can subscribe to an RSS feed of the comments for thisblog: […]

    Pingback by Ted Leung on the air : Capabilities in Perl — 28 Nov 2005 @ 8:57

  2. The link on http://caperl.links.org/ is a 404, it should be http://caperl.links.org/caperl-0.0.tar.gz

    Comment by Leon Brocard — 28 Nov 2005 @ 10:10

  3. Thanks, I’ve fixed that now.

    Comment by ben — 28 Nov 2005 @ 10:29

  4. You might be interested to hear that Solaris 10 has perl support for the Least Privilege framework integrated into S10, see the following links:

    http://docs.sun.com/app/docs/doc/816-4557/6maosrjfj?a=view
    http://docs.sun.com/app/docs/doc/816-4863/6mb20lvf9?a=view
    http://docs.sun.com/app/docs/doc/816-5175/6mbba7f39?a=view
    http://docs.sun.com/app/docs/doc/816-5172/6mbb7buhd?a=view
    http://docs.sun.com/app/docs/doc/816-5172/6mbb7buvr?a=view

    Comment by Alan Burlison — 28 Nov 2005 @ 14:43

  5. “on the basis that if you can secure Perl you can surely secure anything”

    Wrong. There is PHP.

    Comment by Sasha Chorny — 15 Dec 2005 @ 13:05

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress