Showing content from https://mail.python.org/pipermail/python-dev/2005-June/054354.html below:

[Python-Dev] Question about PEP 330 -- Python Bytecode Verification

Raymond Hettinger raymond.hettinger at verizon.net
Sun Jun 19 08:50:54 CEST 2005
Do we have *any* known use cases where we would actually run bytecode
that was suspicious enough to warrant running a well-formedness check?

In assessing security risks, the PEP notes, "Practically, it would be
difficult for a malicious user to 'inject' invalid bytecode into a PVM
for the purposes of exploitation, but not impossible."

Can that ever occur without there being a far greater risk of malicious,
but well-formed bytecode?

If you download a file, foo.pyc, from an untrusted source and run it in
a susceptible environment, does its well-formedness give you *any*
feeling of security?  I think not.

There isn't anything wrong with having a verifier module, but I can't
think of any benefit that would warrant changing the bytecode semantics
just to facilitate one of the static stack checks.



Raymond
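
Added example, not part of the original message and not PEP 330's verifier: a constructed, compiler-generated `.pyc` passes a hypothetical structural check (`well_formed`), and its side effects still occur when it runs. All function names are assumptions, and the 16-byte header layout assumes CPython 3.7 or later.

```python
import dis
import importlib.util
import marshal

# Constructed stand-in for an untrusted foo.pyc: ordinary output of the
# compiler; the side effect is harmless here and is only recorded in EFFECTS.
SOURCE = """\
import os
for n in range(3):
    if n and callable(os.remove):
        EFFECTS.append('could call os.remove, pass %d' % n)
"""


def build_pyc(source):
    """Return pyc bytes: 16-byte header (magic + 12 zero bytes) + marshalled code."""
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12
    return header + marshal.dumps(compile(source, "foo.py", "exec"))


def well_formed(code):
    """Hypothetical structural check: every opcode is known and every jump
    lands on an instruction boundary, recursing into nested code objects."""
    instructions = list(dis.get_instructions(code))
    starts = {ins.offset for ins in instructions}
    known = set(dis.opmap.values())
    jumps = set(dis.hasjrel) | set(dis.hasjabs)
    for ins in instructions:
        if ins.opcode not in known:
            return False
        if ins.opcode in jumps and ins.argval not in starts:
            return False
    nested = [c for c in code.co_consts if hasattr(c, "co_code")]
    return all(well_formed(c) for c in nested)


def verify_then_run(pyc_bytes):
    """Check structure, then execute; return (passed_check, observed_effects)."""
    code = marshal.loads(pyc_bytes[16:])
    effects = []
    passed = well_formed(code)
    if passed:
        exec(code, {"EFFECTS": effects})
    return passed, effects


if __name__ == "__main__":
    print(verify_then_run(build_pyc(SOURCE)))
```

The check constrains the shape of the instruction stream only; what the instructions do is decided by whoever produced the file.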
