To Do

Import in Python

Semantic Completeness

• Add support for __all__
  

• What to do when bytecode bad in .pyc but timestamp and magic number valid?
• No source code?
  
• When source code is present?
• Frozen module package support.
• Case-insensitive filesystems.
• Import lock.
• Add tests for None redirection in Import.import_module().
  
• Tests probably failing because of new 'import'
• test_builtin
• test_bsddb
• bsddb.dbutils import of db is matching to bsddb.__init__ instead of bsddb.db
• When doing a relative import with a name lacking a dot, return that name and not the module up to the first dot of the absolute name.
  
• test_ctypes
• Assumption made about what a loader will have.
  
• test_frozen
• test_import
• Raise ImportWarning when trying to import a directory that does not define __init__.py.
• For some reason reloading is not raising an exception as expected in test_failing_reload.
  
• test_importhooks
• 
  
• test_pkg
• test_runpy
• test_sax
• test_shelve
• test_traceback
• test_xml_etree
• test_xml_etree_c
• test_zipimport
  

Bootstrapping

Is it a reasonable possibility to skip the pure bootstrapping issue initially for time reasons in order to meet security needs?  That would alleviate any time pressure for publication if bootstrapping turns out to be more difficult than expected.  Doing an impure bootstrapping could go as follows in an embedded situation:

1. Create interpreter.
2. Import new 'import' using existing import machinery.
   
3. Replace __import__ with new 'import' (properly protected, of course).
• Do as soon as possible to minimize possible security holes.
  
4. Sanitize 'sys'
• Empty out 'modules'
• Does __builtins__ really need to stay or is that a restricted execution thing?
• Clear out 'path_importer_cache'.
5. Begin using interpreter.

The question is whether this is secure enough.  Will the C-level code cause a problem by circumventing the new 'import' and using the old 'import'?

For complete bootstrapping and replacement of the old 'import', the issues/steps are:

• Fix import dependencies.
• Locally defined code OK.
• Code that requires C code to import is OK.
• Built-in modules.
• Extension modules.
• Frozen modules?
  
• Rip out old import.
• Find and import 'import' code.
• Storing 'import' code
  
• Hard code location of 'import'?
• Turn into frozen module?
• Store bytecode in C char array?
• Inject dependent modules into globals of 'import'.
  
• Support C API.
  

Secure embedded Python interpreter

• Verify nothing missing from todo list by checking against securing_python.txt .
  
• Protect import.
• Simple proxy that only allows access to __call__ method?
• Don't use __import__ in built-ins but store import object in 'sys'?
• Hide paths (__file__, etc.)?
• Sandbox Python.
1. Protect 'import'.
• Pure bootstrap solution where old 'import' does not exist.
• Impure bootstrap as outlined above in Bootstrapping'.
  
2. Sanitize 'sys'
• 'path'
• 'path_importer_cache'
• 'modules'
• 'stdin', 'stdout', 'stderr'
3. Sanitize built-ins.
• 'open'
• 'execfile'
• Already sanitized
• 'file'
• 'code'
• '__import__'
  
• API
• Variation of Py_NewInterpreter() that has extra support for specifying whitelist of dangerous modules.

• Rip out restricted execution code.
• Example app.
• Embeds Python.
• Command-line arguments to specify security options.
• Executes specified Python code.

Call For Papers

Conferences

• USENIX Security 2008
• TBA
• 2007 CFP was due by February 1, 2007.
  
• ACM CCS 2007
• May 1, 2007
• IEEE Symposium on Security and Privacy   2008
• TBA
• 2007 CFP was November 10, 2006.
  

Things needed for a paper

• Use cases
• Blender
• OLPC
• ??? (ask at PyCon)