Preskoči na glavno vsebino

Digitally signed Rye scripts and live code/data

Code signing was on my mind for a long time. Any security related question is no panacea, but with careful consideration I think this can bring some benefits for multiple scenarios.

Scripting languages basically run whatever code you point them to. In server scenario there is an obvious vector of attack where attacker uploads a malicious script and calls it or injects malicious code into your script files.

Programs on the client could have a need for this too. When an update comes, it helps if the code won't run if it was not signed by the same developer.

This doesn't work just for scripts. With Rye's "code is data" we also have live code. Live code (sometimes of a specific limited dialect or in specific limited context) can come over the wire or data can come over the vire and it could benefit from being digitally signed. You can see example of this in my blogpost about mobile code.

Storing/retrieving data could also benefit, for example to prevent manual change, to verify you can trust the origin of data.

Team of developers cooperating could maybe benefit ...?

The main question is what prevents the attacker to change the public keys that the runtime trusts, or the runtime altogether. I believe this will need to be thought about very carefully on per scenario basis, but there are some options.

Anyway ... this is the first step in this direction ...

Rye is on github.

Komentarji

Objavite komentar

Priljubljene objave iz tega spletnega dnevnika

Ryelang - controlled file serving example and comparison to Python

This is as anecdotal as it gets, but basic HTTP serving functions in Rye seem to be working quite OK. They do directly use the extremely solid Go 's HTTP functions, so that should be somewhat expected. I made a ryelang.org web-server with few lines of Rye code 3 months ago and the process was running ever since and served more than 30.000 pages. If not else, it  seems there are no inherent memory leaks in Rye interpreter. Those would probably show up in a 3 month long running process? And now I got another simple project. I needed to make a HTTP API for some mobile app. API should accept a key, and return / download a binary file in response if the key is correct. Otherwise it should return a HTTP error. So I strapped in and created Rye code below. I think I only needed to add generic methods stat and size? , all other were already implemented, which is a good sign. Of course, we are in an age of ChatGPT, so I used it to generate the equivalent  Python code. It used the ele...
Objavite komentar
Preberite več

Receiving emails with Go's smtpd and Rye

This goes a while back. At some project for user support, we needed to receive emails and save them to appropriate databases. The best option back in the day seemed project Lamson . And it worked well ever since. It was written in Python by then quite known programmer Zed Shaw. It worked like a Python based SMTP server, that called your handlers when emails arrived. It was sort of Ruby on Rails for email. We were using this ever since. Now our system needs to be improved, there are still some emails or attachments that don't get parsed correctly. That isn't the problem of Lamson, but of our code that parses the emails. But Lamson development has been passive for more than 10 years. And I am already moving smaller utilities to Rye.  Rye uses Go, and Go has this nice library smtpd , which seems like made for this task. I integrated it and parsemail into Rye and tested it in the Rye console first. Interesting function here is enter-console , that can put you into Rye console any...
Objavite komentar
Preberite več

Go's concurrency in a dynamic language Rye

  The Rye programming language is a dynamic scripting language based on REBOL’s ideas, taking inspiration from the Factor language and Unix shell. Rye is written in Go and inherits Go’s concurrency capabilities, including goroutines and channels. Recently, Rye gained support for Go’s select and waitgroups. Building blocks Goroutines Goroutines are lightweight threads of execution that are managed by the Go/Rye runtime. They operate independently, allowing multiple tasks to run concurrently without blocking each other. Creating a Goroutine in Rye is straightforward. The go keyword is used to launch a new Goroutine, followed by the Rye function to be executed concurrently. For instance, the following code snippet creates and starts a Goroutine that prints a message after a delay: ; # Hello Goroutine print "Starting Goroutine" go does { ; does creates a function without arguments sleep 1000 print "Hello from Goroutine!" } print "Sleepi...
Objavite komentar
Preberite več