Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re: How to answer "Perl is not secure" objections?

by zentara (Archbishop)
on Sep 06, 2007 at 20:17 UTC ( #637524=note: print w/replies, xml ) Need Help??

in reply to How to answer "Perl is not secure" objections?

because 'Perl has bindings into OS calls that bypass OS security'.

I would press him to prove that point. It sounds like he is on a weak OS (Windows :-) ), that uses "voluntary cooperation" to maintain security.

Maybe he is thinking of a "limited cgi runtime environment plugin" like Java has. I wish Perl could get a Browser plugin like Java's. That is about the only disadvantage that Perl has. I'm seeing alot of pages with dynamic graphing apps, using the Java Browser Plugin. Then again, a combination of a perl cgi and flash animation is about as good as Java's plugin.

I'm not really a human, but I play one on earth. Cogito ergo sum a bum
  • Comment on Re: How to answer "Perl is not secure" objections?

Replies are listed 'Best First'.
Re^2: How to answer "Perl is not secure" objections?
by mr_mischief (Monsignor) on Sep 06, 2007 at 20:56 UTC
    Java on the server side usually doesn't have the same kind of sandboxing as Java on the browser, so you have a good point but the comparison for server-side work may not hold. I've often wished I could use Perl on the user's browser rather than JavaScript, ActionScript, or HaXe. One thing that might be nice is if we could have a Perl to Flash compiler similar to what HaXe has.

    As for securing Perl more on the server, a perl with a small default @INC can be done easily enough. There are taint mode and to help with boxing in data and code. The installed modules could be kept minimal. Perl supports chroot (although only root can do that).

    It should be possible (I'm not saying 'easy') to run both Apache and perl (or Apache with mod_perl) chrooted in the first place if security is at such a high priority. That's a pretty language-independent way to help with security. Things such as ulimit and a good IDS help no matter the language, too.

    One thing to keep in mind is that the ability of the programmer to do something doesn't mean it's possible for the site's end user. Any system written in any language which does stupid things with end-user data poses a security risk, no matter the sandbox restrictions. XSS proves the server itself doesn't even have to be vulnerable to cause a security issue -- it can create a security issue for the user even if it is entirely protected.

      While we are on the subject, of a "Perl browser plugin" , like the in our browser's plugin directory; what has stopped the Perl developers from doing this? From my limited understanding, the java plugin is just a java interpreter with the functions which pose a security risk removed, leaving only simple computational and display functions, and which limits display in the parent's (browser's) allocated window.

      When I build Perl, I see the mini and micro Perl interpreters, which are limited versions. Would it be that hard to modify those to be a secure browser plugin? Then maybe add a chopped-down Tk or Gtk2 display engine to it? Now I wish I studied c in more depth. :-)

      I'm not really a human, but I play one on earth. Cogito ergo sum a bum
        Other than that very few people get paid to develop perl when compared to the JVM and Java JIT systems, I'm not sure what else would be preventing this. The P5P work very hard to improve the major targets for perl as it is, and I'm not sure that adding another target is on their radar. The Perl6 and Parrot hackers are busy doing their stuff, too. It'd likely need to be a dedicated port team tasked with building and maintaining such a beast.

        I'm not sure if Tk or Gtk2 would even be the best display technology, at least at first. That would target Flash and Silverlight pretty handily, though. What might be better at first is to interface to the JavaScript HTML and CSS DOM. Using Perl's strengths to manipulate the pages themselves could be really nice.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://637524]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (4)
As of 2018-02-19 14:57 GMT
Find Nodes?
    Voting Booth?
    When it is dark outside I am happiest to see ...

    Results (266 votes). Check out past polls.