[openvas-discuss] Future enhancements: plugins in perl??

oxdeadbeef <oxdeadbeef@pit-of-despair.com> oxdeadbeef at pit-of-despair.com
Wed Nov 23 06:35:20 CET 2005



On Tue, 22 Nov 2005, stripes wrote:

> On Wed, Nov 23, 2005 at 04:14:53AM +0100, Jan-Oliver Wagner wrote:
>> I saw that on http://www.openvas.org/doku.php?id=future_enhancements
>> it is listed that NASL is to be replaced by perl.
>
> Yay!
>
>> First I think that replacing NASL by a 'real' programming
>> language (hopefully stripped down for security aspects)
>> is a good idea but really far ahead.
>
> I agree, something like SecurePerl (stripped down for
> security purposes) would be very cool.

I don't see the point of actually stripping it down. That then would limit 
the use of the language. The application is testing for security 
vulnerabilities by *any* means. Sure, certain places in the core *have* to 
be secure code. But limiting a language would just defeat the 
purpose of using it in the first place. NASL is limited and lacks a lot of 
functionality, but yet it still can be used maliciously.

>
>> Before you don't have a proven sustainable plugin development
>> framework (where some companies earn enough money),
>> it does not make sense to switch to something else than NASL.
>> (There would be huge reimplementation and QA efforts without
>> real advance for the security auditors)
>
> Point taken; I'm sure this wouldn't be a small project by one
> person.

It is not a small project. But there are good examples about embedding it. 
Take the irssi project for example.

>
>> Next, I think perl is not the best choice ;-)
>> Since it is far in the future anyway, I suggest
>> to say that "a suitable programming language" is
>> to be taken. Maybe you can find some general criteria for
>> this language.
>
> Ok, why not Perl? What would you suggest and why? You could
> probably get a religious argument over it, but if you're going
> to strip it down for security purposes anyway, what would be the
> problem with using Perl?

Yeah what she said...  Why not perl ?!?!? hehe

Sad to say, I have also used SpiderMonkey (JavaScript) heavily. And it is an 
easily embedded language, fast, and as secure as you make it.



 			--jason


>
> -Anne
> --
> Hacker Barbie!  Complete with laptop, tools  (\`--/') _ _______ .-r-.
> tools, and cables. Includes a free tiny       >.~.\ `` ` `,`,`. ,'_'~`.
> stack of usernames and passwords!            (v_," ; `,-\ ; : ; \/,-~) \
> stripes at tigerlair dot com                  `--'_..),-/ ' ' '_.>-' )`.`.__.')
> stripes at brickbox dot com                  ((,((,__..'~~~~~~((,__..'  `-..-'fL


