[openvas-discuss] Future enhancements: plugins in perl??

oxdeadbeef <oxdeadbeef at pit-of-despair.com>
Wed Nov 23 18:06:31 CET 2005



On Wed, 23 Nov 2005, Jan-Oliver Wagner wrote:

> On Wed, Nov 23, 2005 at 12:35:20AM -0500, oxdeadbeef <oxdeadbeef at pit-of-despair.com> wrote:
>> On Tue, 22 Nov 2005, stripes wrote:
>>> On Wed, Nov 23, 2005 at 04:14:53AM +0100, Jan-Oliver Wagner wrote:
>>> I agree, something like SecurePerl (stripped down for
>>> security purposes) would be very cool.
>>
>> I don't see the point of actually stripping it down. That then would limit
>> the use of the language. The application is testing for security
>> vulnerabilities by *any* means. Sure, certain places in the core *have* to
>> be secure code. But limiting a language would just defeat the
>> purpose of using it in the first place. NASL is limited and lacks a lot of
>> functionality, but yet it still can be used maliciously.
>
> the plugin scripts should have a stripped environment.
> The Server of course not.
> The example I am having in mind is Zope - they solved
> this quite nicely.

Just out of curiosity... what would you strip out?

Yes, I can see in a web application such as Zope that you have a restricted
environment. But, in a security *testing* application you want the ability
to run everything and anything to emulate an attack. If you strip a
language then you are just stuck with NASL all over again. The whole point
of allowing for language X embedding is to enhance the features and not
give you the same limited functionality of the current (i.e. NASL) with just
a syntax change.

I totally agree that there is a time and place for having restricted
environments. I am not sure if it is necessary in this instance. Even
in today's NASL world, there are malicious scripts. There is no getting
around that.

But, as was stated in subsequent emails, I don't believe we can rid
ourselves of NASL. We just have to all get along =)




cheers

 		--jason


Flamewars... hehe. I have been through too many flamewars. They are
pointless... and I personally don't want to get into them.

Besides, I never leave the house without my flame retardant undies  ;)




> Best
>
> 	Jan
> --
> Jan-Oliver Wagner: www.intevation.de/~jan  | GISpatcher: www.gispatcher.de
> Kolab Konsortium : www.kolab-konsortium.de | Thuban    : thuban.intevation.org
> Intevation GmbH  : www.intevation.de       | Kolab     : www.kolab.org
> FreeGIS          : www.freegis.org         | GAV       : www.grass-verein.de