[openvas-discuss] Future enhancements: plugins in perl??
oxdeadbeef at pit-of-despair.com
Wed Nov 23 18:06:31 CET 2005
On Wed, 23 Nov 2005, Jan-Oliver Wagner wrote:
> On Wed, Nov 23, 2005 at 12:35:20AM -0500, oxdeadbeef <oxdeadbeef at pit-of-despair.com> wrote:
>> On Tue, 22 Nov 2005, stripes wrote:
>>> On Wed, Nov 23, 2005 at 04:14:53AM +0100, Jan-Oliver Wagner wrote:
>>> I agree, something like SecurePerl (stripped down for
>>> security purposes) would be very cool.
>> I don't see the point of actually stripping it down. That then would limit
>> the use of the language. The application is testing for security
>> vulnerabilities by *any* means. Sure, certain places in the core *have* to
>> be secure code. But limiting a language would just defeat the
>> purpose of using it in the first place. NASL is limited and lacks a lot of
>> functionality, but yet it still can be used maliciously.
> The plugin scripts should have a stripped environment.
> The Server of course not.
> The example I am having in mind is Zope - they solved
> this quite nicely.
Just out of curiosity... what would you strip out?
Yes I can see in a web application such as Zope that you have a restricted
environment. But, in a security *testing* application you want the ability
to run everything and anything to emulate an attack. If you strip a
language then you are just stuck with NASL all over again. The whole point
of allowing for language X embedding is to enhance the features and not
give you the same limited functionality of the current (i.e. NASL) with just
a syntax change.
I totally agree that there is a time and place for having restricted
environments. I am not sure if in this instance it is necessary. Even
in today's NASL world, there are malicious scripts. There is no getting
But, as was stated in subsequent emails. I don't believe we can rid
ourselves of NASL. We just have to all get along =)
Flamewars... hehe. I have been through too many flamewars. They are
pointless.. and I personally don't want to get into them.
Besides, I never leave the house without my flame retardant undies ;)
> Best
>
> Jan
> --
> Jan-Oliver Wagner: www.intevation.de/~jan | GISpatcher: www.gispatcher.de
> Kolab Konsortium : www.kolab-konsortium.de | Thuban : thuban.intevation.org
> Intevation GmbH : www.intevation.de | Kolab : www.kolab.org
> FreeGIS : www.freegis.org | GAV : www.grass-verein.de