[pypy-svn] r47120 - pypy/dist/pypy/doc
arigo at codespeak.net
Wed Oct 3 19:58:46 CEST 2007
Author: arigo
Date: Wed Oct 3 19:58:46 2007
New Revision: 47120
Modified:
pypy/dist/pypy/doc/sandbox.txt
Log:
Extra introduction, taken from the upcoming pypy-dev e-mail.
Modified: pypy/dist/pypy/doc/sandbox.txt
==============================================================================
--- pypy/dist/pypy/doc/sandbox.txt (original)
+++ pypy/dist/pypy/doc/sandbox.txt Wed Oct 3 19:58:46 2007
@@ -1,6 +1,31 @@
PyPy's sandboxing features
==========================
+Introduction
+------------
+
+It is possible to compile a version of pypy-c that runs
+fully "virtualized", i.e. where an external process controls all
+input/output. Such a pypy-c is a secure sandbox: it is safe to run
+any untrusted Python code with it. The Python code cannot see or
+modify any local file except via interaction with the external
+process. It is also impossible to do any other I/O or consume more
+than some amount of RAM or CPU time or real time. This works with no
+OS support at all - just ANSI C code generated in a careful way. It's
+the kind of thing you could embed in a browser plug-in, for example
+(it would be safe even if it wasn't run as a separate process,
+actually).
+
+For comparison, trying to plug CPython into a special virtualizing C
+library is not only OS-specific, but unsafe, because one of the known
+ways to segfault CPython could be used by an attacker to trick CPython
+into issuing malicious system calls directly. The C code generated by
+PyPy is not segfaultable, as long as our code generators are correct -
+that's a lower number of lines of code to trust. For the paranoid, in
+this case we also generate systematic run-time checks against buffer
+overflows.
+
+
Overview
--------
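Review bot: the new Introduction states that sandboxed code cannot "consume more than some amount of RAM or CPU time or real time" but never says who enforces those limits; since the same paragraph attributes all safety to the "external process" that "controls all input/output", say explicitly that memory, CPU and wall-clock limits are the controlling process's responsibility (or name the mechanism), so readers do not assume the generated ANSI C enforces them by itself. Also, the parenthetical "it would be safe even if it wasn't run as a separate process, actually" is a stronger claim than the "as long as our code generators are correct" caveat in the following paragraph supports; either qualify it the same way or drop it.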