Python jail: whitelist vs blacklist
Hi, Today it's clear that tav's jail is broken. Many hackers proved how to break it. Fixing each hole is maybe not the good solution. IMHO the problem is that tav choosed the blacklist approach: hide some "evil" attributes/functions and hope that the other are safe... which is wrong (eg. evil compile(), reload(), isinstance(), str !!!, TypeError, ...). A better approach would be to create a new world (namespace) from an empty namespace and then add our "secure" functions/types using strong validations (using a whitelist instead of a blacklist). Examples: - why compile() was still available? - why __builtins__ is modifiable? - why __class__ is readable? We should built an empty world and then add functions, types, attributes one by one until we can display an hello world ;-) -- This approach was implemented in PyPy using two interpreters. In CPython, we may use proxies on anything to check all operations. jail -- validations --> real world jail <-- proxy objects -- real world tav's jail might be converted to the whitelist approach: - add proxy to __builtins__ - add proxy to globals() - add proxy to dir() - ... well, add proxies to anything going to the jail ;-) and make sure that a proxy can not be modified by itself or read private attributes My approach is maybe naive and imposible to implement :-) -- Victor Stinner aka haypo http://www.haypocalc.com/blog/
Victor Stinner wrote:
My approach is maybe naive and imposible to implement :-)
It actually goes back to some of the stuff Brett Cannon was working on in his object capabilities branch. However, one of the key building blocks turned out to be an easier to tailor import system, so the project was kind of taken over by Brett's work on importlib. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia ---------------------------------------------------------------
Hey Victor,
Today it's clear that tav's jail is broken.
Forgive me as I'm sleep deprived, but no =)
Many hackers proved how to break it. Fixing each hole is maybe not the good solution.
The aim of this challenge has been to: 1. Validate the functions-based approach 2. Verify if the proposed set of new attribute RESTRICTIONs are enough As such, it has been important to ensure that we have as large an attack surface as possible. And given how trivial it has been to fix the bugs, the functions-based approach seems to be holding up =) And as for the attributes needing to be restricted, we've discovered that we need to restrict the f_* attributes of frameobject along with the initial type.__subclasses__, gi_code and gi_frame.
A better approach would be to create a new world (namespace) from an empty namespace and then add our "secure" functions/types using strong validations (using a whitelist instead of a blacklist).
Sure -- you are absolutely right about using a whitelist approach. safelite.py is just for the challenge... to demonstrate that the functions-based approach could possibly lead to securing the Python interpreter and to verify that we've restricted the necessary attributes. Once the patch gets accepted, we can start creating a fresh world built up from an object capability base =)
In CPython, we may use proxies on anything to check all operations. jail -- validations --> real world jail <-- proxy objects -- real world
Ehm, I'd strongly discourage any approaches using proxies. The performance penalties will just be insane. If you really want one though -- check out Zope proxy. It already implements this quite well and you can use it today! =) -- love, tav plex:espians/tav | tav@espians.com | +44 (0) 7809 569 369 http://tav.espians.com | http://twitter.com/tav | skype:tavespian
On Tue, Feb 24, 2009 at 6:18 AM, tav <tav@espians.com> wrote:
Ehm, I'd strongly discourage any approaches using proxies. The performance penalties will just be insane.
And yet your FileReader is essentially a proxy?! -- --Guido van Rossum (home page: http://www.python.org/~guido/)
Victor Stinner wrote:
This approach was implemented in PyPy using two interpreters.
In CPython, we may use proxies on anything to check all operations. jail -- validations --> real world jail <-- proxy objects -- real world
tav's jail might be converted to the whitelist approach: - add proxy to __builtins__ - add proxy to globals() - add proxy to dir() - ... well, add proxies to anything going to the jail ;-) and make sure that a proxy can not be modified by itself or read private attributes
My approach is maybe naive and imposible to implement :-)
Something similar to your approach is already implemented in Zope 3's security system. Have a look at http://svn.zope.org/zope.security/trunk/src/zope/security/ Christian
participants (5)
-
Christian Heimes -
Guido van Rossum -
Nick Coghlan -
tav -
Victor Stinner