[pypy-svn] r47120 - pypy/dist/pypy/doc

arigo at codespeak.net
Wed Oct 3 19:58:46 CEST 2007


Author: arigo
Date: Wed Oct  3 19:58:46 2007
New Revision: 47120

Modified:
   pypy/dist/pypy/doc/sandbox.txt
Log:
Extra introduction, taken from the upcoming pypy-dev e-mail.


Modified: pypy/dist/pypy/doc/sandbox.txt
==============================================================================
--- pypy/dist/pypy/doc/sandbox.txt	(original)
+++ pypy/dist/pypy/doc/sandbox.txt	Wed Oct  3 19:58:46 2007
@@ -1,6 +1,31 @@
 PyPy's sandboxing features
 ==========================
 
+Introduction
+------------
+
+It is possible to compile a version of pypy-c that runs
+fully "virtualized", i.e. where an external process controls all
+input/output.  Such a pypy-c is a secure sandbox: it is safe to run
+any untrusted Python code with it.  The Python code cannot see or
+modify any local file except via interaction with the external
+process.  It is also impossible to do any other I/O or consume more
+than some amount of RAM or CPU time or real time.  This works with no
+OS support at all - just ANSI C code generated in a careful way.  It's
+the kind of thing you could embed in a browser plug-in, for example
+(it would be safe even if it wasn't run as a separate process,
+actually).
+
+For comparison, trying to plug CPython into a special virtualizing C
+library is not only OS-specific, but unsafe, because one of the known
+ways to segfault CPython could be used by an attacker to trick CPython
+into issuing malicious system calls directly.  The C code generated by
+PyPy is not segfaultable, as long as our code generators are correct -
+that's a lower number of lines of code to trust.  For the paranoid, in
+this case we also generate systematic run-time checks against buffer
+overflows.
+
+
 Overview
 --------
 
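Review bot: The security claims in the new Introduction are stated more strongly than the surrounding text supports, and the trust assumptions should be spelled out. "Such a pypy-c is a secure sandbox: it is safe to run any untrusted Python code with it" and "It is also impossible to do any other I/O or consume more than some amount of RAM or CPU time or real time" say nothing about who enforces the limits; since the preceding sentence says "an external process controls all input/output", it would help to state that the RAM, CPU and real-time limits are likewise the responsibility of that controlling process, and that correctness of the sandbox depends on it. The parenthetical "(it would be safe even if it wasn't run as a separate process, actually)" sits uneasily with the model just described and should either be qualified or dropped. The second paragraph already names one trust boundary ("as long as our code generators are correct"); consider listing the full set in one place (the code generators, the C compiler, and the external process) so a reader can judge "a lower number of lines of code to trust". Finally, "For the paranoid, in this case we also generate systematic run-time checks against buffer overflows" does not say whether this is on by default or how it is enabled; a pointer to the relevant translation option or section of this document would make it actionable.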


