[pypy-dev] Running untrusted code in pypy

Carl Friedrich Bolz cfbolz at gmx.de
Mon Feb 19 18:51:14 CET 2007


Hi Vineet!

Vinj Vinj wrote:
 >> PyPy does not (currently) aim at offering cpu/mem
 >> restrictions, but you could use virtual hosts (XEN
 >> or vserver)
 >> for that, both offer such restriction settings.
 >> PyPy itself
 >> may help with the Taint Object Space:
 >>
 > Unfortunately, for my use cases, using virtual hosts
 > will not work. All the user models work on time series
 > price data. This data can get very large and has to be
 > shared by all user models. It is not practical for
 > each vmware client to have its own copy of user data.
 > With lua, I'm able to share this time series with all
 > user models and still ensure that all the models are
 > run securely.

How is the data shared? Using files or somehow differently?

 >> obviously all depends a bit on concrete use cases
 >> and intentions).
 >>
 > Among many things, will I be able to restrict the user
 > from doing:
 >
 > 1. a = []*10000000000000000000000000

Already CPython notices that this will use too much memory. But yes, in
PyPy you could impose an upper limit on memory used, by using our
custom mark-and-sweep garbage collector. This collector collects quite a
bit of information while it is running, especially how much non-dead memory
is used currently. This would make it possible to impose a hard limit there.

 > 2. a = 23**3294832098980989898

Doable, but harder (and I guess you mean this in a more general way than
just checking during long computations). You would need a transformation
that inserts checks into the PyPy graphs to see whether something is
running too long without ever reaching the interpreter main loop. You
might be better served with having the program run with a timeout.

 > 3. disable recursive calls

You could fix the recursion limit.

 > 4. writing while loops which never end

You could limit the maximum number of bytecode instructions executed.
Again, a timeout might be the better solution.

 > 5. etc.

Another thing I can see there is accessing the file system in malicious
ways. Can be fixed on the OS level, I guess. You could not include
things like socket into your PyPy interpreter executable.


 > I'm trying to get a feel for whether this kind of
 > thing would be (in the future) possible with pypy.

As Holger said, it depends very much on what exactly you want. In PyPy
usually many things are possible and you have to choose the right
possibilities.

 > With cPython, I've been told that it is just not going
 > to be possible. Which is why, I moved to lua for user
 > models. I would much rather use python so that I don't
 > have to maintain the python-lua bridge.

Do you know about lunatic Python?  http://labix.org/lunatic-python

Cheers,

Carl Friedrich
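The bytecode-instruction budget and recursion limit discussed in this thread, shown as an added CPython example (not PyPy, and not code from the original mail), using sys.settrace opcode events to count instructions and call events to bound call depth. The names run_limited and BudgetExceeded and the tiny builtins allow-list are assumptions for the demo; because the guest code can catch the exception and tracing is switched off once the tracer raises, this is a cooperative guard, not the hard limit the mail says only the interpreter (PyPy's inserted checks) or the OS can provide.

```python
import sys


class BudgetExceeded(Exception):
    """Raised inside the guest code when a budget is exhausted."""


def run_limited(source, max_opcodes, max_depth, builtins=None):
    """Execute untrusted `source` under an opcode budget and a call-depth budget.

    Returns (status, opcodes_executed), where status is one of
    "ok", "opcode-budget", "depth-budget" or "error".
    The builtins allow-list is a constructed placeholder, not a full sandbox.
    """
    code = compile(source, "<untrusted>", "exec")
    state = {"opcodes": 0, "depth": 0, "status": "ok"}

    def tracer(frame, event, arg):
        if event == "call":
            frame.f_trace_opcodes = True        # request per-opcode events (3.7+)
            state["depth"] += 1                 # one level per Python-level call
            if state["depth"] > max_depth:
                state["status"] = "depth-budget"
                raise BudgetExceeded("call depth")
        elif event == "return":
            state["depth"] -= 1
        elif event == "opcode":
            state["opcodes"] += 1               # one event per bytecode executed
            if state["opcodes"] > max_opcodes:
                state["status"] = "opcode-budget"
                raise BudgetExceeded("opcodes")
        return tracer

    env = {"__builtins__": builtins or {"range": range, "len": len}}
    previous = sys.gettrace()                   # restore any outer tracer later
    sys.settrace(tracer)
    try:
        exec(code, env)
    except BudgetExceeded:
        pass                                    # status already recorded
    except Exception:
        if state["status"] == "ok":
            state["status"] = "error"           # guest raised on its own
    finally:
        sys.settrace(previous)                  # never leave the tracer armed
    return state["status"], state["opcodes"]
```

The status is taken from the recorded state rather than from which exception escaped, so a guest that swallows BudgetExceeded is still reported as over budget once it returns.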
