[pypy-dev] pypy-dev at codespeak.net

Armin Rigo arigo at tunes.org
Tue Sep 25 11:03:11 CEST 2007


Hi Simon,

On Wed, Sep 19, 2007 at 01:36:43PM -0700, Simon Burton wrote:
> > It's "sandboxing" as in "full virtualization", but done in normal C with
> > no OS support at all. (...)
> 
> How is this different to just linking against a libc wrapper (that does 
> whatever marshal magic is required) ?

The result is similar; what differs is how we arrive there, and the
level of confidence I'd have in the security of the result.

In the case of PyPy the wrapping is done automatically and in a
platform-independent way; contrast this with the need for the designers
of the libc wrapper to carefully close all possible ways the C program
could invoke the system and carefully review the result, which is
error-prone and platform-specific.

More importantly for the user, in the PyPy approach the C code is not
random C code, but was generated from RPython.  This (together with
extra run-time assertions that the translation toolchain can insert for
the paranoid) means that buffer overflow or memory management attacks
should not be possible.  This means that there is no need to review the
source code of the whole PyPy interpreter for security issues.  By
contrast, if you take say CPython and put it inside a libc wrapper, the
result is not safe because CPython itself is open to attacks (e.g.
memory management issues where carefully crafted app-level Python code
could force CPython to execute arbitrary machine code - including system
calls bypassing the libc wrapper).


A bientot,

Armin.
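The "marshal magic" the exchange above alludes to, sketched as an added example that is neither PyPy's own sandbox code nor anything posted on the list: the sandboxed side sends every external call as a marshalled request over a pipe, and the trusted controller answers only from a default-deny policy and a read-only virtual filesystem. The framing, the `Controller` class and the virtual-file policy are assumptions made for this illustration, not PyPy's actual wire format; the request stream is constructed in `run_demo` to stand in for what a sandboxed process would emit.

```python
import io
import marshal
import struct

# Constructed wire format (an assumption, not PyPy's protocol): each message is a
# 4-byte big-endian length followed by marshal.dumps(payload). The sandboxed side
# sends (name, args); the controller replies ("ok", value) or ("error", message).
# Note: marshal is not hardened against maliciously built data, so a production
# controller would use a stricter decoder than marshal.loads on untrusted input.


def pack(payload):
    body = marshal.dumps(payload)
    return struct.pack(">I", len(body)) + body


def unpack(stream):
    """Read one framed message from a binary stream; None at end of stream."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack(">I", header)
    return marshal.loads(stream.read(length))


class Controller:
    """Trusted side: the sandboxed process never touches the OS itself, so every
    call lands here, is checked against a default-deny policy, and is served
    from an in-memory read-only virtual filesystem."""

    def __init__(self, virtual_files):
        self.virtual_files = dict(virtual_files)  # virtual path -> bytes
        self.fds = {}                             # fd -> [path, offset]
        self.next_fd = 3
        self.stdout = bytearray()                 # what the sandbox "printed"
        self.log = []                             # every request, allowed or not

    def handle(self, request):
        try:
            name, args = request
            self.log.append((name, args))
            handler = getattr(self, "do_" + name, None) if isinstance(name, str) else None
            if handler is None:                   # default deny: unlisted call
                return ("error", "call not permitted: %s" % (name,))
            return ("ok", handler(*args))
        except Exception as e:                    # policy violation or bad arguments
            return ("error", str(e))

    def do_open(self, path, mode):
        if mode != "r":
            raise PermissionError("virtual filesystem is read-only")
        if path not in self.virtual_files:        # exact match: no host paths, no traversal
            raise FileNotFoundError("no such virtual file: %s" % path)
        fd = self.next_fd
        self.next_fd += 1
        self.fds[fd] = [path, 0]
        return fd

    def do_read(self, fd, n):
        path, off = self.fds[fd]
        data = self.virtual_files[path][off:off + n]
        self.fds[fd][1] = off + len(data)
        return data

    def do_write(self, fd, data):
        if fd != 1:
            raise PermissionError("only stdout may be written")
        self.stdout += data
        return len(data)

    def do_close(self, fd):
        del self.fds[fd]
        return 0


def serve(controller, inbound, outbound):
    """Answer every framed request on `inbound`, writing framed replies to
    `outbound`; the reply payloads are also returned for inspection."""
    replies = []
    while True:
        request = unpack(inbound)
        if request is None:
            break
        reply = controller.handle(request)
        outbound.write(pack(reply))
        replies.append(reply)
    return replies


def run_demo():
    ctl = Controller({"/virt/greeting.txt": b"hello from the virtual fs\n"})
    # Constructed request stream standing in for a sandboxed process's output.
    requests = [
        ("open", ["/virt/greeting.txt", "r"]),
        ("read", [3, 1024]),
        ("write", [1, b"hello from the virtual fs\n"]),
        ("close", [3]),
        ("open", ["/etc/passwd", "r"]),          # host path: not in the virtual fs
        ("open", ["/virt/greeting.txt", "w"]),   # write attempt on a read-only fs
        ("system", ["id"]),                      # not in the policy at all
    ]
    inbound = io.BytesIO(b"".join(pack(r) for r in requests))
    replies = serve(ctl, inbound, io.BytesIO())
    return ctl, replies
```

The point Armin makes about confidence shows up in where the checking lives: the policy is a few dozen lines on the trusted side, reviewable on its own, rather than a property that every line of the untrusted program has to uphold.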


