[Python-Dev] Restricted execution: what's the threat model?

Brett Cannon brett at python.org
Thu Jul 13 00:58:50 CEST 2006

On 7/12/06, Jim Jewett <jimjjewett at gmail.com> wrote:
> Ka-Ping Yee writes:
> >   A.  The interpreter will not crash no matter what Python code
> >       it is given to execute.
> Why?
> We don't want it to crash the embedding app (which might be another
> python interpreter), but if the sandboxed interpreter itself crashes,
> is that so bad?  The embedding app should just act as though that
> interpreter exited, possibly with a status code.

As Bob said, "crash" means segfaulting the Python proceess.  Can't exactly
save yourself from that one easily.  =)

>  B.  Python programs running in different interpreters embedded
> >       in the same process cannot communicate with each other.
> Why not?  Can't eavesdrop, yes.   Can't force a connection, so that
> the other interpreter is free to ignore them.  Maybe even make it
> lockable, like sockets -- but it isn't something worth promising.

>From an initial design point it is.  It is an assumption I want to be able
to make about the design.  If we can come up with a reasonable way for it to
work, great.  But to begin with, I am assuming objects created within an
interpreter will not be passed into another one.

>   C.  Python programs running in different interpreters embedded
> >       in the same process cannot access each other's Python objects.
> Note that Brett's assumption of shared extension modules violates this
> -- but I'm not sure why he needs to assume that.  (Because of the
> init-only-once semantics, I'm not even sure it is a good idea to share
> them.)

Security reasons.  If I can get  a Python object in other interpreter with
more rights to do something for me I have a serious problem.

Do realize that things assumed might have to be made true as much as
possible.  And in my Threat Model list, I have the caveat that C extension
modules are exempt from this.

>   D.  A given piece of Python code cannot access or communicate
> >       with certain Python objects in the same interpreter.
> Why not?  Is this just a way of allowing lightweight subinterpreters?
> Or do you really mean that they can't replace or modify certain
> objects, such as the permission-controlling code?

This one is not in my Threat Model.

>   E.  A given piece of Python code can access only a limited set
> >       of Python objects in the same interpreter.
> Does this include objects it creates?  Or are you just saying that it
> will behave as if its builtins were segregated, and not see changes
> made by another interpreter?

I am going with your latter assumption in my design.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.python.org/pipermail/python-dev/attachments/20060712/98b621f6/attachment.html 

More information about the Python-Dev mailing list