[Python-Dev] Add a frozendict builtin type

Victor Stinner victor.stinner at haypocalc.com
Thu Mar 1 11:01:07 CET 2012


>> The main idea of pysandbox is to reuse most of CPython but hide
>> "dangerous" functions and run untrusted code in a separated namespace.
>> The problem is to create the sandbox and ensure that it is not
>> possible to escape from this sandbox. pysandbox is still a
>> proof-of-concept, even if it works pretty well for short dummy
>> scripts. But pysandbox is not ready for real world programs.
>
> I hope you have studied (recent) history. Sandboxes in Python
> traditionally have not been secure. Read the archives for details.

The design of pysandbox makes it difficult to implement. It is mostly
based on blacklist, so any omission would lead to a vulnerability. I
read the recent history of sandboxes and see other security modules
for Python, and I don't understand your reference to "Sandboxes in
Python traditionally have not been secure." There is no known
vulnerability in pysandbox, did I miss something? (there is only a
limitation on the dict API because of the lack of frozendict.)

Are you talking about rexec/Bastion? (which cannot be qualified as "recent" :-))

pysandbox limitations are documented in its README file:

<< pysandbox is a sandbox for the Python namespace, not a sandbox between Python
and the operating system. It doesn't protect your system against Python
security vulnerabilities: vulnerabilities in modules/functions available in
your sandbox (depend on your sandbox configuration). By default, only few
functions are exposed to the sandbox namespace which limits the attack surface.

pysandbox is unable to limit the memory of the sandbox process: you have to use
your own protection. >>

Hum, I am also not sure that pysandbox "works" with threads :-) I mean
that enabling pysandbox impacts all running threads, not only one
thread, which can cause issues. It should also be mentioned.

PyPy sandbox has a different design: it uses a process with no
privilege, all syscalls are redirected to another process which applies
security checks to each syscall.
http://doc.pypy.org/en/latest/sandbox.html

See also the seccomp-nurse project, a generic sandbox using Linux SECCOMP:
http://chdir.org/~nico/seccomp-nurse/

See also pysandbox README for a list of other Python security modules.

Victor
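The frozendict limitation mentioned in the message above, as an added illustration that is not pysandbox's or CPython's code: a minimal read-only mapping (the `FrozenDict` class and `mutation_blocked` helper are assumptions of this example) and a check that the usual mutation paths a plain dict namespace leaves open are closed.

```python
"""Read-only mapping in the spirit of the frozendict discussed above.

A sandbox that hands untrusted code a plain dict as its namespace lets any
code holding a reference to that dict rewrite names in it; an immutable
Mapping removes that class of problem at the type level.
"""
from collections.abc import Mapping


class FrozenDict(Mapping):
    """Immutable, hashable mapping: no __setitem__, __delitem__ or update."""

    __slots__ = ("_data", "_hash")

    def __init__(self, *args, **kwargs):
        self._data = dict(*args, **kwargs)
        self._hash = None

    def __getitem__(self, key):
        return self._data[key]

    def __iter__(self):
        return iter(self._data)

    def __len__(self):
        return len(self._data)

    def __hash__(self):
        # Computed lazily; requires every value to be hashable.
        if self._hash is None:
            self._hash = hash(frozenset(self._data.items()))
        return self._hash

    def __repr__(self):
        return f"FrozenDict({self._data!r})"


def mutation_blocked(ns):
    """True if every common mutation path on ns fails (TypeError/AttributeError)."""
    attempts = (
        lambda: ns.__setitem__("len", None),
        lambda: ns.__delitem__("len"),
        lambda: ns.update({"len": None}),
        lambda: ns.pop("len"),
        lambda: ns.clear(),
    )
    for attempt in attempts:
        try:
            attempt()
        except (TypeError, AttributeError):
            continue
        return False  # a mutation succeeded: the namespace is writable
    return True


# Constructed sample namespace exposing two harmless builtins.
SAFE_BUILTINS = FrozenDict(len=len, range=range)
```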

