[Python-Dev] Sandboxing Python
Armin Rigo
arigo at tunes.org
Sun Mar 4 23:12:50 CET 2012

Hi Greg,

On Sun, Mar 4, 2012 at 22:44, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
>> Segfaults (most of them) can generally be made into arbitrary code
>> execution,
>
> Can you give an example of how this can be done?

You should find tons of documented examples of various attacks. It's
not easy, but it's possible. For example, let's assume we can decref
an object to 0 before its last usage, at address x. All you need is
the skills and luck to arrange that the memory at x becomes occupied
by a new bigger string object allocated at "x - small_number". This
is enough to control exactly all the bytes that are put at address x
and following, just by choosing the characters of the string. For
example the bytes can be built to make address x look like a built-in
function object, which you can call --- which will call an arbitrarily
chosen address in memory. This is enough to run arbitrary machine
code and do anything.

See you soon,
Armin.
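
Added example, not part of the message above and not CPython code: a toy heap model of the reuse scenario described there, showing what a stale reference at address x reads once a bigger string is allocated at x - 4, and what it reads when freed memory is poisoned and withheld from reuse. ToyHeap, stale_tag_after_reuse, the 4-byte type tag and the 0xdd poison value are constructed for illustration.

```python
TAG = 4  # bytes of "type tag" at the start of each toy object (assumption)

class ToyHeap:
    """Flat bytearray heap with a first-fit free list. Not CPython's allocator."""
    def __init__(self, size=64, quarantine=False):
        self.mem = bytearray(size)
        self.free = [(0, size)]          # sorted free extents: (addr, length)
        self.quarantine = quarantine

    def alloc(self, data):
        for i, (addr, length) in enumerate(self.free):
            if length >= len(data):      # first fit
                self.free[i] = (addr + len(data), length - len(data))
                self.mem[addr:addr + len(data)] = data
                return addr
        raise MemoryError("toy heap exhausted")

    def release(self, addr, length):
        self.mem[addr:addr + length] = b"\xdd" * length   # poison freed bytes
        if self.quarantine:
            return                       # mitigation: never hand this extent out again
        merged = []
        for a, n in sorted(self.free + [(addr, length)]):
            if merged and merged[-1][0] + merged[-1][1] == a:
                merged[-1] = (merged[-1][0], merged[-1][1] + n)   # coalesce neighbours
            else:
                merged.append((a, n))
        self.free = merged

def stale_tag_after_reuse(quarantine):
    """Return the tag bytes a dangling reference to x sees after the heap is reused."""
    heap = ToyHeap(quarantine=quarantine)
    small = heap.alloc(b"pad!")              # lands at address 0
    x = heap.alloc(b"OBJ:" + b"data")        # victim object at x = 4
    heap.alloc(b"keep")                      # live neighbour after the victim
    heap.release(x, 8)                       # premature "decref to 0"; x is still referenced
    heap.release(small, 4)                   # adjacent extent frees up and coalesces with x
    heap.alloc(b"AAAA" + b"FUNC" + b"BBBB")  # bigger string; lands at x - 4 without quarantine
    return bytes(heap.mem[x:x + TAG])        # what the stale reference reads as the type tag

if __name__ == "__main__":
    print("no quarantine:", stale_tag_after_reuse(False))
    print("quarantine:   ", stale_tag_after_reuse(True))
```

Without quarantine the stale reference reads bytes chosen by the new string's contents; with it, the read returns the poison pattern, which a tag check can reject.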