[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

Isaac Morland ijmorlan at uwaterloo.ca
Mon Apr 11 07:04:56 EDT 2016

On Mon, 11 Apr 2016, Victor Stinner wrote:

> 2016-04-10 18:43 GMT+02:00 Jon Ribbens <jon+python-dev at unequivocal.co.uk>:
>> That's the opposite of my approach though - I'm starting small and
>> adding things, not starting with everything and removing stuff. Even
>> if what we end up with is an extremely restricted subset of Python,
>> there are still cases where that could be a useful tool to have.
> You design rely on the assumption that CPython is only pure Python.
> That's wrong. A *lot* of Python features are implemented in C and
> "ignore" your sandboxing code. Quick reminder: 50% of CPython is
> written in the C language.
> It means that your protections like hiding builtin functions from the
> Python scope don't work. If an attacker gets access to a C function
> giving access to the hidden builtin, the game is over.

Non-Python core developer, non-expert-specifically-in-computer-security 
here, so won't take up much room on this list.

I know enough about almost everything in Computer Science to know just how 
ignorant I am about almost everything in Computer Science.

But I would not use for security purposes a Python sandbox that was not 
formally verified to be correct and unbreakable.  Of course in order for 
this to be possible, there first has to be a formal semantics for Python. 
Has anybody made a formal semantics for Python?  If not, then this project 
is missing a pretty important pre-requisite.

Isaac Morland           CSCF Web Guru
DC 2619, x36650         WWW Software Specialist

More information about the Python-Dev mailing list