limited python virtual machine (WAS: Another scripting language implemented into Python itself?)
Steven Bethard
steven.bethard at gmail.com
Wed Jan 26 15:23:17 EST 2005
Jack Diederich wrote:
> On Wed, Jan 26, 2005 at 10:23:03AM -0700, Steven Bethard wrote:
>
>>Jack Diederich wrote:
>>
>>>Yes, this comes up every couple months and there is only one answer:
>>>This is the job of the OS.
>>>Java largely succeeds at doing sandboxy things because it was written that
>>>way from the ground up (to behave both like a program interpreter and an
>>>OS).
>>>Python the language was not, and the CPython interpreter definitely was
>>>not.
>>>
>>>Search groups.google.com for previous discussions of this on c.l.py
>>
>>Could you give some useful queries? Every time I do this search, I get
>>a few results, but never anything that really goes into the security
>>holes in any depth. (They're usually something like -- "look, given
>>object, I can get int" not "look, given object, I can get eval,
>>__import__, etc.")
>
>
> A search on "rexec bastion" will give you most of the threads,
> search on "rexec bastion diederich" to see the other times I tried to
> stop the threads by recommending reading the older ones *wink*.
>
> Thread subjects:
> Replacement for rexec/Bastion?
> Creating a capabilities-based restricted execution system
> Embedding Python in Python
> killing thread ?
Thanks for the keywords -- I hadn't tried anything like any of these.
Unfortunately, they leave me with the same feeling as before... The
closest example that I saw that actually showed a security hole made use
of __builtins__. As you'll note from the beginning of this thread, I
was considering the case where no builtins are provided and imports are
disabled.
I also read a number of messages that had the same problems I do -- too
many threads just say "look at google groups", without saying what to
search for. They also often spend most of their time talking about
abstract problems, without showing code that illustrates how to break
the "security". For example, I never found anything close to describing
how to retrieve, say, 'eval' or '__import__' given only 'object'.
What would be really nice is a wiki that had examples of how to derive
"unsafe" functions from 'object'. I'd be glad to put one together, but
so far, I can't find many examples... If you want to consider reading
and writing of files as "unsafe", then I guess this might be one:
file = object.__subclasses__()[16]
If I could see how to go from 'object' (or 'int', 'str', 'file', etc.)
to 'eval' or '__import__', that would help out a lot...
Steve