Python "sub-interpreter," security

jvvhie at gmail.com
Mon Jun 26 07:07:45 CEST 2006


Hello, I am writing a pure-Python game engine that interprets the code
of game objects within the same process with the exec statement. My
main goal is to make as much power available as possible and exec seems
like the best way to do that.

This is my "proof-of-concept" code (only 18 lines and some whitespace,
including the test):

http://people.ucsc.edu/~jhofmann/programmables.py

I showed this to the Pygame list and received some interest and a
completely different, more sophisticated implementation:

http://codereactor.net/~shang/interpret/

As-is, both versions are wide-open security holes. I think that I can
patch them up if I run checks on the statements and eliminate all
language features that pose risks. Then, features that are useful but
not needed at their full capacity can be accessed through functions
designed to be secure. Forcing a crash is not considered an exploit for
this purpose (since it's a game engine - if it crashes, the user can
recover and lose no data).

What I'd like to know is, is it possible to meet this level of
security, and if so, which features have to be eliminated?

The two that I'm sure should go are module imports and self-modifying
code. But in the latter case, I don't know all the ways that might be
done. It seems like a very complicated problem, and if I can't solve it
I might leave the whole thing unsecured.
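Added example, not part of the original post or of either linked implementation: it shows why stripping builtins from an exec sandbox is not by itself enough (object introspection walks from an empty tuple back to the real `__import__`), and then an AST pre-check of the statement-filtering kind the post proposes. It uses Python 3's `exec()` function rather than the Python 2 statement, and the names `check_source`, `run_unchecked`, `sandbox_exec` and the two code snippets are assumptions made for the demonstration.

```python
"""Added example (not the poster's code): an exec() sandbox with an empty
builtins table is escapable via object introspection; an AST whitelist
of the kind the post proposes closes that particular route."""
import ast

# Constructed untrusted snippet: the well-known route from an empty
# __builtins__ back to the real __import__. Bare excepts are deliberate,
# since with no builtins even the name AttributeError is unresolvable.
ESCAPE = '''
for cls in ().__class__.__base__.__subclasses__():
    try:
        g = cls.__init__.__globals__   # only Python-defined __init__ has this
        b = g["__builtins__"]          # that module's builtins
    except:
        continue
    try:
        imp = b["__import__"]          # usually a plain dict
    except:
        imp = b.__import__             # occasionally the builtins module
    escaped = imp("os").sep
    break
'''

# Constructed benign "game object" code the engine should still accept.
BENIGN = '''
hp = 10
for _ in range(3):
    hp = max(0, hp - 4)
'''

SAFE_BUILTINS = {"range": range, "max": max, "min": min, "len": len, "abs": abs}
FORBIDDEN_NODES = (ast.Import, ast.ImportFrom)
DANGEROUS_CALLS = {"exec", "eval", "compile", "getattr", "setattr", "delattr",
                   "vars", "globals", "locals", "__import__", "open"}


def check_source(src):
    """Return (ok, reason). Rejects import statements, any dunder name or
    attribute (the introspection route above), and direct calls to
    reflective builtins. A SyntaxError from ast.parse propagates."""
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, FORBIDDEN_NODES):
            return False, "import statement"
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False, "dunder attribute %s" % node.attr
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return False, "dunder name %s" % node.id
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS_CALLS):
            return False, "call to %s" % node.func.id
    return True, ""


def run_unchecked(src):
    """The naive sandbox: exec with an empty builtins table and no pre-check.
    Returns the namespace so the caller can see what the code produced."""
    ns = {"__builtins__": {}}
    exec(src, ns)
    return ns


def sandbox_exec(src):
    """Run src only if check_source passes, with builtins limited to
    SAFE_BUILTINS. Raises ValueError for rejected source."""
    ok, reason = check_source(src)
    if not ok:
        raise ValueError("rejected: " + reason)
    ns = {"__builtins__": dict(SAFE_BUILTINS)}
    exec(src, ns)
    return ns


if __name__ == "__main__":
    print("unchecked escape reached os:", "escaped" in run_unchecked(ESCAPE))
    print("checked benign hp:", sandbox_exec(BENIGN)["hp"])
    try:
        sandbox_exec(ESCAPE)
    except ValueError as e:
        print("checked escape:", e)
```

The first call demonstrates the hole: with `__builtins__` emptied, the snippet still ends up holding `os`. The AST check rejects it on the first dunder attribute it sees, while the benign game code runs with only the whitelisted builtins. This answers the "module imports" half of the question, but not the completeness question the post asks: anything placed into the sandbox namespace (a callback, a game-object instance) that exposes `__globals__` or `__dict__` under a non-dunder alias reopens the route, and the check says nothing about runaway loops or memory, which the post explicitly accepts.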



