Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!eternal-september.org!feeder.eternal-september.org!border1.nntp.ams1.giganews.com!nntp.giganews.com!newsfeed.xs4all.nl!newsfeed3a.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.001 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'python,': 0.02; 'heavily': 0.04; 'subject:Python': 0.05; 'motivated': 0.05; 'overflow': 0.07; 'pypy': 0.07; 'creighton': 0.09; 'guarded': 0.09; 'interpreter,': 0.09; 'url:pypy': 0.09; 'cc:addr:python-list': 0.10; 'thread': 0.10; 'python.': 0.11; '>>': 0.16; '"i': 0.16; 'correlation': 0.16; 'exploits': 0.16; 'of"': 0.16; 'rough': 0.16; 'to:addr:pearwood.info': 0.16; "to:name:steven d'aprano": 0.16; 'wrote:': 0.16; "wouldn't": 0.16; 'laura': 0.18; '>': 0.18; 'language': 0.19; '(not': 0.20; 'discussion': 0.20; 'cc:2**0': 0.21; 'cc:addr:python.org': 0.21; "aren't": 0.22; '2015': 0.23; 'wrote': 0.23; 'sat,': 0.23; 'header:In-Reply-To:1': 0.24; 'bugs': 0.27; 'wonder': 0.27; 'message-id:@mail.gmail.com': 0.28; 'host': 0.28; 'equally': 0.29; 'environment': 0.29; 'lines': 0.30; 'that.': 0.30; 'programmers': 0.31; 'maybe': 0.31; 'url:mailman': 0.31; 'code': 0.31; "can't": 0.32; 'possibly': 0.32; 'url:python': 0.33; "d'aprano": 0.33; 'environment,': 0.33; 'lock': 0.33; 'steven': 0.33; 'skip:& 10': 0.34; 'received:google.com': 0.34; 'url:listinfo': 0.35; 'along': 0.35; 'i.e.': 0.35; 'but': 0.36; 'being': 0.36; 'url:org': 0.36; 'there': 0.36; 'subject:: ': 0.37; 'level': 0.37; 'doing': 0.38; 'pm,': 0.39; 'url:en': 0.39; 'data': 0.40; 'where': 0.40; 'some': 0.40; 'secure': 0.61; 'even': 0.61; 'claim': 0.61; 'simple': 0.61; 'more': 0.62; '30,': 0.63; 'different': 0.64; 'due': 0.65; 'between': 0.65; 'theoretical': 0.72; '+1000,': 0.84; 'holes': 0.84; 'hostile': 0.84; 'url:latest': 0.84; 'url:readthedocs': 0.84; 'processes,': 0.93; 'technique': 0.93; 'url:sandbox': 0.93 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eHR9Ozz/WuISoGZRywlRzJn0kqpjc0UkknmRawx7sk0=; b=dIvzONch02uhyAFezmN9g7pMcMRxNZeNXx2VKjn/KgQKFk0ji5ur21qQVuGrZKwBC/ Gw60Bt0g91HEtYWrikwGhXIUJzXEC9o56VyMW7erafGRuvo0XGCZKufQI0U8rVOMEhii QJ3OXVsTCxvoaQc3p8YKGvnl7yNDFAT9BssRwnMQqNIjN+LAfAus2Ex5ZoDAl+9Xfz4f EmfSrDkglsK4iPdZClVPpCUffzcRLr3495MynL9Fi+/8s4lL8Fx4We9nQz/7M/DIS9cA MzPrzfu3jaZYa3Ounu5qKMAzCCgekyApahsyEguU91ukZH7NkfFKGHln5WTU9glxJ5+9 /QIQ== MIME-Version: 1.0 X-Received: by 10.112.146.97 with SMTP id tb1mr15156508lbb.12.1433034517986; Sat, 30 May 2015 18:08:37 -0700 (PDT) In-Reply-To: <556a4d3f$0$12998$c3e8da3$5496439d@news.astraweb.com> References: <60b424a2-2273-42b2-b60c-92656af0afa5@googlegroups.com> <87h9qvxmh0.fsf@jester.gateway.sonic.net> <878uc6yhtq.fsf@jester.gateway.sonic.net> <874mmuy8ko.fsf@jester.gateway.sonic.net> <55697c1f$0$13013$c3e8da3$5496439d@news.astraweb.com> <556a4d3f$0$12998$c3e8da3$5496439d@news.astraweb.com> Date: Sat, 30 May 2015 19:08:37 -0600 Subject: Re: Creating a reliable sandboxed Python environment From: Modulok To: "Steven D'Aprano" Cc: Python mailing list Content-Type: multipart/alternative; boundary=047d7b3a85a06544f905175659eb X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.20+ Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 133 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1433034526 news.xs4all.nl 2969 [2001:888:2000:d::a6]:51220 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:91555 --047d7b3a85a06544f905175659eb Content-Type: text/plain; charset=UTF-8 While this thread is indeed a theoretical discussion of the interpreter, for a practical solution where you control the host environment, one might look into OS level sandboxing like FreeBSD's Jails (not to be confused with a simple chroot environment) along with various resource limiting parameters. You can lock down a 'sandboxed' i.e. jailed environment for arbitrary data and processes, including python, pretty tightly. -Kurt- On Sat, May 30, 2015 at 5:52 PM, Steven D'Aprano wrote: > On Sat, 30 May 2015 09:24 pm, Laura Creighton wrote: > > > In a message of Sat, 30 May 2015 19:00:14 +1000, "Steven D'Aprano" > writes: > >>I wouldn't have imagined that the claim "it's easier to secure a small > >>language with a few features than a big language with lots of features" > >>would have been so controversial. I wonder if this claim will be equally > >>as controversial? > >> > >>There is a rough correlation between the number of lines of code in a > code > >>base, and the number of potential security holes that need to be guarded > >>against. > > > > Maybe these aren't controversial if you are doing langauge level > > sandboxing, but you don't have to sandbox like that. Consider, for a > > moment, the sandboxing technique used by PyPy > > discussed at > > > > http://pypy.readthedocs.org/en/latest/sandbox.html > > > > You think it is way cool, but, alas, you want to sandbox some other > > language than Python. > > How many PyPy sandboxes are being used with hostile users motivated to > break > out of the sandbox? > > "I wrote a sandbox which I can't break out of" is different from "I wrote a > sandbox which nobody can break out of". Javascript is sandboxed, but due to > bugs in implementations, Javascript-based exploits are now heavily used by > malware. There are possibly even more Javascript-based exploits than buffer > overflow based exploits these days, as C programmers get better at using > automated tools that check for buffer overflows. > > > > -- > Steven > > -- > https://mail.python.org/mailman/listinfo/python-list > --047d7b3a85a06544f905175659eb Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
While this thread is indeed a theoretical discussion = of the interpreter, for a practical solution where you control the host env= ironment, one might look into OS level sandboxing like FreeBSD's Jails = (not to be confused with a simple chroot environment) along with various re= source limiting parameters. You can lock down a 'sandboxed' i.e. ja= iled environment for arbitrary data and processes, including python, pretty= tightly.

-Kurt-

On Sat, May 30, 2015 at 5:52 PM, Steven= D'Aprano <steve@pearwood.info> wrote:
On Sat, 30 May 2015 09:24 pm, Laura Creighton wrote:

> In a message of Sat, 30 May 2015 19:00:14 +1000, "Steven D'Ap= rano" writes:
>>I wouldn't have imagined that the claim "it's easier t= o secure a small
>>language with a few features than a big language with lots of featu= res"
>>would have been so controversial. I wonder if this claim wil= l be equally
>>as controversial?
>>
>>There is a rough correlation between the number of lines of code in= a code
>>base, and the number of potential security holes that need to be gu= arded
>>against.
>
> Maybe these aren't controversial if you are doing langauge = level
> sandboxing, but you don't have to sandbox like that.=C2=A0 Conside= r, for a
> moment, the sandboxing technique used by PyPy
> discussed at
>
> http://pypy.readthedocs.org/en/latest/sandbox.html
>
> You think it is way cool, but, alas, you want to sandbox some other > language than Python.

How many PyPy sandboxes are being used with hostile users motivated to brea= k
out of the sandbox?

"I wrote a sandbox which I can't break out of" is different f= rom "I wrote a
sandbox which nobody can break out of". Javascript is sandboxed, but d= ue to
bugs in implementations, Javascript-based exploits are now heavily used by<= br> malware. There are possibly even more Javascript-based exploits than buffer=
overflow based exploits these days, as C programmers get better at using automated tools that check for buffer overflows.



--
Steven

--
https://mail.python.org/mailman/listinfo/python-list

--047d7b3a85a06544f905175659eb--