


Security test of embedded Python

Started by: Chris Angelico <rosuav@gmail.com>
First post: 2011-06-22 10:49 +1000
Last post: 2011-06-22 19:33 +0200
Articles: 10 — 5 participants



Contents

  Security test of embedded Python Chris Angelico <rosuav@gmail.com> - 2011-06-22 10:49 +1000
    Re: Security test of embedded Python Paul Rubin <no.email@nospam.invalid> - 2011-06-21 19:02 -0700
      Re: Security test of embedded Python Chris Angelico <rosuav@gmail.com> - 2011-06-22 12:35 +1000
        Re: Security test of embedded Python Paul Rubin <no.email@nospam.invalid> - 2011-06-21 19:40 -0700
          Re: Security test of embedded Python Benjamin Kaplan <benjamin.kaplan@case.edu> - 2011-06-21 20:09 -0700
          Re: Security test of embedded Python Chris Angelico <rosuav@gmail.com> - 2011-06-22 13:26 +1000
            Re: Security test of embedded Python Paul Rubin <no.email@nospam.invalid> - 2011-06-21 20:42 -0700
              Re: Security test of embedded Python Dennis <daodennis@gmail.com> - 2011-06-21 22:37 -0700
      Re: Security test of embedded Python Chris Angelico <rosuav@gmail.com> - 2011-06-22 12:44 +1000
        Re: Security test of embedded Python Irmen de Jong <irmen.NOSPAM@xs4all.nl> - 2011-06-22 19:33 +0200

#8154 — Security test of embedded Python

From: Chris Angelico <rosuav@gmail.com>
Date: 2011-06-22 10:49 +1000
Subject: Security test of embedded Python
Message-ID: <mailman.258.1308703797.1164.python-list@python.org>
I'm involved in the construction of an environment that allows end
users to supply scripts which will then run on our servers. We need to
be able to offer the full flexibility of a scripting language, but
without the risk of compromise to our computers. To that end, we have
set up a system with pretty much the same facilities as our live
system will have, and are offering this to the world to hammer on -
and requesting the world's assistance in hunting down bugs.

The environment is Python 3.3a0 embedded in C++, running on Linux.
It's currently home-hosted to keep things simple, with only one port
forwarded to it from our NAT router (so don't bother port scanning,
you aren't looking at Monty).

And yes, that's right. I have no imagination when it comes to names.
Our test box really is called Monty. And to sign up for our forums,
you'll need to prove you're a human by knowing that the name "Python"
goes with "Monty".

Launch page: http://www.pythontest.com/
PHPBB forum: http://www.pythontest.com/forum/
  (feedback here please, no need to clutter the python-list)
Actual thing to whump into submission: http://www.pythontest.com:8000/

Find a bug, get noted as a contributor! :)

Thanks!

Chris Angelico



#8163

From: Paul Rubin <no.email@nospam.invalid>
Date: 2011-06-21 19:02 -0700
Message-ID: <7xhb7i7hes.fsf@ruckus.brouhaha.com>
In reply to: #8154
Chris Angelico <rosuav@gmail.com> writes:
> users to supply scripts which will then run on our servers...
> The environment is Python 3.3a0 embedded in C++, running on Linux.

This doesn't sound like a bright idea, given the well-known difficulty
of sandboxing Python.

Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
examples (C++) you might want to try translating to Python and running
on your server.  It uses ptrace to control the execution of potentially
hostile code.  I don't know if any exploits have been found or whether
it's still active.

Maybe you want to look at Lua.  IMHO it's not a very nice language, but
I've heard that it's easy to embed and sandbox.



#8166

From: Chris Angelico <rosuav@gmail.com>
Date: 2011-06-22 12:35 +1000
Message-ID: <mailman.262.1308710118.1164.python-list@python.org>
In reply to: #8163
On Wed, Jun 22, 2011 at 12:02 PM, Paul Rubin <no.email@nospam.invalid> wrote:
> Chris Angelico <rosuav@gmail.com> writes:
>> users to supply scripts which will then run on our servers...
>> The environment is Python 3.3a0 embedded in C++, running on Linux.
>
> This doesn't sound like a bright idea, given the well-known difficulty
> of sandboxing Python.

So it seems! Less than half an hour after I made the announcement
post, the box had been compromised.

> Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
> examples (C++) you might want to try translating to Python and running
> on your server.  It uses ptrace to control the execution of potentially
> hostile code.  I don't know if any exploits have been found or whether
> it's still active.

Thanks, will look into it.

> Maybe you want to look at Lua.  IMHO it's not a very nice language, but
> I've heard that it's easy to embed and sandbox.

Yeah, I've used Lua before (in a game called Angband), and it's not
that great. But security's more important than ideal language syntax.

I'll also be looking into Pike. Unfortunately its community is far
smaller than Python's, so security holes may be less obvious.

Chris Angelico



#8167

From: Paul Rubin <no.email@nospam.invalid>
Date: 2011-06-21 19:40 -0700
Message-ID: <7xei2my4fd.fsf@ruckus.brouhaha.com>
In reply to: #8166
Chris Angelico <rosuav@gmail.com> writes:
> I'll also be looking into Pike. Unfortunately its community is far
> smaller than Python's, so security holes may be less obvious.

Actually the most obvious and widespread sandboxed language these days
is Javascript.  There's several embeddable implementations.  Maybe you
should just use one of those.



#8172

From: Benjamin Kaplan <benjamin.kaplan@case.edu>
Date: 2011-06-21 20:09 -0700
Message-ID: <mailman.265.1308712175.1164.python-list@python.org>
In reply to: #8167
On Tue, Jun 21, 2011 at 7:40 PM, Paul Rubin <no.email@nospam.invalid> wrote:
> Chris Angelico <rosuav@gmail.com> writes:
>> I'll also be looking into Pike. Unfortunately its community is far
>> smaller than Python's, so security holes may be less obvious.
>
> Actually the most obvious and widespread sandboxed language these days
> is Javascript.  There's several embeddable implementations.  Maybe you
> should just use one of those.

Use Pyjamas with that and now you have your sandboxed Python :)



#8173

From: Chris Angelico <rosuav@gmail.com>
Date: 2011-06-22 13:26 +1000
Message-ID: <mailman.266.1308713213.1164.python-list@python.org>
In reply to: #8167
On Wed, Jun 22, 2011 at 1:09 PM, Benjamin Kaplan
<benjamin.kaplan@case.edu> wrote:
> Use Pyjamas with that and now you have your sandboxed Python :)
>

Not a day goes past without a reminder that I haven't yet explored Pyjamas! :)

Monty's back online now in a restricted environment. I'm going to a
meeting in a couple of hours where we will decide where to go from
here; between now and then, if anyone can gain filesystem or OS
access, that will probably put the final nail in the coffin of us
using Python.

Meanwhile, I'm looking into V8 and whether we can do everything we
need to that way, and how much dev time it's going to take me to
change languages...

Chris Angelico



#8176

From: Paul Rubin <no.email@nospam.invalid>
Date: 2011-06-21 20:42 -0700
Message-ID: <7x4o3ittv7.fsf@ruckus.brouhaha.com>
In reply to: #8173
Chris Angelico <rosuav@gmail.com> writes:
> Meanwhile, I'm looking into V8 and whether we can do everything we
> need to that way, and how much dev time it's going to take me to
> change languages...

If you want to run Python, one obvious approach is a
controlled-execution wrapper like Geordi uses.
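The ptrace-based controlled-execution idea that Geordi is said to use (mentioned in the first reply and again here), as an added example written for this thread rather than code taken from Geordi or from any poster: a supervisor forks the untrusted program, traces it, and at every system-call entry compares the syscall number against a deny list, killing the child before a denied call executes. Assumptions: Linux on x86_64 or aarch64, the presence of /bin/true and /bin/mkdir as the two demo programs, and a demo deny list that contains only the directory-creation syscalls so the effect is observable; a production policy would be an allow-list of the few calls the script engine legitimately needs.

```c
/* Added example (not from Geordi or the thread): minimal ptrace syscall supervisor. */
#define _GNU_SOURCE
#include <elf.h>          /* NT_PRSTATUS */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>      /* struct iovec for PTRACE_GETREGSET */
#include <sys/user.h>     /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

enum { SV_DENIED = -1, SV_ERROR = -2 };

/* Demo policy (constructed for this example): refuse directory creation in both
 * spellings. The trailing -1 is never a syscall number; it keeps the array
 * non-empty on architectures that lack one of the two names. */
static const long deny_mkdir_syscalls[] = {
#ifdef SYS_mkdir
    SYS_mkdir,
#endif
#ifdef SYS_mkdirat
    SYS_mkdirat,
#endif
    -1,
};
static const size_t deny_mkdir_count =
    sizeof deny_mkdir_syscalls / sizeof deny_mkdir_syscalls[0];

/* Syscall number of a tracee currently in a syscall stop. */
static long current_syscall(pid_t pid)
{
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
#if defined(__x86_64__)
    return (long)regs.orig_rax;      /* x86_64: syscall number lives in orig_rax */
#elif defined(__aarch64__)
    return (long)regs.regs[8];       /* aarch64: syscall number lives in x8 */
#else
#error "unsupported architecture for this example"
#endif
}

static int is_denied(long nr, const long *deny, size_t ndeny)
{
    for (size_t i = 0; i < ndeny; i++)
        if (deny[i] == nr)
            return 1;
    return 0;
}

/* Run path/argv under supervision. Returns the child's exit status (>= 0),
 * SV_DENIED if it was killed on entry to a denied syscall, SV_ERROR otherwise. */
int run_supervised(const char *path, char *const argv[], const long *deny, size_t ndeny)
{
    pid_t pid = fork();
    if (pid == -1)
        return SV_ERROR;
    if (pid == 0) {
        /* Tracee: request tracing, then exec; a successful exec stops us with SIGTRAP. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(126);
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return SV_ERROR;             /* ptrace unavailable or exec failed */
    /* Mark syscall stops distinctly (SIGTRAP|0x80) and kill the child if we die. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL,
           (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    int inject = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)inject) == -1)
            return SV_ERROR;
        if (waitpid(pid, &status, 0) == -1)
            return SV_ERROR;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return SV_ERROR;
        inject = 0;
        int sig = WSTOPSIG(status);
        if (sig == (SIGTRAP | 0x80)) {           /* syscall entry or exit stop */
            if (is_denied(current_syscall(pid), deny, ndeny)) {
                kill(pid, SIGKILL);              /* refuse before the call runs */
                waitpid(pid, &status, 0);
                return SV_DENIED;
            }
        } else if (sig != SIGTRAP) {
            inject = sig;                        /* deliver ordinary signals as-is */
        }
    }
}

int main(void)
{
    char *const ok[]  = { "true", NULL };
    char *const bad[] = { "mkdir", "/tmp/ptrace-demo-should-not-exist", NULL };
    printf("/bin/true  -> %d (exit status)\n",
           run_supervised("/bin/true", ok, deny_mkdir_syscalls, deny_mkdir_count));
    printf("/bin/mkdir -> %d (SV_DENIED is %d)\n",
           run_supervised("/bin/mkdir", bad, deny_mkdir_syscalls, deny_mkdir_count), SV_DENIED);
    return 0;
}
```

The check runs on both the entry and exit stop of every syscall, which is harmless because a denied call is killed at entry and never reaches its exit stop. Two limitations worth knowing before relying on this pattern: a child that forks escapes the tracer unless PTRACE_O_TRACEFORK and friends are enabled, and syscall-number filtering says nothing about arguments, so a policy that must distinguish "open this file" from "open that file" needs argument inspection or a seccomp filter in addition.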



#8186

From: Dennis <daodennis@gmail.com>
Date: 2011-06-21 22:37 -0700
Message-ID: <mailman.272.1308721027.1164.python-list@python.org>
In reply to: #8176
Hi,

The Google App Engine product seems to sandbox Python code, however it
comes with a lot of limitations and maybe those can be an inspiration
for how you design your infrastructure.

http://code.google.com/appengine/docs/python/overview.html

http://code.google.com/appengine/kb/commontasks.html

I hope this helps somewhat - I know it's lacking some specifics.

Dennis O.



#8168

From: Chris Angelico <rosuav@gmail.com>
Date: 2011-06-22 12:44 +1000
Message-ID: <mailman.263.1308710680.1164.python-list@python.org>
In reply to: #8163
Followup: The test box has been administratively taken offline after
about an hour of testing. Thank you to everyone who participated; it
seems we have a lot of changes to make!

Monty failed the test. But it was an incredibly successful test. And
hopefully, we'll be bringing things back online for another shot once
things are sorted out!

Chris Angelico



#8233

From: Irmen de Jong <irmen.NOSPAM@xs4all.nl>
Date: 2011-06-22 19:33 +0200
Message-ID: <4e022784$0$49181$e4fe514c@news.xs4all.nl>
In reply to: #8168
On 22-6-2011 4:44, Chris Angelico wrote:
> Followup: The test box has been administratively taken offline after
> about an hour of testing. Thank you to everyone who participated; it
> seems we have a lot of changes to make!
> 
> Monty failed the test. But it was an incredibly successful test. And
> hopefully, we'll be bringing things back online for another shot once
> things are sorted out!
> 
> Chris Angelico

Maybe you should have a look at sandboxed pypy?
http://pypy.org/features.html#sandboxing

(disclaimer: never used it myself)

Irmen


