Security test of embedded Python

 
 
Chris Angelico
 
      06-22-2011
I'm involved in the construction of an environment that allows end
users to supply scripts which will then run on our servers. We need to
be able to offer the full flexibility of a scripting language, but
without the risk of compromise to our computers. To that end, we have
set up a system with pretty much the same facilities as our live
system will have, and are offering this to the world to hammer on -
and requesting the world's assistance in hunting down bugs.

The environment is Python 3.3a0 embedded in C++, running on Linux.
It's currently home-hosted to keep things simple, with only one port
forwarded to it from our NAT router (so don't bother port scanning,
you aren't looking at Monty).

And yes, that's right. I have no imagination when it comes to names.
Our test box really is called Monty. And to sign up for our forums,
you'll need to prove you're a human by knowing that the name "Python"
goes with "Monty".

Launch page: http://www.pythontest.com/
PHPBB forum: http://www.pythontest.com/forum/
(feedback here please, no need to clutter the python-list)
Actual thing to whump into submission: http://www.pythontest.com:8000/

Find a bug, get noted as a contributor!

Thanks!

Chris Angelico
 
Paul Rubin
      06-22-2011
Chris Angelico <(E-Mail Removed)> writes:
> users to supply scripts which will then run on our servers...
> The environment is Python 3.3a0 embedded in C++, running on Linux.


This doesn't sound like a bright idea, given the well-known difficulty
of sandboxing Python.

Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
examples (C++) you might want to try translating to Python and running
on your server. It uses ptrace to control the execution of potentially
hostile code. I don't know if any exploits have been found or whether
it's still active.

Maybe you want to look at Lua. IMHO it's not a very nice language, but
I've heard that it's easy to embed and sandbox.
 
Chris Angelico
 
      06-22-2011
On Wed, Jun 22, 2011 at 12:02 PM, Paul Rubin <(E-Mail Removed)> wrote:
> Chris Angelico <(E-Mail Removed)> writes:
>> users to supply scripts which will then run on our servers...
>> The environment is Python 3.3a0 embedded in C++, running on Linux.

>
> This doesn't sound like a bright idea, given the well-known difficulty
> of sandboxing Python.


So it seems! Less than half an hour after I made the announcement
post, the box had been compromised.

> Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
> examples (C++) you might want to try translating to Python and running
> on your server. It uses ptrace to control the execution of potentially
> hostile code. I don't know if any exploits have been found or whether
> it's still active.


Thanks, will look into it.

> Maybe you want to look at Lua. IMHO it's not a very nice language, but
> I've heard that it's easy to embed and sandbox.


Yeah, I've used Lua before (in a game called Angband), and it's not
that great. But security's more important than ideal language syntax.

I'll also be looking into Pike. Unfortunately its community is far
smaller than Python's, so security holes may be less obvious.

Chris Angelico
 
Paul Rubin
 
      06-22-2011
Chris Angelico <(E-Mail Removed)> writes:
> I'll also be looking into Pike. Unfortunately its community is far
> smaller than Python's, so security holes may be less obvious.


Actually the most obvious and widespread sandboxed language these days
is Javascript. There's several embeddable implementations. Maybe you
should just use one of those.
 
Chris Angelico
 
      06-22-2011
Followup: The test box has been administratively taken offline after
about an hour of testing. Thank you to everyone who participated; it
seems we have a lot of changes to make!

Monty failed the test. But it was an incredibly successful test. And
hopefully, we'll be bringing things back online for another shot once
things are sorted out!

Chris Angelico
 
Benjamin Kaplan
 
      06-22-2011
On Tue, Jun 21, 2011 at 7:40 PM, Paul Rubin <(E-Mail Removed)> wrote:
> Chris Angelico <(E-Mail Removed)> writes:
>> I'll also be looking into Pike. Unfortunately its community is far
>> smaller than Python's, so security holes may be less obvious.

>
> Actually the most obvious and widespread sandboxed language these days
> is Javascript. There's several embeddable implementations. Maybe you
> should just use one of those.


Use Pyjamas with that and now you have your sandboxed Python
 
Chris Angelico
 
      06-22-2011
On Wed, Jun 22, 2011 at 1:09 PM, Benjamin Kaplan
<(E-Mail Removed)> wrote:
> Use Pyjamas with that and now you have your sandboxed Python
>


Not a day goes past without a reminder that I haven't yet explored Pyjamas!

Monty's back online now in a restricted environment. I'm going to a
meeting in a couple of hours where we will decide where to go from
here; between now and then, if anyone can gain filesystem or OS
access, that will probably put the final nail in the coffin of us
using Python.

Meanwhile, I'm looking into V8 and whether we can do everything we
need to that way, and how much dev time it's going to take me to
change languages...

Chris Angelico
 
Paul Rubin
 
      06-22-2011
Chris Angelico <(E-Mail Removed)> writes:
> Meanwhile, I'm looking into V8 and whether we can do everything we
> need to that way, and how much dev time it's going to take me to
> change languages...


If you want to run Python, one obvious approach is a
controlled-execution wrapper like Geordi uses.
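
A minimal sketch of the out-of-process confinement direction suggested in the reply above, added here as an example and not code from any poster or from Geordi. It applies POSIX rlimits to a child interpreter on Linux rather than Geordi's ptrace-based control of system calls, so it bounds CPU time, memory and file writes but does not restrict system calls, file reads or network access; the limit values and the name `run_untrusted` are assumptions.

```python
import os
import resource
import signal
import subprocess
import sys
import tempfile

# Assumed limits for this sketch (hard == soft, so the child cannot raise them).
LIMITS = {
    resource.RLIMIT_CPU: 1,             # seconds of CPU time
    resource.RLIMIT_AS: 512 * 1024**2,  # bytes of address space
    resource.RLIMIT_FSIZE: 0,           # no writes that extend a regular file
    resource.RLIMIT_CORE: 0,            # no core dumps
}

def _apply_limits():
    """Runs in the child after fork() and before exec()."""
    for res, value in LIMITS.items():
        resource.setrlimit(res, (value, value))

def run_untrusted(source, wall_timeout=5):
    """Run `source` in a separate, resource-limited interpreter.

    Returns (returncode, stdout); a negative returncode is the number of
    the signal that killed the child.
    """
    # Pass through only what the interpreter needs, not the server's secrets.
    env = {k: os.environ[k] for k in ("PATH", "LD_LIBRARY_PATH") if k in os.environ}
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.Popen(
            [sys.executable, "-I", "-c", source],  # -I: ignore PYTHON* vars and user site
            stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL, cwd=scratch, env=env,
            start_new_session=True, preexec_fn=_apply_limits)
        try:
            out, _ = proc.communicate(timeout=wall_timeout)
        except subprocess.TimeoutExpired:
            # RLIMIT_CPU does not catch a script that sleeps; kill its group.
            os.killpg(proc.pid, signal.SIGKILL)
            out, _ = proc.communicate()
    return proc.returncode, out.decode(errors="replace")

if __name__ == "__main__":
    print(run_untrusted("print(sum(range(10)))"))  # normal script
    print(run_untrusted("while True: pass"))       # killed by the CPU limit
```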
 
Dennis
 
      06-22-2011
Hi,

The Google App Engine product seems to sandbox Python code, however it
comes with a lot of limitations and maybe those can be an inspiration
for how you design your infrastructure.

http://code.google.com/appengine/doc.../overview.html

http://code.google.com/appengine/kb/commontasks.html

I hope this helps somewhat - I know it is lacking some specifics.

Dennis O.
 
Irmen de Jong
 
      06-22-2011
On 22-6-2011 4:44, Chris Angelico wrote:
> Followup: The test box has been administratively taken offline after
> about an hour of testing. Thank you to everyone who participated; it
> seems we have a lot of changes to make!
>
> Monty failed the test. But it was an incredibly successful test. And
> hopefully, we'll be bringing things back online for another shot once
> things are sorted out!
>
> Chris Angelico


Maybe you should have a look at sandboxed pypy?
http://pypy.org/features.html#sandboxing

(disclaimer: never used it myself)

Irmen

 