Sandboxing Python

Jeremy Hylton jeremy at beopen.com
Wed Sep 6 22:23:23 EDT 2000


cryptic at heavytech.com writes:

> I'm trying to determine if rexec actually does provide a bulletproof
> restricted execution environment.  I've read that Grail used it for
> its applet system, but have found comments saying this wasn't very
> secure, and have heard from friends that the security provided is
> limited.  

rexec can be used to construct an environment where the untrusted
Python code can be run safely.  The trusted code that creates the
sandbox (call it the supervisor) controls what modules and names the
untrusted code has access to.  Want to forbid access to the file
system?  Remove the open function, the os module functions that
affect files, etc.

If you want to implement a particular security policy, you need to
implement that policy yourself using the basic building blocks
provided by rexec and Bastion.  If you want to limit a program so that
it could only open sockets on port 80, you would need to write a
wrapper around the socket module that checks the port number when the
connect call is made.  There are no tools or libraries to make this
any easier and the standard libraries do not provide direct support
for security policies.  Interposition is all you've got.

The rexec mechanism is also rather complicated and places a number of
restrictions on the language features available to the untrusted code.
Most of the restrictions disable introspective features of the
language, like accessing an instance's __dict__ attribute.  There are
also restrictions on the interface between trusted and untrusted code.
If you pass an object from trusted code to untrusted code, you cannot
pass the object directly.  Instead, you must pass a Bastion object
that wraps the instance and prevents tampering by the untrusted code.

So the basic mechanism is probably sound, though no formal proof
exists and no serious analysis has been done.  The construction of a
secure system using the mechanism should also be possible, but it is
hard.

-- Jeremy Hylton <http://www.python.org/~jeremy/>
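The "connect only on port 80" wrapper the post describes, written out as an added example. This is not code from the post, from Grail, or from rexec/Bastion; rexec and Bastion were later removed from the Python standard library, so the example is plain Python 3 and shows only the interposition half of the story: the supervisor hands untrusted code a RestrictedSocket instead of the real socket module, and the policy check runs before the real connect() is reached. The names ALLOWED_PORTS, PolicyViolation, check_connect_address, RestrictedSocket, RecordingSocket, demo and the sock_factory parameter are all assumptions made for this example, and RecordingSocket is a constructed test double so the block runs offline. One caveat a practitioner should keep in mind: in ordinary CPython nothing stops untrusted code from reaching the wrapped socket through the instance's attributes or importing the real socket module, which is exactly the gap rexec's introspection restrictions and Bastion objects were meant to close; the wrapper enforces a policy, it does not by itself make a sandbox.

```python
import socket

# Hypothetical policy for this example: the only destination port untrusted
# code may connect to. Everything else is refused before any network I/O.
ALLOWED_PORTS = frozenset({80})


class PolicyViolation(PermissionError):
    """Raised when untrusted code asks for something the policy forbids."""


def check_connect_address(address, allowed_ports=ALLOWED_PORTS):
    """Validate a connect() destination against the policy.

    Returns the (host, port) tuple if it is permitted, otherwise raises
    PolicyViolation. Runs on the supervisor's side of the interface, before
    the real socket.connect() is ever reached.
    """
    if not isinstance(address, tuple) or len(address) != 2:
        raise PolicyViolation("only (host, port) addresses are accepted")
    host, port = address
    if isinstance(port, bool) or not isinstance(port, int):
        raise PolicyViolation("port must be an integer")
    if port not in allowed_ports:
        raise PolicyViolation(f"connect to port {port} is not permitted")
    return host, port


class RestrictedSocket:
    """The object handed to untrusted code in place of socket.socket.

    Only outbound TCP connects are possible: bind(), listen(), accept(),
    sendto() and setsockopt() are simply not provided, and connect() is
    interposed with the policy check.
    """

    def __init__(self, allowed_ports=ALLOWED_PORTS, sock_factory=socket.socket):
        self._allowed_ports = frozenset(allowed_ports)
        # sock_factory is hypothetical: it lets the example substitute a
        # test double for a real socket when running offline.
        self._sock = sock_factory(socket.AF_INET, socket.SOCK_STREAM)

    def connect(self, address):
        host, port = check_connect_address(address, self._allowed_ports)
        return self._sock.connect((host, port))

    def sendall(self, data):
        return self._sock.sendall(data)

    def recv(self, bufsize):
        return self._sock.recv(bufsize)

    def close(self):
        return self._sock.close()


class RecordingSocket:
    """Constructed test double standing in for socket.socket so the example
    runs offline: it records calls instead of touching the network."""

    def __init__(self, family, sock_type):
        self.family, self.sock_type = family, sock_type
        self.calls = []

    def connect(self, address):
        self.calls.append(("connect", address))

    def sendall(self, data):
        self.calls.append(("sendall", data))

    def recv(self, bufsize):
        self.calls.append(("recv", bufsize))
        return b"HTTP/1.0 200 OK\r\n"

    def close(self):
        self.calls.append(("close",))


def demo(addresses=(("example.com", 80), ("example.com", 443), ("127.0.0.1", 22))):
    """Push each constructed destination through the wrapper and report
    whether it was allowed and which calls reached the underlying socket."""
    outcome = {}
    for address in addresses:
        recorder = RecordingSocket(socket.AF_INET, socket.SOCK_STREAM)
        sock = RestrictedSocket(sock_factory=lambda *args: recorder)
        try:
            sock.connect(address)
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            outcome[address] = ("allowed", list(recorder.calls))
        except PolicyViolation:
            outcome[address] = ("denied", list(recorder.calls))
    return outcome


if __name__ == "__main__":
    for address, (verdict, calls) in demo().items():
        print(f"{address}: {verdict}, calls seen by real socket: {calls}")
```

Running the block shows the connect to port 80 reaching the underlying socket while the connects to 443 and 22 are refused with nothing recorded, which is the property the post asks the wrapper to provide: the check sits in front of the real call, so a denied request never touches the network.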



More information about the Python-list mailing list