Running insecure python code
Noen
not.available at na.no
Thu Feb 26 13:23:09 EST 2004
I'm developing a game where the players will program their equipment with
Python. Are there any ways to run insecure code? I don't want the clients
to mess with the server-code through their own code, or even DoS the box
by using up too much memory.

Here are some examples of how the equipment should be programmed:
---
# Proximity explosive example
import cpu

explosive = cpu.connection(0x01,"explosive")
motion_detector = cpu.connection(0x02,"explosive")

class Main:
    def __init__(self):
        # Register the handler once an instance (and therefore self) exists
        cpu.reg_event(motion_detector.event_Motion, self.event_Motion)

    def event_Motion(self):
        explosive.trigger(delay=0)

main = Main()
cpu.start()
---
# Broadcast chat equipment
import cpu
import io

terminal = cpu.connection(0x01,"User personal terminal connection")
radio = cpu.connection(0x02,"Radio tranceiver")
mem = cpu.connection(0x03,"Memory chip")

# Store a default frequency the first time the equipment runs
if mem.get("FREQ") is None:
    freq = 12345
    mem.store("FREQ",12345)

class Main:
    def __init__(self):
        # Register the handlers once an instance (and therefore self) exists
        cpu.reg_event(radio.receive, self.event_Message)
        cpu.reg_event(terminal.input, self.event_Input)

    def event_Message(self,message):
        terminal.write(message + "\r\n")

    def event_Input(self,data):
        if data[0] == "/":
            # Input starting with "/" is a command; anything else is broadcast
            if data[1:].split()[0].upper() == "CHANNEL":
                radio.setFreq(int(data.split()[2]))
                mem.store("FREQ",int(data.split()[2]))
        else:
            radio.send(data)

# Instantiate and start, as in the first example
main = Main()
cpu.start()
---
I see the following problems:

1. looping code
Is there any way to avoid this by checking the "eip" within a usercode?
Is it possible to multiplex between user codes to avoid this?
Is it possible to limit execution speed (set the cpu to 5 instructions
per second)?

2. blocking code / untrusted/insecure code
Is there an effective way to limit the functions available to the usercode?
(perhaps like the Java securityhandler way)

3. memory-dos
Limiting the storage size (or even forcing the user to store EVERYTHING
in the mem object)

I don't know if this is even possible (without modifying the Python
source, which would force me to perhaps separate server code and user code)
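
Added example, not part of the original post: one way to bound problems 1 and 3 (and code that simply blocks) is to run each player's script in its own interpreter process under kernel-enforced limits, so no change to the Python source is needed. It assumes Linux and Python 3; the function names, the limit values and the sample scripts are constructed for illustration.

```python
import resource
import subprocess
import sys

# Assumed budgets for one script run (constructed values, tune per game).
CPU_SECONDS = 1                    # runaway loops (problem 1)
MEMORY_BYTES = 256 * 1024 * 1024   # memory DoS (problem 3)
WALL_SECONDS = 10                  # code that blocks without burning CPU


def _cap(kind, value):
    """Lower one rlimit; an unprivileged process cannot exceed its hard limit."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def _apply_limits():
    """Runs in the child after fork() and before exec(); the kernel enforces it."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, MEMORY_BYTES)


def run_player_script(source, wall_seconds=WALL_SECONDS):
    """Run one player's script in its own interpreter; return (status, stdout)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-S", "-c", source],
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=wall_seconds, preexec_fn=_apply_limits,
        )
    except subprocess.TimeoutExpired:
        return "wall-timeout", ""
    if proc.returncode < 0:        # terminated by a signal, e.g. the CPU limit
        return "killed", proc.stdout
    if proc.returncode != 0:       # uncaught exception, e.g. MemoryError
        return "error", proc.stdout
    return "ok", proc.stdout


if __name__ == "__main__":
    samples = {                    # constructed player scripts
        "benign": "print('tick')",
        "looping": "while True: pass",
        "memory hog": "x = bytearray(10**9)",
        "blocking": "import time; time.sleep(30)",
    }
    for name, src in samples.items():
        print(name, run_player_script(src, wall_seconds=3))
```

This bounds CPU time, memory and wall-clock time only; it does not restrict which functions, files or network endpoints a script can reach (problem 2), which needs separate OS-level confinement around the child process.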