Python "sub-interpreter," security

faulkner faulkner612 at comcast.net
Mon Jun 26 02:12:46 EDT 2006


http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496746

jvvhie at gmail.com wrote:
> Hello, I am writing a pure-Python game engine that interprets the code
> of game objects within the same process with the exec statement. My
> main goal is to make as much power available as possible and exec seems
> like the best way to do that.
>
> This is my "proof-of-concept" code (only 18 lines and some whitespace,
> including the test):
>
> http://people.ucsc.edu/~jhofmann/programmables.py
>
> I showed this to the Pygame list and received some interest and a
> completely different, more sophisticated implementation:
>
> http://codereactor.net/~shang/interpret/
>
> As-is, both versions are wide-open security holes. I think that I can
> patch them up if I run checks on the statements and eliminate all
> language features that pose risks. Then, features that are useful but
> not needed at their full capacity can be accessed through functions
> designed to be secure. Forcing a crash is not considered an exploit for
> this purpose (since it's a game engine - if it crashes, the user can
> recover and lose no data).
>
> What I'd like to know is, is it possible to meet this level of
> security, and if so, which features have to be eliminated?
>
> The two that I'm sure should go are module imports and self-modifying
> code. But in the latter case, I don't know all the ways that might be
> done. It seems like a very complicated problem, and if I can't solve it
> I might leave the whole thing unsecured.
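
An AST pre-check of the kind the original poster describes (reject imports, name rebinding tricks and interpreter introspection before handing the statements to exec), written as an added example rather than code from the post, the linked scripts or the recipe; the game-object source and the `api` dict are constructed. In CPython a filter like this narrows the surface for accidental misuse but is not a hard isolation boundary, which is exactly the open question in the thread.

```python
import ast

# Statement kinds the poster wants gone: imports, plus global/nonlocal,
# which let object code rebind names in the engine-provided namespace.
FORBIDDEN_NODES = (ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal)
# Builtins that re-enter the compiler or reach the host interpreter.
FORBIDDEN_CALLS = {"exec", "eval", "compile", "__import__", "open",
                   "getattr", "setattr", "delattr", "globals", "locals", "vars"}


class UnsafeCode(ValueError):
    """Raised when game-object source uses a rejected language feature."""


def check_source(source: str) -> ast.Module:
    """Parse source and reject rejected constructs; return the AST."""
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, FORBIDDEN_NODES):
            raise UnsafeCode(f"{type(node).__name__} at line {node.lineno}")
        # Dunder attributes/names (__class__, __builtins__, ...) are the
        # usual route to introspection and self-modifying code.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise UnsafeCode(f"attribute {node.attr!r} at line {node.lineno}")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise UnsafeCode(f"name {node.id!r} at line {node.lineno}")
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in FORBIDDEN_CALLS):
            raise UnsafeCode(f"call {node.func.id!r} at line {node.lineno}")
    return tree


def is_safe(source: str) -> bool:
    """True if the source passes the pre-check and parses."""
    try:
        check_source(source)
    except (UnsafeCode, SyntaxError):
        return False
    return True


def run_game_object(source: str, api: dict) -> dict:
    """Check, then exec with only the engine-supplied api as builtins."""
    code = compile(check_source(source), "<game-object>", "exec")
    namespace = {"__builtins__": dict(api)}   # no default builtins
    exec(code, namespace)
    return {k: v for k, v in namespace.items() if k != "__builtins__"}


# Constructed sample game object: plain data and a handler function.
SAMPLE_OBJECT = """
hp = 10
def on_hit(damage):
    return max(hp - damage, 0)
"""
```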



