Newbie query about secure embedded python

Richard Dwan richardmartindwan at yahoo.co.uk
Tue Jan 2 09:41:34 EST 2007 

(Originally incorrectly posted to C++ SIG mailing
list)

Hello,

First let me apologise if this question is obvious -
I've never embedded python before and I am deciding of
it meets my needs.



My question is; is there a secure python interpreter
that prevents malicious code from using C/C++ modules
or built-in functions from causing damage to a users
system.


My objective is to have an embedded interpreted
language to drive all non CPU intensive application
behaviour with user / downloadable scripts to
customise the UI / scripting processing.

My concern with a simply embedding python is that this
would give arbitrary scripts the ability to make
system level changes (e.g. destructive abilities using
file access).  As I wish to encourage scripts to be
shared across the Internet this could not be
tolerated.

Python provides a very good script language to which I
can expose application specific functions/objects
using the already documented methods.  To use Python
with the above security restrictions I would need to
be able to disable all file / system built-ins when
running the interpreter across user scripts. In
addition, importing C/C++ functions would have to be
disabled as well.  As a complication, a set of
'approved C/C++ functions' such as numpy would need to
be supported in order to allow the user to do 'useful
processing' within the scripts driving the
application.

My naive solution would be to customise the
'PyImport_Import' and 'PyObject_CallObject' routines
used with user scripts so that:
--- an imported C/C++ module would be checked against
an approved list to prevent arbitrary C/C++ code from
being executed
--- built-in function calls would be checked against
an approved list to prevent system damaging calls from
being made
--- the application API that is exposed to the user
code must not expose to scripts a way of damaging
anything more than the data currently being
'processed'
--- the application would have to ensure that user
code is only executed within the secure interpreter
scope (e.g. not use callbacks to user script code
outside the secure interpreter)

Has the necessary secure python interpreter already
been created / a work in progress?



Many thanks for any advice you can give me,
Richard

Send instant messages to your online friends http://uk.messenger.yahoo.com

More information about the Python-list mailing list