Creating a reliable sandboxed Python environment
Laura Creighton
lac at openend.se
Sat May 30 07:24:49 EDT 2015
In a message of Sat, 30 May 2015 19:00:14 +1000, "Steven D'Aprano" writes:
>I wouldn't have imagined that the claim "it's easier to secure a small
>language with a few features than a big language with lots of features"
>would have been so controversial. I wonder if this claim will be equally as
>controversial?
>
>There is a rough correlation between the number of lines of code in a code
>base, and the number of potential security holes that need to be guarded
>against.
Maybe these aren't controversial if you are doing langauge level
sandboxing, but you don't have to sandbox like that. Consider, for a
moment, the sandboxing technique used by PyPy
discussed at
http://pypy.readthedocs.org/en/latest/sandbox.html
You think it is way cool, but, alas, you want to sandbox some other
language than Python.
What do you do? You write an interpreter for this language in
RPython. Clearly, writing such a thing will be a lot easier for 'the
toy language that does hardly anything I invented this morning' as
opposed to 'javascript that is expected to operate in the real world'
but this has nothing to do with the security aspects of the two
langauges. You'd have the exact same problem of difficulty even if
you never intend to sandbox the thing at all. The sandboxing
aspects will happen, automatically, as soon as you have a
written a working interpreter. The layer that provides the security
doesn't care about your target language, just as long as it is written in
RPython.
As a point of fact, We've _already got_ Topaz, a Ruby interpreter,
Hippy, a PHP interpreter, a Prolog interpreter, a Smalltalk
interpeter, and a javascript interpreter. Recently we got Pyket a
Racket compiler. There also exist plenty of experimental languages
written by academic langauge designers, and other crazy people who
like such things. But don't ask the PyPy project about hard is it to
sandbox one versus the other. From our point of view, they all cost
the same -- free, as in _already done for you_, same as you get a JIT
for free, and pluggable garbage collectors for free, etc. etc.
If you find this stuff interesting, come check it out.
Laura
More information about the Python-list
mailing list