Security test of embedded Python

Discussion in 'Python' started by Chris Angelico, Jun 22, 2011.

  1. I'm involved in the construction of an environment that allows end
    users to supply scripts which will then run on our servers. We need to
    be able to offer the full flexibility of a scripting language, but
    without the risk of compromise to our computers. To that end, we have
    set up a system with pretty much the same facilities as our live
    system will have, and are offering this to the world to hammer on -
    and requesting the world's assistance in hunting down bugs.

    The environment is Python 3.3a0 embedded in C++, running on Linux.
    It's currently home-hosted to keep things simple, with only one port
    forwarded to it from our NAT router (so don't bother port scanning,
    you aren't looking at Monty).

    And yes, that's right. I have no imagination when it comes to names.
    Our test box really is called Monty. And to sign up for our forums,
    you'll need to prove you're a human by knowing that the name "Python"
    goes with "Monty".

    Launch page: http://www.pythontest.com/
    PHPBB forum: http://www.pythontest.com/forum/
    (feedback here please, no need to clutter the python-list)
    Actual thing to whump into submission: http://www.pythontest.com:8000/

    Find a bug, get noted as a contributor! :)

    Thanks!

    Chris Angelico
    Chris Angelico, Jun 22, 2011
    #1

  2. Paul Rubin Guest

    Chris Angelico writes:
    > users to supply scripts which will then run on our servers...
    > The environment is Python 3.3a0 embedded in C++, running on Linux.


    This doesn't sound like a bright idea, given the well-known difficulty
    of sandboxing Python.

    Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
    examples (C++) you might want to try translating to Python and running
    on your server. It uses ptrace to control the execution of potentially
    hostile code. I don't know if any exploits have been found or whether
    it's still active.

    Maybe you want to look at Lua. IMHO it's not a very nice language, but
    I've heard that it's easy to embed and sandbox.
    Paul Rubin, Jun 22, 2011
    #2

  3. On Wed, Jun 22, 2011 at 12:02 PM, Paul Rubin wrote:
    > Chris Angelico writes:
    >> users to supply scripts which will then run on our servers...
    >> The environment is Python 3.3a0 embedded in C++, running on Linux.
    >
    > This doesn't sound like a bright idea, given the well-known difficulty
    > of sandboxing Python.


    So it seems! Less than half an hour after I made the announcement
    post, the box had been compromised.

    > Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
    > examples (C++) you might want to try translating to Python and running
    > on your server.  It uses ptrace to control the execution of potentially
    > hostile code.  I don't know if any exploits have been found or whether
    > it's still active.


    Thanks, will look into it.

    > Maybe you want to look at Lua.  IMHO it's not a very nice language, but
    > I've heard that it's easy to embed and sandbox.


    Yeah, I've used Lua before (in a game called Angband), and it's not
    that great. But security's more important than ideal language syntax.

    I'll also be looking into Pike. Unfortunately its community is far
    smaller than Python's, so security holes may be less obvious.

    Chris Angelico
    Chris Angelico, Jun 22, 2011
    #3
  4. Paul Rubin Guest

    Chris Angelico writes:
    > I'll also be looking into Pike. Unfortunately its community is far
    > smaller than Python's, so security holes may be less obvious.


    Actually the most obvious and widespread sandboxed language these days
    is Javascript. There's several embeddable implementations. Maybe you
    should just use one of those.
    Paul Rubin, Jun 22, 2011
    #4
  5. Followup: The test box has been administratively taken offline after
    about an hour of testing. Thank you to everyone who participated; it
    seems we have a lot of changes to make!

    Monty failed the test. But it was an incredibly successful test. And
    hopefully, we'll be bringing things back online for another shot once
    things are sorted out!

    Chris Angelico
    Chris Angelico, Jun 22, 2011
    #5
  6. On Tue, Jun 21, 2011 at 7:40 PM, Paul Rubin wrote:
    > Chris Angelico writes:
    >> I'll also be looking into Pike. Unfortunately its community is far
    >> smaller than Python's, so security holes may be less obvious.
    >
    > Actually the most obvious and widespread sandboxed language these days
    > is Javascript.  There's several embeddable implementations.  Maybe you
    > should just use one of those.


    Use Pyjamas with that and now you have your sandboxed Python :)
    Benjamin Kaplan, Jun 22, 2011
    #6
  7. On Wed, Jun 22, 2011 at 1:09 PM, Benjamin Kaplan wrote:
    > Use Pyjamas with that and now you have your sandboxed Python :)


    Not a day goes past without a reminder that I haven't yet explored Pyjamas! :)

    Monty's back online now in a restricted environment. I'm going to a
    meeting in a couple of hours where we will decide where to go from
    here; between now and then, if anyone can gain filesystem or OS
    access, that will probably put the final nail in the coffin of us
    using Python.

    Meanwhile, I'm looking into V8 and whether we can do everything we
    need to that way, and how much dev time it's going to take me to
    change languages...

    Chris Angelico
    Chris Angelico, Jun 22, 2011
    #7
  8. Paul Rubin Guest

    Chris Angelico writes:
    > Meanwhile, I'm looking into V8 and whether we can do everything we
    > need to that way, and how much dev time it's going to take me to
    > change languages...


    If you want to run Python, one obvious approach is a
    controlled-execution wrapper like Geordi uses.
    Paul Rubin, Jun 22, 2011
    #8
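
A sketch of the kind of ptrace-based controlled-execution wrapper mentioned in the post above, added here as an illustration; it is not code from the thread or from Geordi. It assumes x86-64 Linux, and `run_supervised`, `job_ok`, `job_bad` and the three-syscall allow-list are hypothetical names and policy chosen for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

typedef void (*job_fn)(void);   /* hypothetical stand-in for the untrusted script */
static int allowed(long nr) {   /* example policy: write output and exit, nothing else */
    return nr == SYS_write || nr == SYS_exit || nr == SYS_exit_group;
}

/* Returns the job's exit status, -1 if the policy killed it, -2 if fork failed. */
int run_supervised(job_fn job) {
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        kill(getpid(), SIGSTOP);            /* stop so the tracer is in place before job() */
        job();
        _exit(0);
    }
    int status, entering = 1;
    waitpid(pid, &status, 0);               /* child is now in its SIGSTOP stop */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);   /* run to the next syscall entry or exit */
        waitpid(pid, &status, 0);
        if (!WIFSTOPPED(status)) return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        int denied = WSTOPSIG(status) != (SIGTRAP | 0x80);  /* any non-syscall stop */
        if (!denied && entering) {
            struct user_regs_struct regs;
            ptrace(PTRACE_GETREGS, pid, NULL, &regs);
            denied = !allowed((long)regs.orig_rax);  /* x86-64: syscall number at entry */
        }
        if (denied) {                       /* killed at entry, so the call never executes */
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return -1;
        }
        entering = !entering;               /* syscall stops alternate entry / exit */
    }
}

void job_ok(void)  { if (write(STDOUT_FILENO, "hello\n", 6) < 0) _exit(1); }
void job_bad(void) { (void)open("/etc/hostname", O_RDONLY); }  /* filesystem access attempt */
int main(void) { return !(run_supervised(job_ok) == 0 && run_supervised(job_bad) == -1); }
```

Because `fork` and `clone` are not on the allow-list, the supervised job cannot create untraced children; a wrapper that permits them would also need to follow the new processes and inspect syscall arguments, not just numbers.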
  9. Dennis Guest

    Dennis, Jun 22, 2011
    #9
  10. On 22-6-2011 4:44, Chris Angelico wrote:
    > Followup: The test box has been administratively taken offline after
    > about an hour of testing. Thank you to everyone who participated; it
    > seems we have a lot of changes to make!
    >
    > Monty failed the test. But it was an incredibly successful test. And
    > hopefully, we'll be bringing things back online for another shot once
    > things are sorted out!
    >
    > Chris Angelico


    Maybe you should have a look at sandboxed pypy?
    http://pypy.org/features.html#sandboxing

    (disclaimer: never used it myself)

    Irmen
    Irmen de Jong, Jun 22, 2011
    #10
