Security test of embedded Python

Chris Angelico

I'm involved in the construction of an environment that allows end
users to supply scripts which will then run on our servers. We need to
be able to offer the full flexibility of a scripting language, but
without the risk of compromise to our computers. To that end, we have
set up a system with pretty much the same facilities as our live
system will have, and are offering this to the world to hammer on -
and requesting the world's assistance in hunting down bugs.

The environment is Python 3.3a0 embedded in C++, running on Linux.
It's currently home-hosted to keep things simple, with only one port
forwarded to it from our NAT router (so don't bother port scanning,
you aren't looking at Monty).

And yes, that's right. I have no imagination when it comes to names.
Our test box really is called Monty. And to sign up for our forums,
you'll need to prove you're a human by knowing that the name "Python"
goes with "Monty".

Launch page: http://www.pythontest.com/
PHPBB forum: http://www.pythontest.com/forum/
(feedback here please, no need to clutter the python-list)
Actual thing to whump into submission: http://www.pythontest.com:8000/

Find a bug, get noted as a contributor! :)

Thanks!

Chris Angelico
 
Paul Rubin

Chris Angelico said:
> users to supply scripts which will then run on our servers...
> The environment is Python 3.3a0 embedded in C++, running on Linux.

This doesn't sound like a bright idea, given the well-known difficulty
of sandboxing Python.

Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
examples (C++) you might want to try translating to Python and running
on your server. It uses ptrace to control the execution of potentially
hostile code. I don't know if any exploits have been found or whether
it's still active.

Maybe you want to look at Lua. IMHO it's not a very nice language, but
I've heard that it's easy to embed and sandbox.
 
Chris Angelico

> This doesn't sound like a bright idea, given the well-known difficulty
> of sandboxing Python.

So it seems! Less than half an hour after I made the announcement
post, the box had been compromised.

> Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
> examples (C++) you might want to try translating to Python and running
> on your server. It uses ptrace to control the execution of potentially
> hostile code. I don't know if any exploits have been found or whether
> it's still active.

Thanks, will look into it.

> Maybe you want to look at Lua. IMHO it's not a very nice language, but
> I've heard that it's easy to embed and sandbox.

Yeah, I've used Lua before (in a game called Angband), and it's not
that great. But security's more important than ideal language syntax.

I'll also be looking into Pike. Unfortunately its community is far
smaller than Python's, so security holes may be less obvious.

Chris Angelico
 
Paul Rubin

Chris Angelico said:
> I'll also be looking into Pike. Unfortunately its community is far
> smaller than Python's, so security holes may be less obvious.

Actually the most obvious and widespread sandboxed language these days
is Javascript. There's several embeddable implementations. Maybe you
should just use one of those.
 
Chris Angelico

Followup: The test box has been administratively taken offline after
about an hour of testing. Thank you to everyone who participated; it
seems we have a lot of changes to make!

Monty failed the test. But it was an incredibly successful test. And
hopefully, we'll be bringing things back online for another shot once
things are sorted out!

Chris Angelico
 
Benjamin Kaplan

> Actually the most obvious and widespread sandboxed language these days
> is Javascript. There's several embeddable implementations. Maybe you
> should just use one of those.

Use Pyjamas with that and now you have your sandboxed Python :)
 
Chris Angelico

> Use Pyjamas with that and now you have your sandboxed Python :)

Not a day goes past without a reminder that I haven't yet explored Pyjamas! :)

Monty's back online now in a restricted environment. I'm going to a
meeting in a couple of hours where we will decide where to go from
here; between now and then, if anyone can gain filesystem or OS
access, that will probably put the final nail in the coffin of us
using Python.

Meanwhile, I'm looking into V8 and whether we can do everything we
need to that way, and how much dev time it's going to take me to
change languages...

Chris Angelico
 
Paul Rubin

Chris Angelico said:
> Meanwhile, I'm looking into V8 and whether we can do everything we
> need to that way, and how much dev time it's going to take me to
> change languages...

If you want to run Python, one obvious approach is a
controlled-execution wrapper like Geordi uses.
 
Irmen de Jong

> Followup: The test box has been administratively taken offline after
> about an hour of testing. Thank you to everyone who participated; it
> seems we have a lot of changes to make!
>
> Monty failed the test. But it was an incredibly successful test. And
> hopefully, we'll be bringing things back online for another shot once
> things are sorted out!
>
> Chris Angelico

Maybe you should have a look at sandboxed pypy?
http://pypy.org/features.html#sandboxing

(disclaimer: never used it myself)

Irmen
 
