[Python-Dev] Sandboxing Python

Armin Rigo arigo at tunes.org
Sun Mar 4 23:12:50 CET 2012


Hi Greg,

On Sun, Mar 4, 2012 at 22:44, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:

>> Segfaults (most of them) can generally be made into arbitrary code execution,
>
> Can you give an example of how this can be done?

You should find tons of documented examples of various attacks. It's not easy, but it's possible. For example, let's assume we can decref an object to 0 before its last usage, at address x. All you need is the skills and luck to arrange that the memory at x becomes occupied by a new bigger string object allocated at "x - small_number". This is enough to control exactly all the bytes that are put at address x and following, just by choosing the characters of the string. For example the bytes can be built to make address x look like a built-in function object, which you can call --- which will call an arbitrarily chosen address in memory. This is enough to run arbitrary machine code and do anything.

A bientôt,

Armin.
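Added example, not part of the original message and not CPython code: a toy model of the memory reuse described above, confined to a 4-slot arena so nothing touches the real heap. All names (`toy_alloc`, `toy_free`, `stale_tag_after_reuse`) and the poison-and-quarantine variant are assumptions made for illustration; the model only shows whose bytes a stale reference ends up reading.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration: a 4-slot arena stands in for the heap. */
#define SLOT 16
#define NSLOTS 4
#define POISON 0xDD
static uint8_t arena[SLOT * NSLOTS];
static uint8_t state[NSLOTS]; /* 0 = free, 1 = in use, 2 = quarantined */

/* First-fit allocation of n contiguous slots; returns the first slot or -1. */
static int toy_alloc(int n) {
    for (int i = 0; i + n <= NSLOTS; i++) {
        int j = i;
        while (j < i + n && state[j] == 0) j++;
        if (j < i + n) continue;                 /* run blocked by a non-free slot */
        memset(state + i, 1, (size_t)n);
        return i;
    }
    return -1;
}

/* Free one slot; the hardened variant poisons it and withholds it from reuse. */
static void toy_free(int slot, int hardened) {
    if (hardened) memset(arena + slot * SLOT, POISON, SLOT);
    state[slot] = hardened ? 2 : 0;
}

/* Type tag read through a stale reference to x after a bigger string is allocated. */
uint32_t stale_tag_after_reuse(int hardened, uint32_t fill) {
    uint32_t tag = 0x11111111u;                  /* constructed "valid object" tag */
    memset(arena, 0, sizeof arena);
    memset(state, 0, sizeof state);
    int a = toy_alloc(1), x = toy_alloc(1);      /* neighbour, then the object at x */
    memcpy(arena + x * SLOT, &tag, sizeof tag);
    toy_free(a, hardened);
    toy_free(x, hardened);                       /* refcount reached 0 too early */
    int s = toy_alloc(2);                        /* the bigger string, two slots long */
    for (int off = 0; s >= 0 && off < 2 * SLOT; off += 4)
        memcpy(arena + s * SLOT + off, &fill, sizeof fill);
    memcpy(&tag, arena + x * SLOT, sizeof tag);  /* the stale read at x */
    return tag;
}

int main(void) {
    printf("plain: 0x%08x  hardened: 0x%08x\n", (unsigned)stale_tag_after_reuse(0, 0x41414141u),
           (unsigned)stale_tag_after_reuse(1, 0x41414141u));
    return 0;
}
```

With plain reuse the string lands one slot before x and its characters become the object's tag; with poisoning and quarantine the stale read sees a fixed poison pattern instead, which turns a silent type confusion into a recognisable failure.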


