[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
Maciej Fijalkowski fijall at gmail.com
Tue Apr 12 07:38:09 EDT 2016
On Tue, Apr 12, 2016 at 1:14 PM, Jon Ribbens <jon+python-dev at unequivocal.co.uk> wrote:
> On Tue, Apr 12, 2016 at 06:21:04AM -0400, Isaac Morland wrote:
>> On Tue, 12 Apr 2016, Jon Ribbens wrote:
>>>> This is still a massive game of whack-a-mole.
>>>
>>> No, it still isn't. If the names blacklist had to keep being extended
>>> then you would be right, but that hasn't happened so far. Whitelists
>>> by definition contain only a small, limited number of potential moles.
>>>
>>> The only thing you found above that even remotely approaches an
>>> exploit is the decimal.getcontext() thing, and even that I don't
>>> think you could use to do any code execution.
>>
>> "I don't think"? Where's the formal proof?
>
> I disallowed the module completely, that's the proof.
>
>> Without a proof, this is indeed just a game of whack-a-mole.
>
> Almost no computer programs are ever "formally proved" to be secure.
> None of those that run the global Internet are. I don't see why it
> makes any sense to demand that my experiment be held to a massively
> higher standard than the rest of the code everyone relies on every day.
Jon, let me reiterate. You asked people to break it (that's the title of the thread) and they did so almost immediately. Then you patched the thing and asked them to break it again, and they did. Now the faulty assumption here is that this procedure, repeated enough times, will produce a secure environment - this is not how security works. You need to be secure against people who will spend more than 5 minutes and who are not on this list or reading this incredibly long email chain. You can't do that just by asking on the mailing list and whacking all the examples.

As others pointed out, this particular approach (with maybe different details) has been tried again and again and again, and the result has been the same - you end up with either a completely unusable python (the python that can't run anything is trivially secure) or you end up with something that's insecure.

I suggest you look instead at something like the PyPy sandbox, which systematically replaces all external calls with a call to a proxy. Because PyPy is written in RPython, you can do that - the amount of code that needs reviewing is relatively small, a couple of pages of code. The code you need to review in order to be even remotely secure is much larger - it's the amount of C code you can call from your python, with or without knowing that it can happen.
Cheers,
fijal