494
Comment:
|
2979
Added sandbox links.
|
Deletions are marked like this. | Additions are marked like this. |
Line 2: | Line 2: |
== tav's jail == http://tav.espians.com/a-challenge-to-break-python-security.html * Remove evil attributes like frame.f_globals or object.__subclasses__ * Remove evil builtins like compile(), import() or reload() == Zope security == http://svn.zope.org/zope.security/trunk/src/zope/security/ * Sandboxing * Object proxies |
|
Line 5: | Line 19: |
Nicole King (cats-muvva.net) wrote a taint mode for CPython 3.0: http://www.cats-muvva.net/software/ | Nicole King (cats-muvva.net) wrote a taint mode for CPython 3.0: [[http://www.cats-muvva.net/software/|Python Taint Management]]. |
Line 13: | Line 27: |
See also the presentation: [[http://us.pycon.org/common/talkdata/PyCon2007/062/PyCon_2007.pdf|Securing Python: Controling the abilities of the interpreter]], PyCon US 2007, Brett Cannon and Eric Wohlstadter Related issue: [[http://bugs.python.org/issue500698|Taint a la Perl?]]. == Python Security Response Team == Some members: * Brett Cannon Email: security AT python.org == Controlling Access to Resources Within The Python Interpreter == * URL: [[http://sayspy.blogspot.com/2007/04/python-security-paper-online.html|Python security paper online]] * Paper: [[http://www.cs.ubc.ca/~drifty/papers/python_security.pdf|Controlling Access to Resources Within The Python Interpreter]], Brett Cannon and Eric Wohlstadter, University of British Columbia == Sandboxing == * PyPy project: [[http://codespeak.net/pypy/dist/pypy/doc/sandbox.html|PyPy's sandboxing features]]. * [[http://mail.python.org/pipermail/python-dev/2008-September/082475.html|CapPython]] is an object-capability subset of Python, inspired by Joe-E and Caja/Cajita, which are object-capability subsets of Java and Javascript respectively. * SandboxedPython * [[How can I run an untrusted Python script safely (i.e. Sandbox)]] == Unsafe modules == * os.kill(), os.chown(), os.unlink(), ... * imageop: many bugs * [[http://bugs.python.org/issue1179|CVE-2007-4965: Integer overflow in imageop module]] (2007-09 .. 2008-08) * [[http://bugs.python.org/issue4317|Buffer overflow in imageop module]] (rgb2rgb8): fixed in Python 2.6.1 and Python 3.0 == Restricted == * Deprecated (disabled?) since Python 2.3 * http://docs.python.org/library/restricted.html * http://docs.python.org/library/rexec.html * http://docs.python.org/library/bastion.html == Fuzzing == Victor Stinner wrote a fuzzer called [[http://fusil.hachoir.org/trac/|Fusil]] to test Python. It already helped to fix many bugs. fusil-python works on Python 2.4 .. 3.0. Fusil was also used on PyPy ([[http://morepypy.blogspot.com/2008/07/finding-bugs-in-pypy-with-fuz.html|Finding Bugs in PyPy with a Fuzzer]]). |
Notes about Python Security.
tav's jail
http://tav.espians.com/a-challenge-to-break-python-security.html
Remove evil attributes like frame.f_globals or object.subclasses
- Remove evil builtins like compile(), import() or reload()
Zope security
http://svn.zope.org/zope.security/trunk/src/zope/security/
- Sandboxing
- Object proxies
Taint mode
Nicole King (cats-muvva.net) wrote a taint mode for CPython 3.0: Python Taint Management.
Problems:
amaury: The patch is indeed huge!
fijall: it seems that every function that returns a PyObject must be modified
fijall: need to patch (...) all places that might modify anything. (All side effects)
=> ncoghlan: PyPy is still a *much* better platform for that kind of experimentation than CPython
See also the presentation: Securing Python: Controling the abilities of the interpreter, PyCon US 2007, Brett Cannon and Eric Wohlstadter
Related issue: Taint a la Perl?.
Python Security Response Team
Some members:
- Brett Cannon
Email: security AT python.org
Controlling Access to Resources Within The Python Interpreter
Paper: Controlling Access to Resources Within The Python Interpreter, Brett Cannon and Eric Wohlstadter, University of British Columbia
Sandboxing
PyPy project: PyPy's sandboxing features.
CapPython is an object-capability subset of Python, inspired by Joe-E and Caja/Cajita, which are object-capability subsets of Java and Javascript respectively.
How can I run an untrusted Python script safely (i.e. Sandbox)
Unsafe modules
- os.kill(), os.chown(), os.unlink(), ...
- imageop: many bugs
CVE-2007-4965: Integer overflow in imageop module (2007-09 .. 2008-08)
Buffer overflow in imageop module (rgb2rgb8): fixed in Python 2.6.1 and Python 3.0
Restricted
- Deprecated (disabled?) since Python 2.3
Fuzzing
Victor Stinner wrote a fuzzer called Fusil to test Python. It already helped to fix many bugs. fusil-python works on Python 2.4 .. 3.0.
Fusil was also used on PyPy (Finding Bugs in PyPy with a Fuzzer).