On Wed, Oct 16, 2013 at 11:32 PM, Klaus Trainer <[email protected]> wrote:

> Hi there!
>
> You might want to check out Try Erlang (http://www.tryerlang.org/). That is, you can't check out the source code right now. However, according to the FAQ (http://www.tryerlang.org/faq) they "plan to release the whole project as Open Source very soon". I guess that nagging Roberto Aloi (who's the principal author) might speed that up ;)
>
> Regarding sandbox security: I believe that it is possible to implement a sandbox thing that provides reasonable security, as long as your whitelist is restrictive enough. That is, one has to be pretty cautious regarding the whitelist policy, especially when it comes to functions that have the ability to construct new terms, like for instance `list_to_atom/1` or `binary_to_term/1,2`. The former makes it possible to fill up the Erlang VM's atom table, which makes it prone to DoS attacks. The latter has a "safe" mode (when being invoked with the `safe` option), though, but still allows one to create function references, which can be exploited (see http://aloiroberto.wordpress.com/2010/10/14/how-they-tried-to-fool-tryerlang-org/).
>
> Oh, I've used the term "reasonable security" above. I should explain (at least roughly) what I mean with that ;) For example, Try Erlang has existed (and been online) for several years now, and people haven't found something exploitable, except for one time more than three years ago. Depending on your security needs, your knowledge of Erlang, your knowledge of the sandbox code, and other known facts as well as your general level of paranoia, this might be enough for you to trust it.
>
>
> Klaus

On Linux a simpler way would be launching an external command in a cgroup, with cgexec from libcgroup or stuff like https://github.com/thestinger/playpen. Rather than try to filter any call, you could then forbid some devices, the network and such...

- benoit

> On 10/16/2013 08:48 PM, Paul Davis wrote:
> > There have been discussions on figuring out how to sandbox Erlang. The biggest thing on that front was that we'd want it to be a whitelist as opposed to a blacklist of modules and/or module/function pairs. The second is that with dynamic invocation it's not immediately apparent if that's entirely possible to do.
> >
> > On Wed, Oct 16, 2013 at 10:39 AM, Chris Keele <[email protected]> wrote:
> >> Hey everyone! I'm trying to develop a sandbox for Elixir, and I wanted to see how such a library might prove useful to the CouchDB dev community.
> >>
> >> My initial goal is just to be able to run a string of code in a predefined environment with configurable modules disabled, returning all output. But I'd like to design it for bigger things from the ground up, so I was wondering what sorts of requirements you might have of a sandbox library if you wanted to, say, implement a secure view processor.
> >>
> >> I've started a discussion thread here: https://groups.google.com/forum/#!topic/elixir-lang-talk/wA1l74HCZmI, but I'm particularly interested in your opinions!
> >> --
> >> Chris Keele
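As an added example (not code from this thread, from Try Erlang, or from CouchDB) of the whitelist policy Paul and Klaus describe, the following Erlang module statically walks the parsed abstract syntax tree of a submitted snippet and rejects any call outside an illustrative `{Module, Function, Arity}` whitelist, any call whose module or function is not a literal atom (the dynamic invocation Paul mentions), and any fun expression or `fun M:F/A` reference. The module name and the whitelist contents are assumptions; a static check like this complements, rather than replaces, the OS-level isolation benoit suggests.

```erlang
%% Added example: static whitelist check for a sandboxed Erlang snippet.
%% Assumed: the snippet is a sequence of expressions ending in a dot, and
%% the whitelist below is illustrative, not a real sandbox policy.
-module(sandbox_check).
-export([check/1, allowed/3]).

%% Whitelist of {Module, Function, Arity}. Term-constructing BIFs such as
%% list_to_atom/1 (atom table exhaustion) and binary_to_term/1,2 (can still
%% yield function references even with `safe`) are deliberately absent.
allowed(lists, reverse, 1) -> true;
allowed(lists, seq, 2) -> true;
allowed(erlang, length, 1) -> true;
allowed(_, _, _) -> false.

%% check(Source) -> ok | {error, Reason}
check(Source) ->
    {ok, Tokens, _} = erl_scan:string(Source),
    {ok, Exprs} = erl_parse:parse_exprs(Tokens),
    try lists:foreach(fun walk/1, Exprs), ok
    catch throw:Reason -> {error, Reason}
    end.

%% Remote call with literal module and function: consult the whitelist.
walk({call, _, {remote, _, {atom, _, M}, {atom, _, F}}, Args}) ->
    ensure(M, F, length(Args)), lists:foreach(fun walk/1, Args);
%% Unqualified call: auto-imported BIFs live in module erlang.
walk({call, _, {atom, _, F}, Args}) ->
    ensure(erlang, F, length(Args)), lists:foreach(fun walk/1, Args);
%% Module or function given by a variable or expression is dynamic
%% invocation the whitelist cannot reason about: reject outright.
walk({call, _, _Callee, _Args}) -> throw(dynamic_call);
%% Anonymous funs and `fun M:F/A` produce function references: reject.
walk({'fun', _, _}) -> throw(fun_reference);
walk({named_fun, _, _, _}) -> throw(fun_reference);
%% Everything else (operators, literals, matches, lists): recurse into
%% the children so nested calls are still inspected.
walk(Node) when is_tuple(Node) -> lists:foreach(fun walk/1, tuple_to_list(Node));
walk(List) when is_list(List) -> lists:foreach(fun walk/1, List);
walk(_Leaf) -> ok.

ensure(M, F, A) ->
    case allowed(M, F, A) of
        true -> ok;
        false -> throw({forbidden, {M, F, A}})
    end.
```

From an Erlang shell, `sandbox_check:check("lists:reverse([1,2,3]).")` returns `ok`, whereas a snippet calling `list_to_atom/1` returns `{error, {forbidden, {erlang, list_to_atom, 1}}}` and one calling `M:F(Args)` with variable `M` and `F` returns `{error, dynamic_call}`.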
