Matthew Keeter <matt.j.kee...@gmail.com> writes: > I’m currently embedding Python in a C / C++ application that evaluates > user-provided scripts. > > Obviously, this is terribly unsafe: user-provided scripts can execute > arbitrary malicious actions, > and there’s no good way to sandbox Python in a desktop context. > > If I were to replace Python with Guile, is there a way to sandbox it so that > arbitrary (perhaps > malicious) user-provided scripts can be run safely?
Well, I would use ecl (Embeddable Common Lisp) rather, but the problem is not specific to a language. To ensure "safety", you need to _control_ things. Using a general algorithmic programming language with OS or platform interfaces will never be safe. What you need is to write your own implementation. It doesn't matter of what language. For example, you could take pypy, expurge it from the "dangerous" operations and go on with the resulting restricted python. Or you could do the same with guile or Common Lisp. The advantage of the later languages, is that it is easier to write languages in them, reusing parts of the existing infrastructure. I imagine the same can be done with pypy. On the other hand, if you mix metalinguistic layers, you may introduce leaking bugs. Ultimately, the problem comes down to the fact that the underlying hardware and OS layer is not safe itself. One easy way to allow potentially hostile code to run, is to make it run in a chroot, nope, we know it's not safe, so in its own virtual machine (either on an hypervisor or a qemu or simular), but, nope, we know it's not safe (there are exploitable bugs in hypervisors and qemu, etc). So you need to implement a language that won't provide any unwanted OS/platform API and that won't provide any way to generate code accessing to any unwanted feature, and that still allows user to write useful programs, while making no mistake; and since it will run on an unsafe platform, how will you ensure that a program written in your language will never be able to have any nefarious side effects? For example, the x86 MMU is turing complete. How do you ensure that there is no way any program written in your language will not have the side effect of introducing a nefarious program in the underlying MMU? Perhaps it would be easier to select good users, and just give them full Common Lisp with ecl (or full guile). -- __Pascal Bourguignon__ http://www.informatimago.com/ “The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The dog will be there to keep the man from touching the equipment.” -- Carl Bass CEO Autodesk