On Mon, Mar 5, 2012 at 1:21 PM, Greg Ewing <greg.ew...@canterbury.ac.nz> wrote: > Armin Rigo wrote: >> >> For example, let's assume we can decref >> a object to 0 before its last usage, at address x. All you need is >> the skills and luck to arrange that the memory at x becomes occupied >> by a new bigger string object allocated at "x - small_number". > > > That's a lot of assumptions. When you claimed that *any* segfault > bug could be turned into an arbitrary-code exploit, it sounded > like you had a provably general procedure in mind for doing so, > but it seems not. > > In any case, I think Victor is right to object to his sandbox > being shot down on such grounds. The same thing equally applies > to any method of sandboxing any computation, whether it involves > Python or not. Even if you fork a separate process running code > written in Befunge, it could be prone to this kind of attack if > there is a bug in it. > > What you seem to be saying is "Python cannot be sandboxed, > because any code can have bugs." Or, "Nothing is ever 100% secure, > because the universe is not perfect." Which is true, but not in > a very interesting way.
Not all of segfaults are exploitable, but most of them are. Some are super trivial (like the one armin explained, where it takes ~few hours for a skilled person), or some are only research paper kind of proof of concepts (double free is an example). I strongly disagree that sandbox is secure because it's "just segfaults" and "any code is exploitable that way". Finding segfaults in CPython is "easy". As in all you need is armin, a bit of coffee and a free day. Reasons for this vary, but one of those is that python is a large code base that does not have automatic ways of preventing such issues like C-level recursion. For a comparison, PyPy sandbox is a compiled from higher-level language program that by design does not have all sorts of problems described. The amount of code you need to carefully review is very minimal (as compared to the entire CPython interpreter). It does not mean it has no bugs, but it does mean finding segfaults is a significantly harder endeavour. There are no bug-free programs, however having for example to segfault an arbitrary interpreter *written* in Python would be significantly harder than one in C, wouldn't it? Cheers, fijal _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
