On Nov 15, 2013, at 12:34 PM, Victor Stinner wrote:
> 2013/11/15 Trent Nelson <tr...@snakebite.org>:
>> This sounds a lot like the work I initially did with PyParallel to
>> try and intercept/prevent parallel threads mutating main-thread
>> objects.
>>
>> I ended up arriving at a much better solution by just relying on
>> memory protection; main thread pages are set read-only prior to
>> parallel threads being able to run. If a parallel thread attempts
>> to mutate a main thread object; a SEH is raised (SIGSEV on POSIX),
>> which I catch in the ceval loop and convert into an exception.
>
> Read-only is not enough, an attack must not be able to read sensitive data.
Well you could remove both write *and* read perms from pages, such that you
would trap on read attempts too. What's an example of sensitive data that
you'd need to have residing in the same process that you also want to sandbox?
I was going to suggest something like:
with memory.protected:
htpasswd = open('htpasswd', 'r').read()
...
But then I couldn't think of why you'd persist the sensitive data past the
point you'd need it.
> Protections of memory pages sound very low-level, so not very portable :-/
It's a pretty fundamental provision provided by operating systems; granted, the
interface differs (mprotect() versus VirtualProtect()), but the result is the
same.
> How do you know fif SIGSEGV comes from a legal call (parallel thread
> thing) or a real bug?
You don't, but it doesn't really matter. It'll be pretty obvious from looking
at the offending line of code in the exception whether it was a legitimate
memory protection error, or a bug in an extension module/CPython internals.
And having a ProtectionError bubble all the way back up to the top of the stack
with exact details about the offending frame/line could be considered a nicer
alternative to dumping core ;-) (Unless you happen to be in an `except: pass`
block.)
> Victor
Trent.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
