Newbie query about secure embedded python

Richard Dwan

(Originally incorrectly posted to C++ SIG mailing
list)

Hello,

First let me apologise if this question is obvious;
I've never embedded Python before and I am deciding if
it meets my needs.



My question is: is there a secure Python interpreter
that prevents malicious code from using C/C++ modules
or built-in functions to cause damage to a user's
system?


My objective is to have an embedded interpreted
language to drive all non CPU intensive application
behaviour with user / downloadable scripts to
customise the UI / scripting processing.

My concern with simply embedding Python is that this
would give arbitrary scripts the ability to make
system-level changes (e.g. destructive abilities using
file access). As I wish to encourage scripts to be
shared across the Internet this could not be
tolerated.

Python provides a very good script language to which I
can expose application specific functions/objects
using the already documented methods. To use Python
with the above security restrictions I would need to
be able to disable all file / system built-ins when
running the interpreter across user scripts. In
addition, importing C/C++ functions would have to be
disabled as well. As a complication, a set of
'approved C/C++ functions' such as numpy would need to
be supported in order to allow the user to do 'useful
processing' within the scripts driving the
application.

My naive solution would be to customise the
'PyImport_Import' and 'PyObject_CallObject' routines
used with user scripts so that:
--- an imported C/C++ module would be checked against
an approved list to prevent arbitrary C/C++ code from
being executed
--- built-in function calls would be checked against
an approved list to prevent system damaging calls from
being made
--- the application API that is exposed to the user
code must not expose to scripts a way of damaging
anything more than the data currently being
'processed'
--- the application would have to ensure that user
code is only executed within the secure interpreter
scope (e.g. not use callbacks to user script code
outside the secure interpreter)

Has the necessary secure Python interpreter already
been created, or is one a work in progress?



Many thanks for any advice you can give me,
Richard

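The two allowlist checks Richard sketches (approved modules, approved built-ins, with the application API handed to the script explicitly) written out in pure Python, as an added example; this is not code from the thread or from CPython. The module names, built-in names, the `get_data` API function and the three sample scripts are all constructed for the demonstration. It shows the mechanics of gating `import` and the built-in namespace for a script run with `exec`; the practical caveat is that a gate living in the same interpreter as the script is a guard against accidental damage rather than a security boundary, since the script shares the host's memory and object graph.

```python
"""Allowlist gate for untrusted scripts run in-process (constructed example)."""
import builtins
import types

# Stand-ins for the 'approved C/C++ modules' and 'approved built-ins' lists.
APPROVED_MODULES = {"math", "json"}
APPROVED_BUILTINS = {
    "abs", "len", "range", "min", "max", "sum", "sorted", "enumerate", "zip",
    "str", "int", "float", "bool", "list", "dict", "tuple", "set", "isinstance",
    "print", "ValueError", "TypeError",
}


class ScriptSecurityError(Exception):
    """Raised when a user script touches something outside the allowlists."""


def make_guarded_import(approved):
    """Build an __import__ replacement that only admits approved module names.

    In an embedding this is the check Richard describes putting around
    PyImport_Import; here it sits in the script's __builtins__ instead.
    """
    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        if level != 0 or name not in approved:
            raise ScriptSecurityError(f"import of {name!r} is not approved")
        module = builtins.__import__(name, globals, locals, fromlist, level)
        # 'from pkg import sub' can pull in a submodule via fromlist; apply the
        # same allowlist to those before the script can see them.
        for item in fromlist or ():
            attr = getattr(module, item, None)
            if isinstance(attr, types.ModuleType) and f"{name}.{item}" not in approved:
                raise ScriptSecurityError(f"import of {name}.{item} is not approved")
        return module
    return guarded_import


def build_restricted_globals(app_api):
    """Globals for a user script: approved built-ins plus the application API only."""
    safe_builtins = {n: getattr(builtins, n) for n in APPROVED_BUILTINS}
    safe_builtins["__import__"] = make_guarded_import(APPROVED_MODULES)
    env = {"__builtins__": safe_builtins, "__name__": "user_script"}
    env.update(app_api)  # the only application objects the script can reach
    return env


def run_user_script(source, app_api):
    """Run one script; return ("ok", value of `result`) or ("blocked", reason)."""
    env = build_restricted_globals(app_api)
    try:
        exec(compile(source, "<user_script>", "exec"), env)
    except ScriptSecurityError as exc:
        return ("blocked", str(exc))
    except NameError as exc:  # a built-in missing from the allowlist shows up here
        return ("blocked", f"built-in not approved: {exc}")
    return ("ok", env.get("result"))


# Constructed application API and sample scripts.
SAMPLE_API = {"get_data": lambda: [3, 1, 2]}

BENIGN_SCRIPT = """
import math
result = sorted(v * math.pi for v in get_data())
"""
FORBIDDEN_IMPORT_SCRIPT = "import os\nresult = os.getcwd()"
FORBIDDEN_BUILTIN_SCRIPT = "result = open('somefile').read()"

if __name__ == "__main__":
    for label, script in [("benign", BENIGN_SCRIPT),
                          ("forbidden import", FORBIDDEN_IMPORT_SCRIPT),
                          ("forbidden built-in", FORBIDDEN_BUILTIN_SCRIPT)]:
        print(label, "->", run_user_script(script, SAMPLE_API))
```

The benign script reaches `math` and `get_data` and nothing else; `import os` is refused by the guarded `__import__`, and `open` fails as an undefined name because it was never placed in the script's `__builtins__`. The fromlist check matters because `from json import decoder` would otherwise hand the script a submodule that was never on the approved list.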
 
Paul Rubin

Richard Dwan said:
My question is: is there a secure Python interpreter
that prevents malicious code from using C/C++ modules
or built-in functions to cause damage to a user's
system?

You mean like a Java sandbox? There used to be one in Python (the
rexec/Bastion modules) but they were removed for security reasons
(i.e. they weren't secure and there was no way to fix the holes).
There seems to currently be no really reliable way to do what you're
asking. Your best bet may be either a small JVM, or a very limited
special purpose language that you could implement in Python.
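Paul's second suggestion, a very limited special-purpose language implemented in Python, as an added example (not code from the thread). The scripts borrow Python syntax so that `ast.parse` does the parsing, but nothing is ever `exec`ed: a small interpreter walks the tree and accepts only an explicit allowlist of node kinds, so there is no import statement, no attribute access and no built-in namespace for a script to reach, and a step budget stops runaway loops from hanging the host. The `get_data` and `scale` functions, the step limit and the sample scripts are constructed for the demonstration.

```python
"""A tiny special-purpose script language interpreted over a Python AST with a
node allowlist (constructed example)."""
import ast
import operator

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
            ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class ScriptError(Exception):
    """Raised for any construct outside the language, or an exhausted budget."""


class MiniInterpreter:
    MAX_STEPS = 10_000  # hard budget so a runaway loop cannot hang the host

    def __init__(self, functions):
        self.functions = dict(functions)  # the only callables a script can reach
        self.vars = {}
        self.steps = 0

    def run(self, source):
        tree = ast.parse(source, mode="exec")  # Python only parses; it never runs this
        for stmt in tree.body:
            self.exec_stmt(stmt)
        return dict(self.vars)

    def _tick(self):
        self.steps += 1
        if self.steps > self.MAX_STEPS:
            raise ScriptError("step budget exceeded")

    def exec_stmt(self, node):
        self._tick()
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            self.vars[node.targets[0].id] = self.eval_expr(node.value)
        elif isinstance(node, ast.If):
            for stmt in (node.body if self.eval_expr(node.test) else node.orelse):
                self.exec_stmt(stmt)
        elif isinstance(node, ast.While):
            while self.eval_expr(node.test):
                for stmt in node.body:
                    self.exec_stmt(stmt)
        else:  # Import, FunctionDef, ClassDef, ... are simply not in the language
            raise ScriptError(f"statement not allowed: {type(node).__name__}")

    def eval_expr(self, node):
        self._tick()
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in self.vars:
                return self.vars[node.id]
            raise ScriptError(f"undefined name: {node.id}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](self.eval_expr(node.left),
                                           self.eval_expr(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](self.eval_expr(node.left),
                                               self.eval_expr(node.comparators[0]))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
            fn = self.functions.get(node.func.id)
            if fn is None:  # calls resolve against the host's table, never a namespace
                raise ScriptError(f"call not approved: {node.func.id}")
            return fn(*[self.eval_expr(arg) for arg in node.args])
        raise ScriptError(f"expression not allowed: {type(node).__name__}")


def run_script(source, functions):
    """Return ("ok", final variables) or ("blocked", reason)."""
    try:
        return ("ok", MiniInterpreter(functions).run(source))
    except (ScriptError, SyntaxError) as exc:
        return ("blocked", str(exc))


# Constructed application API and sample script.
SAMPLE_FUNCTIONS = {
    "get_data": lambda: [1, 2, 3],
    "scale": lambda xs, k: [x * k for x in xs],
    "sum": sum,
}
GOOD_SCRIPT = """
values = get_data()
total = sum(scale(values, 2))
if total > 10:
    label = "big"
else:
    label = "small"
"""

if __name__ == "__main__":
    print(run_script(GOOD_SCRIPT, SAMPLE_FUNCTIONS))
    print(run_script("import os", SAMPLE_FUNCTIONS))
    print(run_script("while 1 < 2:\n    x = 1", SAMPLE_FUNCTIONS))
```

The difference from gating a real interpreter is that every capability here is opt-in: a construct the interpreter has no branch for cannot run at all, so adding a feature is a deliberate decision rather than a hole to remember to close.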
 
