From: ludo@gnu.org (Ludovic Courtès)
To: guile-devel@gnu.org
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Tue, 08 May 2012 16:41:17 +0200 [thread overview]
Message-ID: <874nrq7n1u.fsf@gnu.org> (raw)
In-Reply-To: 87r4uvopgu.fsf@netris.org
Hi Mark,
Mark H Weaver <mhw@netris.org> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>> Mark H Weaver <mhw@netris.org> skribis:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:
Right. However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.
> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?
CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to
OS resources such as file descriptors.
Also, a simple way to create a new module hierarchy based on an existing
one is needed. To goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world. All this is currently doable, but a high-level API
to do it is lacking.
Thanks,
Ludo’.
prev parent reply other threads:[~2012-05-08 14:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
2012-05-07 11:58 ` Noah Lavine
2012-05-07 16:31 ` Ludovic Courtès
2012-05-07 17:44 ` Mark H Weaver
2012-05-07 18:25 ` Noah Lavine
2012-05-07 20:10 ` Andreas Rottmann
2012-05-08 14:41 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874nrq7n1u.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guile-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).