From: ludo@gnu.org (Ludovic Courtès)
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Tue, 08 May 2012 16:41:17 +0200
Message-ID: <874nrq7n1u.fsf@gnu.org>
References: <87havtp42i.fsf@netris.org> <87ipg8uf44.fsf@gnu.org> <87r4uvopgu.fsf@netris.org>
To: guile-devel@gnu.org

Hi Mark,

Mark H Weaver writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>> Mark H Weaver writes:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:

Right.  However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.

> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?

CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to OS
resources such as file descriptors.

Also, a simple way to create a new module hierarchy based on an existing
one is needed.  The goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world.

All this is currently doable, but a high-level API to do it is lacking.

Thanks,
Ludo’.
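Added example (Guile Scheme; not code from this thread, from Mark or Ludo, or from Guile itself): the "module with carefully selected bindings" approach quoted above, built by hand with the core module API (make-module, module-define!, module-ref, resolve-module, eval), since the thread notes that no high-level API for it exists. The allow-list is a constructed assumption. The example shows the isolation Ludo asks for, in that (set! + -) inside the restricted module leaves the outside (guile) binding untouched, and that names outside the allow-list, such as the POSIX procedure getpid, are simply unbound there. The thread's caveat still applies: this closes neither the forgeable-syntax-object hole in psyntax nor the lack of CPU/memory limits, and it does nothing about code compiled outside the sandbox.

```scheme
;; Added example, not from the thread or from Guile's own sources.
;; Assumes the Guile 2.0 core module API named in the lead-in.

(define allowed-bindings
  ;; Constructed allow-list: arithmetic, pairs and core syntax only.
  ;; No (system foreign) and no POSIX procedures (getpid, open-file, ...).
  '(+ - * / = < > car cdr cons list length map
    lambda define if let quote begin set!))

(define (make-restricted-module names)
  "Return a fresh module whose only bindings are NAMES, copied from (guile).
module-define! creates new variables in the fresh module, so mutating them
later does not alias the variables of (guile)."
  (let ((m (make-module))
        (guile (resolve-module '(guile))))
    (for-each (lambda (name)
                (module-define! m name (module-ref guile name)))
              names)
    m))

(define restricted (make-restricted-module allowed-bindings))

;; Ordinary computation with allow-listed names works.
(eval '(map (lambda (x) (* x x)) (list 1 2 3)) restricted)

;; (set! + -) inside the restricted module only rebinds its own copy of +.
(eval '(set! + -) restricted)
(eval '(+ 5 2) restricted)   ; the restricted + now subtracts
(+ 5 2)                      ; the outside world still adds

;; A name outside the allow-list is unbound in the restricted module,
;; so the evaluation fails with 'unbound-variable instead of reaching the OS.
(define (refused? exp)
  (catch 'unbound-variable
    (lambda () (eval exp restricted) #f)
    (lambda (key . args) #t)))

(refused? '(getpid))         ; #t: no POSIX procedures in the sandbox
```

Load the block in a Guile REPL and evaluate the expressions one by one. The allow-list is the whole security boundary here, which is exactly why the thread treats this as insufficient on its own: anything that lets evaluated code obtain a binding by a route other than the module (the forged syntax objects Mark describes, or ‘toplevel-ref’ baked into code compiled elsewhere) bypasses it.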