From: Mark H Weaver
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Mon, 07 May 2012 13:44:49 -0400
Message-ID: <87r4uvopgu.fsf@netris.org>
References: <87havtp42i.fsf@netris.org> <87ipg8uf44.fsf@gnu.org>
To: ludo@gnu.org (Ludovic Courtès)
Cc: guile-devel@gnu.org
In-Reply-To: <87ipg8uf44.fsf@gnu.org>

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver skribis:
>
>> Every once in a while someone asks about secure sandboxing with Guile,
>> and generally the response is that it should be fairly easy, by creating
>> a module with carefully selected bindings, but there's nothing ready
>> "out of the box".
>>
>> I just realized that psyntax has a security hole that prevents secure
>> sandboxing, and wanted to post this fact before it was forgotten.
>
> There are many other holes, such as the fact that ‘@@’ is compiled to
> the ‘toplevel-ref’ instruction, which can search inside modules.

'@@' can be rebound, so that its default binding is no longer available:

scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
$1 = #
scheme@(guile-user)> (define @@ 2)
scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
;;; :3:4: warning: possibly unbound variable `ice-9'
;;; :3:4: warning: possibly unbound variable `popen'
;;; :3:0: warning: possibly unbound variable `open-pipe*'
:3:4: In procedure #:3:0 ()>:
:3:4: In procedure module-lookup:
Unbound variable: ice-9

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]>

In the past, some of us (including me) have suspected that by creating a
module with all dangerous bindings removed (including '@' and '@@'), one
could create a secure sandbox in Guile.  Sadly, that is not the case.

>> The problem is that psyntax accepts syntax-objects in the input, and
>> syntax-objects are simply vectors (or sexps containing vectors).
>
> I agree it would be nice to fix eventually, using structs, but it takes
> more than this to allow for “secure sandboxing”.

Can you think of anything else that would need to be fixed, besides this
problem with forgeable syntax-objects?

    Thanks,
      Mark
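The following is an added example, not code from the message above or from the Guile project, of the "module with carefully selected bindings" recipe the thread refers to, together with the checks a sandbox author would want to run before trusting it. It assumes the Guile 2.0-era module API (make-module, module-use!, resolve-interface with #:select, and eval taking a module as its environment) and confirms that '@@', '@', module-ref and eval are not reachable from evaluated code because they are simply unbound in the restricted module, rather than shadowed as in the REPL transcript. As the message explains, this narrows the surface but does not close the forged syntax-object hole, so it is a necessary check, not a sufficient one.

```scheme
;; Added example (not part of the original message or of Guile itself):
;; a restricted evaluation module of the kind the thread describes.
;; Assumes the Guile 2.0 module API: make-module, module-use!,
;; resolve-interface with #:select, and eval taking a module argument.

;; Only these names from (guile) are visible inside the restricted module.
;; '@', '@@', module-ref, resolve-module, eval, system, open-pipe* and so on
;; are deliberately absent, so they are unbound rather than merely shadowed.
(define allowed-bindings
  '(define lambda if let quote begin + - * / = < > car cdr cons list
    null? pair? not and or))

(define (make-restricted-module)
  ;; make-module with no arguments yields a module that uses nothing, so it
  ;; inherits no (guile) bindings at all; we then import only the allow-list.
  (let ((m (make-module)))
    (module-use! m (resolve-interface '(guile) #:select allowed-bindings))
    m))

(define (restricted-eval expr)
  ;; Evaluate EXPR in a fresh restricted module.  Returns (ok VALUE) on
  ;; success or (refused ERROR-KEY) so the caller can see why it failed.
  (catch #t
    (lambda () (list 'ok (eval expr (make-restricted-module))))
    (lambda (key . args) (list 'refused key))))

;; Checks a sandbox author would run.  Every form here is constructed for
;; the example; the escape attempts use only names from the thread.
(define checks
  `((arithmetic-works        (+ 1 2))
    (at-at-unreachable       (@@ (ice-9 popen) open-pipe*))
    (at-unreachable          (@ (guile) system))
    (module-ref-unreachable  (module-ref (resolve-module '(guile)) 'system))
    (eval-unreachable        (eval '(+ 1 2) (interaction-environment)))))

(for-each
 (lambda (check)
   (format #t "~a: ~s~%" (car check) (restricted-eval (cadr check))))
 checks)
```

Run it with guile on the file. The arithmetic form is meant to succeed and the remaining four to be refused with the unbound-variable key, which is the same failure mode the REPL transcript shows once '@@' no longer carries its default binding. The checks exercise only ordinary identifiers; they say nothing about what happens when the expander is handed a vector disguised as a syntax-object, which is precisely the hole the message reports.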