From: Noah Lavine <noah.b.lavine@gmail.com>
To: Mark H Weaver <mhw@netris.org>
Cc: guile-devel@gnu.org
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Mon, 7 May 2012 07:58:05 -0400 [thread overview]
Message-ID: <CA+U71=MXb10YxRVr0B9Z51cTSLXJM1SVejqQtfu_i2VipKHamw@mail.gmail.com> (raw)
In-Reply-To: <87havtp42i.fsf@netris.org>
That is an interesting problem. It would be nice to have sandboxing.
I'm writing to point out that there has been an attempt to make
"out-of-the-box" sandboxing work. The modules (ice-9 safe) and (ice-9
safe-r5rs) should be sandboxed environments, I think. (I encountered
them while looking for undocumented modules.) There's also the (ice-9
null) module, which gives an environment with only the basic syntax
and no procedures at all.
Noah
On Sun, May 6, 2012 at 2:17 PM, Mark H Weaver <mhw@netris.org> wrote:
> Hello all,
>
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
>
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
>
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
> Therefore, it is always possible to _forge_ syntax-objects that refer to
> arbitrary bindings in arbitrary modules, even if the usual bindings of
> '@' and '@@' are not available.
>
> In particular (although this is an internal implementation detail that
> you cannot rely upon!) in Guile 2.0 the following two expressions are
> treated equivalently:
>
> (@@ (ice-9 popen) open-pipe*)
>
> #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
>
> I don't think we can plug this hole until 2.2.
>
> Mark
>
next prev parent reply other threads:[~2012-05-07 11:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
2012-05-07 11:58 ` Noah Lavine [this message]
2012-05-07 16:31 ` Ludovic Courtès
2012-05-07 17:44 ` Mark H Weaver
2012-05-07 18:25 ` Noah Lavine
2012-05-07 20:10 ` Andreas Rottmann
2012-05-08 14:41 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+U71=MXb10YxRVr0B9Z51cTSLXJM1SVejqQtfu_i2VipKHamw@mail.gmail.com' \
--to=noah.b.lavine@gmail.com \
--cc=guile-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).