From mboxrd@z Thu Jan 1 00:00:00 1970
From: Noah Lavine
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Mon, 7 May 2012 07:58:05 -0400
Message-ID:
References: <87havtp42i.fsf@netris.org>
In-Reply-To: <87havtp42i.fsf@netris.org>
To: Mark H Weaver
Cc: guile-devel@gnu.org
List-Id: "Developers list for Guile, the GNU extensibility library"
Xref: news.gmane.org gmane.lisp.guile.devel:14366

That is an interesting problem. It would be nice to have sandboxing.

I'm writing to point out that there has been an attempt to make "out-of-the-box" sandboxing work. The modules (ice-9 safe) and (ice-9 safe-r5rs) should be sandboxed environments, I think. (I encountered them while looking for undocumented modules.) There's also the (ice-9 null) module, which gives an environment with only the basic syntax and no procedures at all.
Noah

On Sun, May 6, 2012 at 2:17 PM, Mark H Weaver wrote:
> Hello all,
>
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
>
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
>
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
> Therefore, it is always possible to _forge_ syntax-objects that refer to
> arbitrary bindings in arbitrary modules, even if the usual bindings of
> '@' and '@@' are not available.
>
> In particular (although this is an internal implementation detail that
> you cannot rely upon!) in Guile 2.0 the following two expressions are
> treated equivalently:
>
>   (@@ (ice-9 popen) open-pipe*)
>
>   #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
>
> I don't think we can plug this hole until 2.2.
>
>      Mark
>
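The forgery Mark describes, alongside the pre-expansion check a sandbox author would want, as an added example written for this page; it is not code from the thread or from Guile itself. It assumes Guile 2.0, where psyntax represents a syntax object as a vector tagged with the symbol syntax-object (the internal detail Mark warns cannot be relied upon; later releases changed the representation), and it uses make-safe-module from the (ice-9 safe) module Noah mentions. The helpers contains-vector? and safe-eval are names invented here.

```scheme
;; Added example, not from the original thread.  Assumes Guile 2.0 and the
;; vector layout of syntax objects described in Mark's message.
(use-modules (ice-9 safe))   ; exports make-safe-module: a module seeing only safe R5RS bindings

(define sandbox (make-safe-module))

;; 1. The intended restriction holds: @@ is not bound in the safe module, so the
;;    explicit cross-module reference fails with an unbound-variable error.
(catch #t
  (lambda () (eval '(@@ (ice-9 popen) open-pipe*) sandbox))
  (lambda (key . args) (format #t "@@ form rejected: ~a ~s~%" key args)))

;; 2. The hole: a vector literal read from untrusted text, shaped like a
;;    psyntax syntax object, names the same binding without @@ or @.  Nothing
;;    is spawned here; the expression only resolves to the procedure.
(define forged
  (call-with-input-string
   "#(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))"
   read))

(define proc (eval forged sandbox))
(format #t "forged reference resolved to: ~s~%" proc)

;; 3. Mitigation (assumed, not part of Guile): refuse any datum containing a
;;    vector before it reaches the expander.  This is coarser than matching the
;;    syntax-object tag, but it does not depend on psyntax's private layout,
;;    and vectors nested inside list forms are expanded as subforms, so the
;;    walk must cover every car and cdr.
(define (contains-vector? datum)
  (cond ((vector? datum) #t)
        ((pair? datum) (or (contains-vector? (car datum))
                           (contains-vector? (cdr datum))))
        (else #f)))

(define (safe-eval datum)
  (if (contains-vector? datum)
      (throw 'sandbox-violation "vector in untrusted input" datum)
      (eval datum sandbox)))

(format #t "safe-eval of (+ 1 2): ~s~%" (safe-eval '(+ 1 2)))

(catch 'sandbox-violation
  (lambda () (safe-eval forged))
  (lambda (key msg datum) (format #t "rejected: ~a ~s~%" msg datum)))
```

The filter rejects vector literals under quote as well, which is a deliberate false positive: allowing them would require tracking quote, quasiquote and unquote boundaries, and an error in that tracking reopens the hole. The check covers only data handed to eval; if the sandbox exposes any macro that can construct syntax objects, the same forgery is reachable through it.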