* Psyntax security hole prevents secure sandboxing in Guile
@ 2012-05-06 18:17 Mark H Weaver
2012-05-07 11:58 ` Noah Lavine
2012-05-07 16:31 ` Ludovic Courtès
0 siblings, 2 replies; 7+ messages in thread
From: Mark H Weaver @ 2012-05-06 18:17 UTC (permalink / raw)
To: guile-devel
Hello all,
Every once in a while someone asks about secure sandboxing with Guile,
and generally the response is that it should be fairly easy, by creating
a module with carefully selected bindings, but there's nothing ready
"out of the box".
I just realized that psyntax has a security hole that prevents secure
sandboxing, and wanted to post this fact before it was forgotten.
The problem is that psyntax accepts syntax-objects in the input, and
syntax-objects are simply vectors (or sexps containing vectors).
Therefore, it is always possible to _forge_ syntax-objects that refer to
arbitrary bindings in arbitrary modules, even if the usual bindings of
'@' and '@@' are not available.
In particular (although this is an internal implementation detail that
you cannot rely upon!) in Guile 2.0 the following two expressions are
treated equivalently:
(@@ (ice-9 popen) open-pipe*)
#(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
I don't think we can plug this hole until 2.2.
Mark
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
@ 2012-05-07 11:58 ` Noah Lavine
2012-05-07 16:31 ` Ludovic Courtès
1 sibling, 0 replies; 7+ messages in thread
From: Noah Lavine @ 2012-05-07 11:58 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guile-devel
That is an interesting problem. It would be nice to have sandboxing.
I'm writing to point out that there has been an attempt to make
"out-of-the-box" sandboxing work. The modules (ice-9 safe) and (ice-9
safe-r5rs) should be sandboxed environments, I think. (I encountered
them while looking for undocumented modules.) There's also the (ice-9
null) module, which gives an environment with only the basic syntax
and no procedures at all.
Noah
On Sun, May 6, 2012 at 2:17 PM, Mark H Weaver <mhw@netris.org> wrote:
> Hello all,
>
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
>
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
>
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
> Therefore, it is always possible to _forge_ syntax-objects that refer to
> arbitrary bindings in arbitrary modules, even if the usual bindings of
> '@' and '@@' are not available.
>
> In particular (although this is an internal implementation detail that
> you cannot rely upon!) in Guile 2.0 the following two expressions are
> treated equivalently:
>
> (@@ (ice-9 popen) open-pipe*)
>
> #(syntax-object open-pipe* ((top)) (hygiene ice-9 popen))
>
> I don't think we can plug this hole until 2.2.
>
> Mark
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
2012-05-07 11:58 ` Noah Lavine
@ 2012-05-07 16:31 ` Ludovic Courtès
2012-05-07 17:44 ` Mark H Weaver
1 sibling, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2012-05-07 16:31 UTC (permalink / raw)
To: guile-devel
Hi Mark!
Mark H Weaver <mhw@netris.org> skribis:
> Every once in a while someone asks about secure sandboxing with Guile,
> and generally the response is that it should be fairly easy, by creating
> a module with carefully selected bindings, but there's nothing ready
> "out of the box".
>
> I just realized that psyntax has a security hole that prevents secure
> sandboxing, and wanted to post this fact before it was forgotten.
There are many other holes, such as the fact that ‘@@’ is compiled to
the ‘toplevel-ref’ instruction, which can search inside modules.
> The problem is that psyntax accepts syntax-objects in the input, and
> syntax-objects are simply vectors (or sexps containing vectors).
I agree it would be nice to fix eventually, using structs, but it takes
more than this to allow for “secure sandboxing”.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-07 16:31 ` Ludovic Courtès
@ 2012-05-07 17:44 ` Mark H Weaver
2012-05-07 18:25 ` Noah Lavine
2012-05-08 14:41 ` Ludovic Courtès
0 siblings, 2 replies; 7+ messages in thread
From: Mark H Weaver @ 2012-05-07 17:44 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guile-devel
ludo@gnu.org (Ludovic Courtès) writes:
> Mark H Weaver <mhw@netris.org> skribis:
>
>> Every once in a while someone asks about secure sandboxing with Guile,
>> and generally the response is that it should be fairly easy, by creating
>> a module with carefully selected bindings, but there's nothing ready
>> "out of the box".
>>
>> I just realized that psyntax has a security hole that prevents secure
>> sandboxing, and wanted to post this fact before it was forgotten.
>
> There are many other holes, such as the fact that ‘@@’ is compiled to
> the ‘toplevel-ref’ instruction, which can search inside modules.
'@@' can be rebound, so that its default binding is no longer available:
scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
$1 = #<procedure open-pipe* (mode command . args)>
scheme@(guile-user)> (define @@ 2)
scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
;;; <stdin>:3:4: warning: possibly unbound variable `ice-9'
;;; <stdin>:3:4: warning: possibly unbound variable `popen'
;;; <stdin>:3:0: warning: possibly unbound variable `open-pipe*'
<unnamed port>:3:4: In procedure #<procedure 103199b0 at <current input>:3:0 ()>:
<unnamed port>:3:4: In procedure module-lookup: Unbound variable: ice-9
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]>
In the past, some of us (including me) have suspected that by creating a
module with all dangerous bindings removed (including '@' and '@@'), one
could create a secure sandbox in Guile. Sadly, that is not the case.
>> The problem is that psyntax accepts syntax-objects in the input, and
>> syntax-objects are simply vectors (or sexps containing vectors).
>
> I agree it would be nice to fix eventually, using structs, but it takes
> more than this to allow for “secure sandboxing”.
Can you think of anything else that would need to be fixed, besides this
problem with forgeable syntax-objects?
Thanks,
Mark
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-07 17:44 ` Mark H Weaver
@ 2012-05-07 18:25 ` Noah Lavine
2012-05-07 20:10 ` Andreas Rottmann
2012-05-08 14:41 ` Ludovic Courtès
1 sibling, 1 reply; 7+ messages in thread
From: Noah Lavine @ 2012-05-07 18:25 UTC (permalink / raw)
To: Mark H Weaver; +Cc: Ludovic Courtès, guile-devel
> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?
It depends how much of a sandbox you're thinking of, but I'd like to
make sure that the untrusted code didn't go into an infinite loop,
which means either putting it in a separate process or having a timer
that would stop it after a deadline. Also you'd have to make sure that
you didn't run any procedure returned by the untrusted code, for the
same reason.
Also, what if the untrusted code allocated a lot of memory? I suppose
you could depend on that all being garbage-collected after it
finished, but you'd have to be prepared to handle out-of-memory errors
while it was running.
It might be easiest to just put it in a separate process, although
that would make communication harder.
Noah
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-07 18:25 ` Noah Lavine
@ 2012-05-07 20:10 ` Andreas Rottmann
0 siblings, 0 replies; 7+ messages in thread
From: Andreas Rottmann @ 2012-05-07 20:10 UTC (permalink / raw)
To: Noah Lavine; +Cc: Mark H Weaver, Ludovic Courtès, guile-devel
Noah Lavine <noah.b.lavine@gmail.com> writes:
>> Can you think of anything else that would need to be fixed, besides this
>> problem with forgeable syntax-objects?
>
> It depends how much of a sandbox you're thinking of, but I'd like to
> make sure that the untrusted code didn't go into an infinite loop,
> which means either putting it in a separate process or having a timer
> that would stop it after a deadline. Also you'd have to make sure that
> you didn't run any procedure returned by the untrusted code, for the
> same reason.
>
> Also, what if the untrusted code allocated a lot of memory? I suppose
> you could depend on that all being garbage-collected after it
> finished, but you'd have to be prepared to handle out-of-memory errors
> while it was running.
>
> It might be easiest to just put it in a separate process, although
> that would make communication harder.
>
Racket has a facility that achieves sandboxing (with the above property
of CPU and RAM usage bounds), i believe:
http://docs.racket-lang.org/reference/Sandboxed_Evaluation.html
Regards, Rotty
--
Andreas Rottmann -- <http://rotty.yi.org/>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Psyntax security hole prevents secure sandboxing in Guile
2012-05-07 17:44 ` Mark H Weaver
2012-05-07 18:25 ` Noah Lavine
@ 2012-05-08 14:41 ` Ludovic Courtès
1 sibling, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2012-05-08 14:41 UTC (permalink / raw)
To: guile-devel
Hi Mark,
Mark H Weaver <mhw@netris.org> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>> Mark H Weaver <mhw@netris.org> skribis:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:
Right. However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.
> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?
CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to
OS resources such as file descriptors.
Also, a simple way to create a new module hierarchy based on an existing
one is needed. To goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world. All this is currently doable, but a high-level API
to do it is lacking.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2012-05-08 14:41 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-06 18:17 Psyntax security hole prevents secure sandboxing in Guile Mark H Weaver
2012-05-07 11:58 ` Noah Lavine
2012-05-07 16:31 ` Ludovic Courtès
2012-05-07 17:44 ` Mark H Weaver
2012-05-07 18:25 ` Noah Lavine
2012-05-07 20:10 ` Andreas Rottmann
2012-05-08 14:41 ` Ludovic Courtès
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).