guile-user
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Embedding Guile with sandboxing


From: Pascal J. Bourguignon
Subject: Re: Embedding Guile with sandboxing
Date: Sat, 21 Nov 2015 22:39:06 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Matthew Keeter <address@hidden> writes:

> I’m currently embedding Python in a C / C++ application that evaluates 
> user-provided scripts.
>
> Obviously, this is terribly unsafe: user-provided scripts can execute 
> arbitrary malicious actions,
> and there’s no good way to sandbox Python in a desktop context.
>
> If I were to replace Python with Guile, is there a way to sandbox it so that 
> arbitrary (perhaps
> malicious) user-provided scripts can be run safely?

Well, I would use ecl (Embeddable Common Lisp) rather, but the problem
is not specific to a language.

To ensure "safety", you need to _control_ things.

Using a general algorithmic programming language with OS or platform
interfaces will never be safe.

What you need is to write your own implementation. It doesn't matter of
what language.

For example, you could take pypy, expurge it from the "dangerous"
operations and go on with the resulting restricted python.

Or you could do the same with guile or Common Lisp.

The advantage of the later languages, is that it is easier to write
languages in them, reusing parts of the existing infrastructure.  I
imagine the same can be done with pypy.   On the other hand, if you mix
metalinguistic layers, you may introduce leaking bugs.  


Ultimately, the problem comes down to the fact that the underlying
hardware and OS layer is not safe itself.  One easy way to allow
potentially hostile code to run, is to make it run in a chroot, nope, we
know it's not safe, so in its own virtual machine (either on an
hypervisor or a qemu or simular), but, nope, we know it's not safe
(there are exploitable bugs in hypervisors and qemu, etc).


So you need to implement a language that won't provide any unwanted
OS/platform API and that won't provide any way to generate code accessing
to any unwanted feature, and that still allows user to write useful
programs, while making no mistake; and since it will run on an unsafe
platform, how will you ensure that a program written in your language
will never be able to have any nefarious side effects?

For example, the x86 MMU is turing complete.  How do you ensure that
there is no way any program written in your language will not have the
side effect of introducing a nefarious program in the underlying MMU?


Perhaps it would be easier to select good users, and just give them full
Common Lisp with ecl (or full guile).


-- 
__Pascal Bourguignon__                 http://www.informatimago.com/
“The factory of the future will have only two employees, a man and a
dog. The man will be there to feed the dog. The dog will be there to
keep the man from touching the equipment.” -- Carl Bass CEO Autodesk




reply via email to

[Prev in Thread] Current Thread [Next in Thread]