Re: Psyntax security hole prevents secure sandboxing in Guile

[Ludovic Courtès]

Hi Mark,

Mark H Weaver <address@hidden> skribis:

> address@hidden (Ludovic Courtès) writes:
>> Mark H Weaver <address@hidden> skribis:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:

Right.  However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.

> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?

CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to
OS resources such as file descriptors.

Also, a simple way to create a new module hierarchy based on an existing
one is needed.  To goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world.  All this is currently doable, but a high-level API
to do it is lacking.

Thanks,
Ludo’.