[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Psyntax security hole prevents secure sandboxing in Guile
From: |
Ludovic Courtès |
Subject: |
Re: Psyntax security hole prevents secure sandboxing in Guile |
Date: |
Tue, 08 May 2012 16:41:17 +0200 |
User-agent: |
Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.93 (gnu/linux) |
Hi Mark,
Mark H Weaver <address@hidden> skribis:
> address@hidden (Ludovic Courtès) writes:
>> Mark H Weaver <address@hidden> skribis:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:
Right. However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.
> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?
CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to
OS resources such as file descriptors.
Also, a simple way to create a new module hierarchy based on an existing
one is needed. To goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world. All this is currently doable, but a high-level API
to do it is lacking.
Thanks,
Ludo’.