
Secure Python

Hi List!

I was thinking about secure Python code execution, and I'd really
appreciate some comments from those who know Python better than I do.

I was thinking that maybe it could be possible to load and run untrusted
Python code, simply by loading it in a module with a modified version of
__builtins__. Without any reachable function that does unsafe operations,
code running from there shouldn't be able to do evil things.

Or? What would happen to `import'? Would it be possible to set a null
import path for a specific module? Are there any other ways to reach
modules/functions that would make this impossible (I don't seem to be
able to remember, but aren't there cross-references somewhere to the
defining modules of data passed to the code in the secure module)?

If this doesn't work, might there be some other way to run untrusted
code that I haven't thought of (apart from using O/S-specific stuff like
seccomp, of course)?

Thank you very much for your time!

Fredrik Tolf
Nov 16 '06 #1
On Thu, 16 Nov 2006 04:02:58 +0100, Fredrik Tolf wrote:
Hi List!

I was thinking about secure Python code execution, and I'd really
appreciate some comments from those who know Python better than I do.

I was thinking that maybe it could be possible to load and run untrusted
Python code, simply by loading it in a module with a modified version of
__builtins__. Without any reachable function that does unsafe operations,
code running from there shouldn't be able to do evil things.
How would you prevent a Denial Of Service attack like this?

# don't try this at home kids! leave this to the professionals!
n = 10000**4
L = []
for i in range(n):
    L.append(str(2L ** n))

Here's an interesting one. Bug or deliberate attack?
def evens():
    # iterator returning even numbers
    i = 0
    while True:
        yield i
        i += 2
# now get all the even numbers up to 15
L = [n for n in evens() if n < 15]

--
Steven D'Aprano

Nov 16 '06 #2
Steven D'Aprano wrote:
On Thu, 16 Nov 2006 04:02:58 +0100, Fredrik Tolf wrote:

>>Hi List!

I was thinking about secure Python code execution, and I'd really
appreciate some comments from those who know Python better than I do.

I was thinking that maybe it could be possible to load and run untrusted
Python code, simply by loading it in a module with a modified version of
__builtins__. Without any reachable function that does unsafe operations,
code running from there shouldn't be able to do evil things.


How would you prevent a Denial Of Service attack like this?

# don't try this at home kids! leave this to the professionals!
n = 10000**4
L = []
for i in range(n):
    L.append(str(2L ** n))

Here's an interesting one. Bug or deliberate attack?
def evens():
    # iterator returning even numbers
    i = 0
    while True:
        yield i
        i += 2
# now get all the even numbers up to 15
L = [n for n in evens() if n < 15]
congratulations, you have discovered loops and their misuse
Nov 16 '06 #3
timmy wrote:
congratulations, you have discovered loops and their misuse
if you don't know what the phrase "denial of service attack" means, you
can always google for it.

</F>

Nov 16 '06 #4
On Thu, 16 Nov 2006 17:44:37 +1000, timmy wrote:
congratulations, you have discovered loops and their misuse
Did you have a point in your utterly inane comment, or did you just want
to see your name on Usenet?

In any case, it isn't just "loops" that are dangerous.

print 2**512**512

No loop there, but it will operate as a lovely DoS attack if you run it.

The Original Poster is suggesting running UNTRUSTED code. That means you
have to assume that it will be actively hostile, but even if it isn't
deliberately hostile, there will be bugs which the developer can't control.

He wants to run this untrusted (hostile or buggy or both) code in an
environment where it can't do bad things. "Bad things" include Denial of
Service attacks. So, Timmy, let's hear your brilliant scheme for
preventing DoS attacks when running hostile code in Python.

--
Steven D'Aprano

Nov 16 '06 #5
Fredrik Tolf wrote:
If this doesn't work, might there be some other way to run untrusted
code that I haven't thought of (apart from using O/S-specific stuff like
seccomp, of course)?
There was a module called rexec which tries to give you a restricted
environment for executing code. But it seems that it is not maintained
anymore, because there were too many problems with it. It seems that it is
very complicated to get a restricted execution environment without losing
too much of Python's functionality.

One question is what you want to achieve. As another posting in this thread
mentioned, you can't get around denial of service attacks, even in
restricted or trusted environments. So I assume that what you want is
something like a sandbox, where specific file actions (deleting files,
access to specific parts of the FS at all) and some other things can be
restricted or forbidden. I think this should be possible, even for some
DoS attacks (e.g. restricting the amount of memory that can be used by the
script, or the max stack size, recursion depth limits etc.), but it is a
hard job to find all the places where code can break out of your sandbox. For
a full load of bad examples, simply have a look at JavaScript...

For an IMHO really good implementation of the sandbox idea, have a look at
the "safe interp" in Tcl. A short description (and by no means complete) of
the safe interp is to run a second and completely independent interpreter
with all possibly dangerous commands completely removed and a
one-way channel to inject commands and scripts into its evaluation loop
from the trusted interpreter. Depending on how much faith you have in the
untrusted script, you can selectively allow additional commands in the safe
interp or map common commands to other restricted or monitored versions of
them, which you implement yourself inside your trusted environment. I do
not know how complex it would be to do this in Python (since Tcl may look
a little old-fashioned to some people but has some unique features that
help especially with this kind of problem, such as having no keywords,
which makes it possible to change the semantics of even the most basic
constructs in the language from the scripting level), but I think it would
be a really useful feature for Python to have a sandbox mechanism to run
untrusted code.

Regards
Stephan
Nov 16 '06 #6
Fredrik Lundh wrote:
timmy wrote:
>congratulations, you have discovered loops and their misuse


if you don't know what the phrase "denial of service attack" means, you
can always google for it.

</F>
maybe you should google "linux kernel limit"; then you can prevent any
user/process from maxing out your system
Nov 16 '06 #7
Steven D'Aprano wrote:
On Thu, 16 Nov 2006 17:44:37 +1000, timmy wrote:

>>congratulations, you have discovered loops and their misuse


Did you have a point in your utterly inane comment, or did you just want
to see your name on Usenet?

In any case, it isn't just "loops" that are dangerous.

print 2**512**512

No loop there, but it will operate as a lovely DoS attack if you run it.

The Original Poster is suggesting running UNTRUSTED code. That means you
have to assume that it will be actively hostile, but even if it isn't
deliberately hostile, there will be bugs which the developer can't control.

He wants to run this untrusted (hostile or buggy or both) code in an
environment where it can't do bad things. "Bad things" include Denial of
Service attacks. So, Timmy, let's hear your brilliant scheme for
preventing DoS attacks when running hostile code in Python.
as posted before, linux kernel limit.

then you and your users can go as crazy as you want and you won't take
out your system.

maybe you should think a little more before going on the attack like that.
Nov 16 '06 #8
timmy wrote:
maybe you should google "linux kernel limit"; then you can prevent any
user/process from maxing out your system
one would have thought that the phrase "apart from OS-specific stuff"
might have meant that the OP wasn't asking for Linux-specific solutions.

</F>

Nov 16 '06 #9
timmy <"timothy at open-networks.net"> wrote:

This sub-thread is starting to become a flame-war, isn't it? Calm down, both of
you... No need to fight when only some ideas for a technical question are
requested.
as posted before, linux kernel limit.

then you and your users can go as crazy as you want and you won't take
out your system.
The problem with linux kernel limits is that they won't work really well
on MacOSX and Windows... OTOH the idea is the right one, but the effect can
be achieved inside of Python, since Python byte-compiles the code and
the interpreter evaluates each byte code token in one evaluation step. The
interpreter could be extended for such use cases to count and limit the
number of evaluation steps allowed for an untrusted script or for methods in
an untrusted script, as well as to limit the recursion depth or the memory to be
allocated. All those limits are managed by the interpreter for script code
and hence can be limited for untrusted code by the interpreter. This also
does not really make DoS impossible (what about C extensions? - maybe
restricting "import"?). As I said before in this thread, making a sandbox
really secure is a hard job, and may need some serious changes in the
Python interpreter, but AFAIK from Tcl it is possible - and would be nice
to have.

Regards
Stephan

Nov 16 '06 #10
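An added example, not code from the thread or from any of its posters, putting together the approach the OP asks about in #1 (a stripped-down __builtins__ for the untrusted namespace) with the limits Stephan describes in #10 and the DoS cases Steven raises: the untrusted source runs in a throwaway child process under an allow-listed builtins dictionary, a low recursion limit, and OS CPU/memory limits. It assumes a POSIX platform with CPython 3 and the resource module; run_untrusted, the allow-list and the status values are my own names and choices.

```python
import json
import subprocess
import sys
import textwrap

# Script run inside a throwaway child process; only the child ever sees the code.
_CHILD = textwrap.dedent("""
    import builtins, json, resource, sys
    cpu_s, mem_b = int(sys.argv[1]), int(sys.argv[2])
    # OS limits set from Python itself: CPU seconds (SIGXCPU ends the child)
    # and address space (allocation failures become MemoryError, not swap death).
    for res, want in ((resource.RLIMIT_CPU, cpu_s), (resource.RLIMIT_AS, mem_b)):
        _, hard = resource.getrlimit(res)
        lim = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (lim, lim))
    sys.setrecursionlimit(200)          # interpreter limit: RecursionError early
    # Allow-list of builtins for the untrusted namespace; no open, __import__,
    # exec, eval, getattr, globals, ... (names chosen for this example).
    allowed = "abs len list max min range sorted str int sum tuple"
    ns = {"__builtins__": {n: getattr(builtins, n) for n in allowed.split()}}
    try:
        exec(sys.stdin.read(), ns)
        out = {"status": "ok", "result": ns.get("result")}
    except Exception as e:              # NameError, ImportError, MemoryError, ...
        out = {"status": "error", "error": f"{type(e).__name__}: {e}"}
    print(json.dumps(out, default=repr))
""")


def run_untrusted(source, cpu_seconds=1, mem_bytes=512 * 1024 * 1024, wall_seconds=10):
    """Run untrusted `source` in a limited child and report what happened."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, str(cpu_seconds), str(mem_bytes)],
            input=source, capture_output=True, text=True, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        return {"status": "timeout"}    # wall-clock backstop for code that blocks
    if proc.returncode < 0:             # terminated by a signal, e.g. SIGXCPU
        return {"status": "killed", "signal": -proc.returncode}
    if proc.returncode != 0:            # the child itself broke: report, don't guess
        return {"status": "crashed", "stderr": proc.stderr[-300:]}
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for snippet in ("result = sum(range(10))", "import os",
                    "open('/etc/passwd')", "while True: pass"):
        print(repr(snippet), "->", run_untrusted(snippet))
```

The allow-list turns direct use of open and import into reported errors, the recursion limit turns runaway recursion into a RecursionError, and the CPU limit ends an infinite loop; as Stephan notes, none of this closes every escape route, so the disposable child process is the real boundary.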
