[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Psyntax security hole prevents secure sandboxing in Guile

From: Ludovic Courtès
Subject: Re: Psyntax security hole prevents secure sandboxing in Guile
Date: Tue, 08 May 2012 16:41:17 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.93 (gnu/linux)

Hi Mark,

Mark H Weaver <address@hidden> skribis:

> address@hidden (Ludovic Courtès) writes:
>> Mark H Weaver <address@hidden> skribis:
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
> '@@' can be rebound, so that its default binding is no longer available:

Right.  However, code compiled outside the sandbox, with the real ‘@@’,
does have that ‘toplevel-ref’ in it.

> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?

CPU/memory resource revocation, the ability to pass immutable references
to existing objects (variables, vectors, etc.), and mediated access to
OS resources such as file descriptors.

Also, a simple way to create a new module hierarchy based on an existing
one is needed.  To goal would be to make it easy, for instance, to
invoke code within a module hierarchy that lacks (system foreign), has
no POSIX procedures in (guile), and where (set! + -) would not affect
the outside world.  All this is currently doable, but a high-level API
to do it is lacking.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]