Dailydave mailing list archives

Re: Google Apps Engine

From: "Thomas Ptacek" <tqbf () matasano com>
Date: Sat, 12 Apr 2008 13:22:15 -0500

If you own the interpreter codebase, shouldn't it be possible just to
hook libc's open(2) stub, and give a unique signature to calls that
originated on a trusted code path? This doesn't seem at all hard to
me.

On 4/12/08, Aidan Thornton <makosoft () googlemail com> wrote:

 On 4/11/08, Lutz Böhne <lboehne () damogran de> wrote:
 > > Even those could easily be sanitized by just some fun with function
 > > pointers.
 > >
 > >     >>> open=lambda *x: "no"
 > >     >>> open('/etc/passwd')
 > >     'no'
 >
 > Unless there are other ways to find these functions:
 >
 >     >>> __builtins__.__dict__["open"]( '/etc/passwd')
 >     <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>
 >
 > or even:
 >
 >     >>> open=lambda *x: "no"
 >     >>> open('/etc/passwd')
 >     'no'
 >     >>> del open
 >     >>> open('/etc/passwd')
 >     <open file '/etc/passwd', mode 'r' at 0xb7db44a0>
 >
 > Python is fun, there are so many ways to have it do what you want ;)
 >
 > It might be possible to remove these functions like this:
 >
 >     >>> del __builtins__.__dict__["open"]
 >     >>> open('/etc/passwd')
 >     Traceback (most recent call last):
 >       File "<stdin>", line 1, in <module>
 >     NameError: name 'open' is not defined
 >     [...]
 >
 > But i don't know whether that'd get rid of all problems.
 >
 > Best regards,
 >
 > Lutz
 >

Hi,

 The quick answer is no, it wouldn't be enough. For example, try
 type(sys.stdin)('/etc/passwd') or the equivalent
 sys.stdin.__class__('/etc/passwd'). Also, as
 http://mail.python.org/pipermail/python-dev/2006-July/067291.html
 points out, file can be obtained from object.__subclasses__(). (object itself can be found by working up the 
inheritance tree from any new-style class - say, a string - using __bases__)

 Python's powerful introspection support and lack of data hiding make
 doing any sort of meaningful sandboxing within the language itself very difficult. There used to be a bundled module 
called rexec to do this (via a combination of hooks into the interpreter and built-in support), but it was 
depreciated due to security issues. They might be doing something similar - it seems to strip what functions from 
native-code modules can be imported to some safe whitelist (and load all modules written in Python within the 
sandbox).

 Aidan

_______________________________________________
 Dailydave mailing list
 Dailydave () lists immunitysec com
 http://lists.immunitysec.com/mailman/listinfo/dailydave



-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Google Apps Engine Dave Aitel (Apr 08)
- Re: Google Apps Engine jf (Apr 08)
- Re: Google Apps Engine Jeremy Kelley (Apr 08)
  - Re: Google Apps Engine jf (Apr 08)
  - Re: Google Apps Engine Lutz Böhne (Apr 11)
    - Re: Google Apps Engine Jeremy Kelley (Apr 11)
    - Re: Google Apps Engine Aidan Thornton (Apr 12)
    - Re: Google Apps Engine Thomas Ptacek (Apr 13)