[Dailydave] Google Apps Engine

Thomas Ptacek tqbf at matasano.com
Sat Apr 12 14:22:15 EDT 2008


If you own the interpreter codebase, shouldn't it be possible just to
hook libc's open(2) stub, and give a unique signature to calls that
originated on a trusted code path? This doesn't seem at all hard to
me.

On 4/12/08, Aidan Thornton <makosoft at googlemail.com> wrote:
>
>  On 4/11/08, Lutz Böhne <lboehne at damogran.de> wrote:
>  > > Even those could easily be sanitized by just some fun with function
>  > > pointers.
>  > >
>  > >     >>> open=lambda *x: "no"
>  > >     >>> open('/etc/passwd')
>  > >     'no'
>  >
>  > Unless there are other ways to find these functions:
>  >
>  >     >>> __builtins__.__dict__["open"]( '/etc/passwd')
>  >     <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>
>  >
>  > or even:
>  >
>  >     >>> open=lambda *x: "no"
>  >     >>> open('/etc/passwd')
>  >     'no'
>  >     >>> del open
>  >     >>> open('/etc/passwd')
>  >     <open file '/etc/passwd', mode 'r' at 0xb7db44a0>
>  >
>  > Python is fun, there are so many ways to have it do what you want ;)
>  >
>  > It might be possible to remove these functions like this:
>  >
>  >     >>> del __builtins__.__dict__["open"]
>  >     >>> open('/etc/passwd')
>  >     Traceback (most recent call last):
>  >       File "<stdin>", line 1, in <module>
>  >     NameError: name 'open' is not defined
>  >     [...]
>  >
>  > But I don't know whether that'd get rid of all problems.
>  >
>  > Best regards,
>  >
>  > Lutz
>  >
>
>
> Hi,
>
>  The quick answer is no, it wouldn't be enough. For example, try
>  type(sys.stdin)('/etc/passwd') or the equivalent
>  sys.stdin.__class__('/etc/passwd'). Also, as
>  http://mail.python.org/pipermail/python-dev/2006-July/067291.html
>  points out, file can be obtained from object.__subclasses__(). (object itself can be found by working up the inheritance tree from any new-style class - say, a string - using __bases__)
>
>  Python's powerful introspection support and lack of data hiding make
>  doing any sort of meaningful sandboxing within the language itself very difficult. There used to be a bundled module called rexec to do this (via a combination of hooks into the interpreter and built-in support), but it was deprecated due to security issues. They might be doing something similar - it seems to strip what functions from native-code modules can be imported to some safe whitelist (and load all modules written in Python within the sandbox).
>
>
>  Aidan
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
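
An added example, not part of the original thread: the contrast between removing names and enforcing at the point where files are actually opened, shown with Python 3.8+ `sys.addaudithook` as a stand-in for the libc open(2) hook suggested above. The thread-local guest flag, `run_guest` and `demo` are hypothetical names, and the flag stands in for the "trusted code path" signature.

```python
import builtins
import io
import os
import sys
import tempfile
import threading

# Assumption: a per-thread flag says whether guest code is running.
_state = threading.local()

def _deny_guest_opens(event, args):
    # CPython raises the "open" audit event inside the file-opening code
    # itself, so it fires whichever name or class the caller went through.
    if event == "open" and getattr(_state, "guest", False):
        raise PermissionError(f"guest open denied: {args[0]!r}")

sys.addaudithook(_deny_guest_opens)  # Python 3.8+; hooks cannot be removed

def run_guest(fn):
    """Run fn with the guest flag set; return its result or the denial."""
    _state.guest = True
    try:
        return fn()
    except PermissionError as exc:
        return exc
    finally:
        _state.guest = False

def demo():
    # Constructed sample: a scratch file written on the trusted path.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"secret")
    os.close(fd)
    routes = {
        "builtin open": lambda: open(path).read(),
        "builtins dict": lambda: builtins.__dict__["open"](path).read(),
        "io.FileIO": lambda: io.FileIO(path).read(),
        "os.open": lambda: os.close(os.open(path, os.O_RDONLY)),
    }
    results = {name: run_guest(fn) for name, fn in routes.items()}
    with open(path) as fh:  # same call, trusted path: allowed
        trusted = fh.read()
    os.unlink(path)
    return results, trusted

if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(f"{name:14} -> {outcome!r}")
```

The flag here lives in the same process as the guest code, and Python's own documentation states that audit hooks are not a sandbox; the example only shows why a check below name lookup sees every route.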

