Hi Simon,

On Wed, Sep 19, 2007 at 01:36:43PM -0700, Simon Burton wrote:
> > It's "sandboxing" as in "full virtualization", but done in normal C with
> > no OS support at all. (...)
>
> How is this different to just linking against a libc wrapper (that does
> whatever marshal magic is required) ?

The result is similar; what differs is how we arrive there, and the level of confidence I'd have in the security of the result. In the case of PyPy the wrapping is done automatically and in a platform-independent way; contrast this with the need for the designers of the libc wrapper to carefully close all possible ways the C program could invoke the system and carefully review the result, which is error-prone and platform-specific.

More importantly for the user, in the PyPy approach the C code is not random C code, but was generated from RPython. This (together with extra run-time assertions that the translation toolchain can insert for the paranoid) means that buffer overflow or memory management attacks should not be possible. This means that there is no need to review the source code of the whole PyPy interpreter for security issues. By contrast, if you take say CPython and put it inside a libc wrapper, the result is not safe because CPython itself is open to attacks (e.g. memory management issues where carefully crafted app-level Python code could force CPython to execute arbitrary machine code - including system calls bypassing the libc wrapper).

A bientot,

Armin.

_______________________________________________
http://codespeak.net/mailman/listinfo/pypy-dev
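The interposition scheme Armin describes, sketched as an added Python example that is not part of this thread and not PyPy's own sandbox code: every "external" function the untrusted program can reach is replaced by a stub that marshals (name, args) across a byte channel, and a trusted controller on the other side unmarshals the request, applies a policy (here: a read-only virtual filesystem, captured stdout, everything else denied) and marshals the reply back. The class and function names, the `do_*` handler convention, the virtual filesystem contents and the guest program are all constructed for this example; the real PyPy sandbox speaks over the subprocess's stdin/stdout rather than a direct call.

```python
import marshal
import os


class Controller:
    """Trusted side. Owns a virtual filesystem and decides every call.

    Only marshalled bytes cross the boundary, so the untrusted side never
    reaches the real OS through this interface. (Constructed example.)
    """

    def __init__(self, virtual_fs):
        self.fs = dict(virtual_fs)   # path -> bytes, presented read-only
        self.fds = {}                # fd -> [path, offset]
        self.next_fd = 3
        self.stdout = bytearray()    # guest's fd 1 is captured, not the real one
        self.log = []                # every request, for auditing

    def handle(self, request):
        name, args = marshal.loads(request)
        self.log.append((name, args))
        handler = getattr(self, "do_" + name, None)
        if handler is None:          # default deny: unknown call -> EPERM
            return marshal.dumps(("error", "EPERM"))
        try:
            return marshal.dumps(("ok", handler(*args)))
        except OSError as exc:
            return marshal.dumps(("error", exc.strerror or str(exc)))

    def do_open(self, path, flags):
        if flags & (os.O_WRONLY | os.O_RDWR | os.O_CREAT):
            raise OSError(0, "EROFS")        # policy: no writes at all
        if path not in self.fs:
            raise OSError(0, "ENOENT")       # only the virtual view exists
        fd = self.next_fd
        self.next_fd += 1
        self.fds[fd] = [path, 0]
        return fd

    def do_read(self, fd, size):
        if fd not in self.fds:
            raise OSError(0, "EBADF")
        path, off = self.fds[fd]
        chunk = self.fs[path][off:off + size]
        self.fds[fd][1] = off + len(chunk)
        return chunk

    def do_write(self, fd, data):
        if fd != 1:
            raise OSError(0, "EBADF")
        self.stdout += data
        return len(data)

    def do_close(self, fd):
        if self.fds.pop(fd, None) is None:
            raise OSError(0, "EBADF")
        return None


class SandboxStubs:
    """Untrusted side: stand-ins for the external functions.

    Each stub marshals (name, args), sends it over the channel and turns the
    reply back into a return value or an OSError. The guest has no other way
    to talk to the outside world. (Constructed example.)
    """

    def __init__(self, channel):
        self._channel = channel      # bytes -> bytes; a direct call here, a pipe in PyPy

    def __getattr__(self, name):
        def stub(*args):
            status, value = marshal.loads(self._channel(marshal.dumps((name, args))))
            if status == "error":
                raise OSError(value)
            return value
        return stub


def untrusted_program(sys_):
    """Sample guest code (constructed). It can only reach the world via sys_."""
    outcomes = {}
    fd = sys_.open("/etc/motd", os.O_RDONLY)
    outcomes["motd"] = sys_.read(fd, 100)
    sys_.close(fd)
    sys_.write(1, b"hello from the sandbox\n")
    attempts = [
        ("write_attempt", lambda: sys_.open("/etc/motd", os.O_WRONLY)),
        ("missing", lambda: sys_.open("/etc/shadow", os.O_RDONLY)),
        ("unlink", lambda: sys_.unlink("/etc/motd")),   # no handler -> denied
    ]
    for label, call in attempts:
        try:
            call()
            outcomes[label] = "allowed"
        except OSError as exc:
            outcomes[label] = exc.args[0]
    return outcomes


def run_sandboxed(program, virtual_fs):
    """Run `program` with its external calls routed through a Controller."""
    ctl = Controller(virtual_fs)
    result = program(SandboxStubs(ctl.handle))
    return result, bytes(ctl.stdout), ctl.log


# Constructed virtual filesystem: the only file the guest will ever see.
SAMPLE_FS = {"/etc/motd": b"Welcome to the virtual box\n"}

if __name__ == "__main__":
    result, out, log = run_sandboxed(untrusted_program, SAMPLE_FS)
    print(result, out, [name for name, _ in log])
```

The model only shows the marshalling half of the argument. A plain-Python guest could ignore `sys_` and `import os` directly, which is exactly the weakness Armin attributes to wrapping CPython's libc: the wrapper is only as good as the guest's inability to reach around it. In the PyPy design that inability comes from the guest being RPython-generated C with the external calls replaced at translation time and no memory-corruption route to a raw syscall, which is something no controller-side policy can substitute for.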
