On Tue, Apr 12, 2016 at 11:12:27PM +1000, Steven D'Aprano wrote: > I can think of one possible threat. Suppose that the locale library > has a bug, so that calling "aardvark".isdigit seg faults, potentially > executing arbitrary C code, but at the very least crashing the > application. Is that the sort of attack you're concerned by?
This thread already covered the need to address SEGV at length. For a truly evil user, almost any kind of crash is an opportunity to take control of the system, and a security solution ignoring this is no security solution at all. > Maybe so. And then Jon will fix that vulnerability. And somebody will > find a new one. And he'll fix that too, or decide that it is too hard > to fix and give up. > > That's how security works. Even software designed for security can > have exploitable bugs: > > It seems unfair to me to hold Jon to a higher standard than we hold > people like Apple, or the Linux kernal devs. I don't believe that's what is happening here. In the OS analogy, Jon is generating busywork trying to secure an environment similar to Windows 3.1 that was simply never designed with e.g. memory protection in mind to begin with, and there is no evidence after numerous attempts spanning many years by multiple people that such an environment can be secured meaningfully while still remaining generally useful. > I fully accept and respect your personal opinion, based on your > experience, that Jon's tactic is doomed to failure. But if he needs to > learn this for himself, just as you had to learn it for yourself > (otherwise you wouldn't have started your own sandbox project), I can > respect that too. Progress depends on the unreasonable person who > thinks they can overturn the conventional wisdom. I'd deeply prefer it is this turned into an investigation or patchset making CPython work nicely with seccomp, sandbox(7), pledge(2) or whatever capability minimization mechanisms exist on Windows, they are all mechanisms to make it much safer for random code to be executing on your system, designed by folk who at all times expressively had security in mind. But that's not what's happening, instead a dead horse is being flogged over a hundred messages in our inboxes and IMHO it is excruciating to watch. > Even if the only thing we learn from Jon's experiment is a new set of > tricks for breaking out of the sandbox, that's still interesting, if > not useful. Don't forget the worst case: a fundamentally broken security module heavily marketed to the naive using claims the core team couldn't break it. David _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
