couchdb-dev mailing list archives

From Klaus Trainer <klaus_trai...@posteo.de>
Subject Re: Elixir Sandbox
Date Wed, 16 Oct 2013 21:32:24 GMT
Hi there!

You might want to check out Try Erlang (http://www.tryerlang.org/).
That is, you can't check out the source code right now.  However,
according to the FAQ (http://www.tryerlang.org/faq) they "plan to
release the whole project as Open Source very soon".  I guess that
nagging Roberto Aloi (who's the principal author) might speed that up ;)

Regarding sandbox security: I believe that it is possible to implement a
sandbox thing that provides reasonable security, as long as your
whitelist is restrictive enough.  That is, one has to be pretty cautious
regarding the whitelist policy, especially when it comes to functions
that have the ability to construct new terms, like for instance
`list_to_atom/1` or `binary_to_term/1,2`.  The former makes it possible to
fill up the Erlang VM's atom table, which makes it prone to DoS attacks.
The latter has a "safe" mode (when being invoked with the `safe`
option), though, but still allows creating function references, which
can be exploited (see
http://aloiroberto.wordpress.com/2010/10/14/how-they-tried-to-fool-tryerlang-org/).

Oh, I've used the term "reasonable security" above.  I should explain
(at least roughly) what I mean by that ;)  For example, Try Erlang has
existed (and been online) for several years now, and people
haven't found anything exploitable, except for one time more than three
years ago.  Depending on your security needs, your knowledge of Erlang,
your knowledge of the sandbox code, and other known facts as well as
your general level of paranoia, this might be enough for you to trust it.


Klaus


On 10/16/2013 08:48 PM, Paul Davis wrote:
> There have been discussions on figuring out how to sandbox Erlang. The
> biggest thing on that front was that we'd want it to be a whitelist as
> opposed to a blacklist of modules and/or module/function pairs. The
> second is that with dynamic invocation it's not immediately apparent if
> that's entirely possible to do.
> 
> On Wed, Oct 16, 2013 at 10:39 AM, Chris Keele <email@chriskeele.com> wrote:
>> Hey everyone! I'm trying to develop a sandbox for Elixir, and I wanted to see how
>> such a library might prove useful to the CouchDB dev community.
>>
>> My initial goal is just to be able to run string of code in a predefined environment
>> with configurable modules disabled, returning all output. But I'd like to design it for bigger
>> things from the ground up, so I was wondering what sorts of requirements you might have of
>> a sandbox library if you wanted to, say, implement a secure view processor.
>>
>> I've started a discussion thread here: https://groups.google.com/forum/#!topic/elixir-lang-talk/wA1l74HCZmI,
>> but I'm particularly interested in your opinions!
>> --
>> Chris Keele
>>
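An added example, not part of the thread and not code from Try Erlang or CouchDB, of the whitelist approach Klaus and Paul describe, written in Elixir since that is what Chris is building. The module name `SandboxCheck`, the small whitelist, the heap limit and the timeout value are assumptions. The check parses the snippet, walks its AST and rejects every module/function pair it does not know, refuses dynamic dispatch outright (the open question Paul raises), and keeps the atom-minting and term-constructing functions Klaus names off the list; only code that passes is evaluated, and then in a separate process under a heap limit and a timeout.

```elixir
defmodule SandboxCheck do
  @moduledoc """
  Whitelist-based static check for a snippet of Elixir source (added example
  for this thread; not Try Erlang's or CouchDB's code). Every call in the
  parsed AST must be an explicitly allowed module/function pair or a listed
  syntax form; anything else, including dynamic dispatch, is rejected before
  any of the code is evaluated.
  """

  # Allowed {module, function} pairs (an assumed, deliberately tiny list).
  # Absent on purpose: anything that mints new atoms (:erlang.list_to_atom/1,
  # String.to_atom/1), anything that rebuilds arbitrary terms
  # (:erlang.binary_to_term/1,2, even with :safe), and apply/2,3, spawn, send.
  @allowed [
    {Enum, :map}, {Enum, :filter}, {Enum, :sum},
    {String, :upcase}, {String, :length},
    {Kernel, :+}, {Kernel, :-}, {Kernel, :*}, {Kernel, :rem},
    {Kernel, :==}, {Kernel, :|>}
  ]

  # Syntax forms that are not calls into any module and are safe to keep.
  @special_forms [:fn, :->, :__block__, :=, :., :__aliases__, :&, :{}, :%{}, :<<>>, :when]

  @doc "Parses `source` and returns {:ok, ast} or {:error, [reason, ...]}."
  def check(source) when is_binary(source) do
    case Code.string_to_quoted(source) do
      {:ok, ast} ->
        {_ast, errors} = Macro.prewalk(ast, [], &inspect_node/2)
        if errors == [], do: {:ok, ast}, else: {:error, Enum.reverse(errors)}

      {:error, reason} ->
        {:error, [{:parse_error, reason}]}
    end
  end

  @doc "Checks `source`, then evaluates it in an unlinked process under a heap limit and a timeout."
  def run(source, timeout_ms \\ 1_000) do
    with {:ok, ast} <- check(source) do
      {pid, ref} =
        spawn_monitor(fn ->
          # Heap limit in words (assumed value). It bounds this process only;
          # the atom table is global, which is why list_to_atom stays off the whitelist.
          Process.flag(:max_heap_size, %{size: 10_000_000, kill: true, error_logger: false})
          exit({:result, Code.eval_quoted(ast)})
        end)

      receive do
        {:DOWN, ^ref, :process, ^pid, {:result, {value, _binding}}} -> {:ok, value}
        {:DOWN, ^ref, :process, ^pid, reason} -> {:error, {:crashed, reason}}
      after
        timeout_ms ->
          Process.exit(pid, :kill)
          Process.demonitor(ref, [:flush])
          {:error, :timeout}
      end
    end
  end

  # Mod.fun(args) with a literal Elixir alias, e.g. Enum.map(list, f).
  defp inspect_node({{:., _, [{:__aliases__, _, parts}, fun]}, _, args} = node, errs)
       when is_list(args) do
    cond do
      not Enum.all?(parts, &is_atom/1) -> {node, [:dynamic_dispatch | errs]}
      {Module.concat(parts), fun} in @allowed -> {node, errs}
      true -> {node, [{:forbidden_call, Module.concat(parts), fun} | errs]}
    end
  end

  # :mod.fun(args) with a literal Erlang module, e.g. :erlang.list_to_atom(l).
  defp inspect_node({{:., _, [mod, fun]}, _, args} = node, errs)
       when is_atom(mod) and is_atom(fun) and is_list(args) do
    if {mod, fun} in @allowed, do: {node, errs}, else: {node, [{:forbidden_call, mod, fun} | errs]}
  end

  # Module or function computed at run time (x.foo(), mod.fun(...)): a static
  # whitelist cannot know what will be called, so reject it outright.
  defp inspect_node({{:., _, [_, _]}, _, args} = node, errs) when is_list(args) do
    {node, [:dynamic_dispatch | errs]}
  end

  # f.(x): calling an anonymous function defined in the snippet; its body is
  # walked and checked like any other code, so nothing extra to do here.
  defp inspect_node({{:., _, [_]}, _, args} = node, errs) when is_list(args), do: {node, errs}

  # Local call or operator (apply/3, spawn/1, +, ...): Kernel functions must be
  # whitelisted explicitly; listed syntax forms pass.
  defp inspect_node({fun, _, args} = node, errs) when is_atom(fun) and is_list(args) do
    cond do
      fun in @special_forms -> {node, errs}
      {Kernel, fun} in @allowed -> {node, errs}
      true -> {node, [{:forbidden_call, Kernel, fun} | errs]}
    end
  end

  # Variables, literals, lists, two-element tuples: nothing to check.
  defp inspect_node(node, errs), do: {node, errs}
end
```

With this, `SandboxCheck.run("Enum.map([1, 2, 3], fn x -> x * 2 end)")` is accepted, while a snippet containing `:erlang.list_to_atom(...)`, `String.to_atom(...)`, `apply(...)` or `mod.fun(...)` comes back as `{:error, [...]}` without ever being evaluated. The heap limit and timeout only bound the evaluating process; neither helps against atom-table exhaustion, which is exactly why the functions Klaus names have to be kept off the whitelist rather than merely rate-limited.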


