couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: Elixir Sandbox
Date Wed, 16 Oct 2013 21:58:00 GMT

On Oct 16, 2013, at 23:40, Benoit Chesneau <bchesneau@gmail.com> wrote:

> On Wed, Oct 16, 2013 at 11:32 PM, Klaus Trainer <klaus_trainer@posteo.de> wrote:
> 
>> Hi there!
>> 
>> You might want to check out Try Erlang (http://www.tryerlang.org/).
>> That is, you can't check out the source code right now.  However,
>> according to the FAQ (http://www.tryerlang.org/faq) they "plan to
>> release the whole project as Open Source very soon".  I guess that
>> nagging Roberto Aloi (who's the principal author) might speed that up ;)
>> 
>> Regarding sandbox security: I believe that it is possible to implement a
>> sandbox thing that provides reasonable security, as long as your
>> whitelist is restrictive enough.  That is, one has to be pretty cautious
>> regarding the whitelist policy, especially when it comes to functions
>> that have the ability to construct new terms, like for instance
>> `list_to_atom/1` or `binary_to_term/1,2`.  The former makes it possible to
>> fill up the Erlang VM's atom table, which makes it prone to DoS attacks.
>> The latter does have a "safe" mode (when invoked with the `safe`
>> option), but still allows one to create function references, which
>> can be exploited (see
>> 
>> http://aloiroberto.wordpress.com/2010/10/14/how-they-tried-to-fool-tryerlang-org/
>> ).
>> 
>> Oh, I've used the term "reasonable security" above.  I should explain
>> (at least roughly) what I mean with that ;)  For example, Try Erlang has
>> existed (and been online) for several years now, and people
>> haven't found anything exploitable, except for one time more than three
>> years ago.  Depending on your security needs, your knowledge of Erlang,
>> your knowledge of the sandbox code, and other known facts as well as
>> your general level of paranoia, this might be enough for you to trust it.
>> 
>> 
>> Klaus
>> 
>> 
> 
> On Linux a simpler way would be launching an external command in a cgroup,
> with cgexec from libcgroup or stuff like
> https://github.com/thestinger/playpen. Rather than trying to filter any call,
> you could then forbid some devices, the network and such...

at which point you lose all the speed improvements an in-VM language gives
you.

Jan
--
> 
> - benoit
> 
> 
> 
> 
>> 
>> On 10/16/2013 08:48 PM, Paul Davis wrote:
>>> There have been discussions on figuring out how to sandbox Erlang. The
>>> biggest thing on that front was that we'd want it to be a whitelist as
>>> opposed to a blacklist of modules and/or module/function pairs. The
>>> second is that with dynamic invocation it's not immediately apparent if
>>> that's entirely possible to do.
>>> 
>>> On Wed, Oct 16, 2013 at 10:39 AM, Chris Keele <email@chriskeele.com>
>> wrote:
>>>> Hey everyone! I'm trying to develop a sandbox for Elixir, and I wanted
>> to see how such a library might prove useful to the CouchDB dev community.
>>>> 
>>>> My initial goal is just to be able to run a string of code in a
>> predefined environment with configurable modules disabled, returning all
>> output. But I'd like to design it for bigger things from the ground up, so
>> I was wondering what sorts of requirements you might have of a sandbox
>> library if you wanted to, say, implement a secure view processor.
>>>> 
>>>> I've started a discussion thread here:
>> https://groups.google.com/forum/#!topic/elixir-lang-talk/wA1l74HCZmI, but
>> I'm particularly interested in your opinions!
>>>> --
>>>> Chris Keele
>>>> 
>> 
>> 
>> 

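The whitelist approach Klaus and Paul describe above, worked through as an added example (this is not CouchDB, Try Erlang or Elixir sandbox code, and the module name, the whitelist contents and the 1 s timeout are assumptions). It evaluates an untrusted expression string with erl_eval and enforces the whitelist in the non-local function handler, i.e. at call time rather than by inspecting the parsed source, which is what makes `apply/3` and `M:F(A)` with run-time bound `M` and `F` checkable:

```erlang
%% sandbox.erl: evaluate an untrusted Erlang expression string through erl_eval,
%% refusing every call that is not on a whitelist. Added example; not CouchDB's
%% or Try Erlang's code. Module name, whitelist and timeout are assumptions.
-module(sandbox).
-export([run/1, run/2, allowed/3]).

-define(TIMEOUT_MS, 1000).

%% Module:Function/Arity the sandboxed code may call. Nothing else is reachable:
%% in particular list_to_atom/1 (atom table exhaustion) and binary_to_term/1,2
%% (even with the safe option, per the thread) are deliberately absent.
%% erl_eval evaluates operators as calls to erlang:'+'/2 etc., so list them too.
-define(WHITELIST, [
    {erlang, '+', 2}, {erlang, '-', 2}, {erlang, '*', 2}, {erlang, 'div', 2},
    {erlang, 'rem', 2}, {erlang, '==', 2}, {erlang, '<', 2}, {erlang, '>', 2},
    {erlang, '++', 2}, {erlang, length, 1}, {erlang, hd, 1}, {erlang, tl, 1},
    {erlang, element, 2}, {erlang, tuple_size, 1}, {erlang, byte_size, 1},
    {erlang, list_to_existing_atom, 1},
    {lists, seq, 2}, {lists, map, 2}, {lists, foldl, 3}, {lists, reverse, 1},
    {lists, sum, 1}, {lists, sort, 1}
]).

allowed(M, F, A) -> lists:member({M, F, A}, ?WHITELIST).

run(Source) -> run(Source, erl_eval:new_bindings()).

%% Evaluate in a throwaway process so a runaway loop can be killed on timeout
%% and a crash never takes the caller down.
run(Source, Bindings) ->
    Parent = self(),
    {Pid, Ref} = spawn_monitor(fun() -> Parent ! {self(), eval(Source, Bindings)} end),
    receive
        {Pid, Result} ->
            erlang:demonitor(Ref, [flush]),
            Result;
        {'DOWN', Ref, process, Pid, Reason} ->
            {error, {crashed, Reason}}
    after ?TIMEOUT_MS ->
        exit(Pid, kill),
        erlang:demonitor(Ref, [flush]),
        {error, timeout}
    end.

eval(Source, Bindings) ->
    case parse(Source) of
        {ok, Exprs} ->
            %% Local calls to names that are not BIFs: nothing is defined, so refuse.
            Local = {value, fun(Name, Args) ->
                                throw({forbidden, {local, Name, length(Args)}})
                            end},
            NonLocal = {value, fun nonlocal/2},
            try erl_eval:exprs(Exprs, Bindings, Local, NonLocal) of
                {value, Value, _NewBindings} -> {ok, Value}
            catch
                throw:{forbidden, _} = Why -> {error, Why};
                Class:Reason -> {error, {Class, Reason}}
            end;
        Error ->
            Error
    end.

parse(Source) ->
    case erl_scan:string(Source) of
        {ok, Tokens, _} ->
            case erl_parse:parse_exprs(Tokens) of
                {ok, Exprs}  -> {ok, Exprs};
                {error, Err} -> {error, {parse, Err}}
            end;
        {error, Err, _} ->
            {error, {scan, Err}}
    end.

%% erl_eval routes every remote call, BIF call, operator and application of a
%% fun it did not create itself through this handler, with the arguments already
%% evaluated. apply(M, F, A) and M:F(A) with M and F bound at run time therefore
%% arrive here as a plain {M, F} and are checked like any static call.
%% The refusal happens before apply/3 runs, so a `catch` in the sandboxed
%% source can only hide the error, never get the forbidden call executed.
nonlocal({M, F}, Args) when is_atom(M), is_atom(F) ->
    case allowed(M, F, length(Args)) of
        true  -> apply(M, F, Args);
        false -> throw({forbidden, {M, F, length(Args)}})
    end;
nonlocal(Fun, _Args) when is_function(Fun) ->
    %% Funs defined inside the sandboxed source are applied by erl_eval itself
    %% and never get here; any other fun value came from outside (for example
    %% through Bindings) and is refused.
    throw({forbidden, {external_fun, Fun}}).
```

`sandbox:run("lists:sum([X * 2 || X <- lists:seq(1, 10)]).")` returns `{ok,110}`, while `sandbox:run("apply(erlang, halt, []).")` returns `{error,{forbidden,{erlang,halt,0}}}`: the target was only known once the arguments were evaluated, and the check still fired. Two caveats the whitelist cannot cover: `erl_scan:string/1` itself interns every atom literal in the source, so input size and rate have to be capped before parsing, and the timeout bounds CPU time but not the memory a single expression such as a huge `lists:seq/2` can allocate.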
