Thinking Outside the 
[Sand]Box
>>> dir(self)
• Michael Genkin
• A computer engineer
• A researcher
• A jack of many trades
• And a master of some
• Prefers Python [2.7] to your favorite programming language since 2008.
• Isn't afraid of the bytecode.
Outline 
• Sandboxes – how & why? 
• A bit of Python 
• Code execution 
• __builtins__ 
• Python Sandbox – HowTo & Examples 
• Blacklisting 
• Whitelisting 
• Modifying __builtins__ 
• If time allows 
• CPython implementation details 
• Code objects
What’s a Sandbox? 
“A security mechanism for separating running programs. It is often used 
to execute untested code, or untrusted programs from unverified third 
parties, suppliers, untrusted users and untrusted websites. 
The sandbox typically provides a tightly controlled set of resources for 
guest programs to run in…” [Wikipedia]
Why a Sandbox?
• UNTRUSTED CODE? Why would we ever want to execute untrusted code?
• Learning platform
• A certain challenge site
• Development environment as a Service
How to Sandbox?
OS Level
• Linux seccomp
• PyPy Sandboxing
Language Level/In-Process*
• PySandbox
• rexec
* Don't use these in-process examples at home or in production: rexec was disabled in Python 2.3 because it could not be secured, and pysandbox was later declared broken by design by its own author.
A Bit of Python… 
Quick detour
Code Execution in Python
• How does one execute untrusted code?
• Or simply dynamically generated code…
• A few ways…
• exec / execfile – compile & execute a statement (or a file).
• eval – compile & execute an expression.
• if you really need eval – try using ast.literal_eval()
• os.exec* – replace the current process with another program (os.system and subprocess spawn a new one, optionally through a shell)
• subprocess...
• pickle – a minefield: unpickling untrusted data runs arbitrary code
• Don't do this at home..!
• Really. Don't. Ever.
Shit Can Happen… 
• Resource exhaustion – DoS 
• Information disclosure 
• Server takeover
Tools of Chaos
• file/open
• Though we might need those…
• eval/exec/execfile
• exit/quit
• pickle/os/subprocess
• We might need those as well
Nice to Meet You __builtins__ 
>>> print dir(__builtins__) 
['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 
'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 
'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 
'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 
'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 
'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 
'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 
'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 
'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 
'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 
'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 
'UnicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError', 
'_', '__debug__', '__doc__', '__import__', '__name__', '__package__', 'abs', 
'all', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer', 'bytearray', 
'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 
'complex', 'copyright', 'credits', 'delattr', 'dict', 'dir', 'divmod', 
'enumerate', 'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format', 
'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 
'input', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 
'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', 
'oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 
'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 
'sorted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 
'unicode', 'vars', 'xrange', 'zip']
We Need a Sandbox… 
A Builder & Breaker How-To
An Optimal [Python] Sandbox
class Sandbox(object):
    def __make_secure(self, unsafecode):
        """ Black Magic """
        return safecode

    def execute(self, code):
        exec self.__make_secure(code)

if __name__ == '__main__':
    s = Sandbox()
    s.execute("print 'Hello World!'")  # Hello World!
    s.execute("*bad stuff*")           # raises an exception
• What does this *black magic* really look like?
Blacklisting __builtins__
def __make_secure(self, unsafecode):
    keyword_blacklist = ["file", "quit", "eval", "exec",
                         "execfile", "exit"]
    for keyword in keyword_blacklist:
        # Plain substring match on the source text: it also rejects
        # harmless names such as "profile" or "exits", and sees nothing
        # that is assembled at run time.
        if keyword in unsafecode:
            raise ValueError("Blacklisted")
    return unsafecode
Circumventing a Blacklist
• The problem with blacklists is that they're always incomplete…
• What isn't in the blacklist? The check only sees the source text, so a name built at run time never matches:
s.execute("""
__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)
""")  # "ZXZhbA==" is base64 for "eval"
• Lesson learned…
• If we can get a reference to something – we can invoke it.
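The blacklist and its circumvention, as an added example that is not part of the original slides. It is written for Python 3 (the slides use 2.7, where `"...".decode("base64")` exists; Python 3 needs the base64 module instead) and keeps the slide's blacklist unchanged. The host runs the code with the full builtins module in scope, just as the slide's bare `exec` does, and four constructed payloads reach `eval` without the token "eval" ever appearing in their source. The function and payload names are this example's own.

```python
import builtins

# The slide's blacklist, unchanged.
KEYWORD_BLACKLIST = ("file", "quit", "eval", "exec", "execfile", "exit")


def make_secure(unsafecode):
    """Substring blacklist from the slide: reject the source if any listed token occurs."""
    for keyword in KEYWORD_BLACKLIST:
        if keyword in unsafecode:
            raise ValueError("Blacklisted: %r" % keyword)
    return unsafecode


def execute(code):
    """Run the code with the real builtins module in scope, like the slide's exec statement."""
    namespace = {"__builtins__": builtins}
    exec(make_secure(code), namespace)
    return namespace.get("result")


# Constructed payloads: each obtains a reference to eval() by building the name at run time,
# so the substring check never sees "eval".
PAYLOADS = {
    "base64":   'result = __builtins__.__dict__[__import__("base64").b64decode("ZXZhbA==").decode()]("6 * 7")',
    "chr":      'result = __builtins__.__dict__["".join(map(chr, [101, 118, 97, 108]))]("6 * 7")',
    "reversed": 'result = __builtins__.__dict__["lave"[::-1]]("6 * 7")',
    "concat":   'result = getattr(__builtins__, "ev" + "al")("6 * 7")',
}


def run_bypasses():
    """Return {payload name: evaluated result}; every payload passes the blacklist."""
    return {name: execute(code) for name, code in PAYLOADS.items()}


def direct_call_is_blocked():
    """The naive form is still caught, which is all the blacklist ever protected against."""
    try:
        execute('result = eval("6 * 7")')
    except ValueError:
        return True
    return False
```

The check that matters is not which strings are on the list but whether the untrusted code can obtain a reference to the dangerous object at all; once `__builtins__` (or `getattr`, or `__import__`) is reachable, the name is just data.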
Whitelisting __builtins__
import sys

def __make_secure(self, unsafecode):
    # Blacklisting code
    main = sys.modules["__main__"].__dict__
    orig_builtins = main["__builtins__"].__dict__
    builtins_whitelist = set((
        'ArithmeticError', 'AssertionError', 'AttributeError', ...  # Exceptions
        'False', 'None', 'True', ...  # Constants
        'basestring', 'bytearray', 'bytes', 'complex', 'dict', ...  # Types
        '__import__', 'abs', 'all', 'any', 'apply', 'bin', 'bool', ...  # Functions
        # Block: eval, execfile, file, quit, exit, reload, etc.
    ))
    # This edits the interpreter's one shared __builtins__ dict in place,
    # so the host process loses these names as well, not just the sandbox.
    for builtin in orig_builtins.keys():
        if builtin not in builtins_whitelist:
            del orig_builtins[builtin]
    return unsafecode  # No way to do bad stuff now...

s.execute('__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)')  # KeyError: 'eval' is gone (a bare eval(...) would be a NameError)
I Brought This Little Something…
• The whitelist ensures we don't have anything useful in scope…
• But can we bring more stuff into scope?
s.execute("""
import os
os.system("python -c '*something bad*'")
""")
• Lesson learned…
• Whitelisting __builtins__ isn't enough if the attacker can just import stuff
Whitelisting Imports
• Ever wondered how Python imports work? The import statement calls the __import__ builtin:
importer = __builtins__.__dict__.get('__import__')
os = importer('os')
• And how to roll your own?
Whitelisting Imports
_real_import = __import__  # captured before __builtins__['__import__'] is replaced,
                           # otherwise safe_importer would call itself forever

def safe_importer(module_name, globals={}, locals={}, fromlist=[], level=-1):
    print "You can't import anything bad now..."
    good_modules = ['string', 're', ...]
    # Doesn't include os, subprocess, or pickle!
    if module_name in good_modules:
        return _real_import(module_name, globals, locals, fromlist, level)
    else:
        raise ImportError("You can't import this!")

def __make_secure(self, unsafecode):
    # Blacklisting code
    # Whitelisting code
    orig_builtins['__import__'] = safe_importer

s.execute("""
import os
os.system("python -c '*something bad*'")
""")  # ImportError
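The builtins whitelist and the import whitelist from the last few slides, combined into one sandbox as an added example that is not part of the original slides. It is Python 3 and differs from the slides in one deliberate way: instead of deleting names from the interpreter's shared `__builtins__`, it hands each run a fresh dict copied from a whitelist, so the host keeps its own builtins and one run cannot poison the next. The module whitelist, the builtin names and the snippet inputs are this example's assumptions (the slide elides its lists); the real importer is captured from the builtins module before anything is patched.

```python
import builtins

# Whitelisted builtins: copied out of the real module, never deleted from it.
SAFE_BUILTIN_NAMES = (
    "abs", "all", "any", "bool", "dict", "enumerate", "float", "int", "len",
    "list", "max", "min", "range", "set", "sorted", "str", "sum", "tuple", "zip",
    "ValueError", "ImportError", "KeyError",
)
SAFE_BUILTINS = {name: getattr(builtins, name) for name in SAFE_BUILTIN_NAMES}

# Assumed module whitelist for this example.
ALLOWED_MODULES = frozenset({"string", "re", "math", "json"})

# Captured once, before anything is patched, so the importer never recurses into itself.
_real_import = builtins.__import__


def safe_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Drop-in for __import__ that honours only ALLOWED_MODULES.

    level != 0 is a relative import; name.partition(".") catches 'os.path'-style
    submodule imports that would otherwise load 'os' as a side effect.
    """
    if level != 0 or name.partition(".")[0] not in ALLOWED_MODULES:
        raise ImportError("import of %r is not allowed in the sandbox" % name)
    return _real_import(name, globals, locals, fromlist, level)


def execute(code):
    """Run untrusted code with a fresh builtins dict and the guarded importer."""
    sandbox_builtins = dict(SAFE_BUILTINS)
    sandbox_builtins["__import__"] = safe_import
    namespace = {"__builtins__": sandbox_builtins}
    exec(code, namespace)
    return namespace


def demo():
    """Constructed snippets: whitelisted imports work, everything else fails closed."""
    outcomes = {"math": execute("import math\nresult = math.gcd(12, 18)")["result"]}
    for snippet in ("import os", "from os import system", "import os.path",
                    "eval('1')", "open('/etc/passwd')"):
        try:
            execute(snippet)
            outcomes[snippet] = "allowed"
        except (ImportError, NameError) as exc:
            outcomes[snippet] = type(exc).__name__
    return outcomes
```

Every module on the whitelist is still a live object whose globals reference the real builtins, so this closes the import door without closing the attribute-access door; that is the gap the next slide walks through.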
I Know I Left This Somewhere…
• What do we have left?
• Do we have anything useful left?
• We still have some types… let's check them out
• If we have a class, we also have its metaclass, and through it the whole class hierarchy
• PEP 253 - __bases__ & __subclasses__()
If We Have a Reference…
s.execute("""
__builtins__.__dict__['__import__'] = ().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']
import os
os.system("python -c '*something bad*'")
""")
• [59] was warnings.catch_warnings in the author's Python 2.7: its instance keeps the warnings module in _module, and that module's globals hold the real __builtins__. The index differs between builds, so a reusable payload searches __subclasses__() by name instead of hard-coding it.
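The escape on this slide, as an added example that is not part of the original slides, written for Python 3 and generalised in the way the hard-coded `[59]` invites: the payload walks `object.__subclasses__()` and takes the first class whose Python-defined `__init__` carries a `__globals__` dict, because every module's globals hold a reference to the real `__builtins__`. To make the point sharp, the host gives the untrusted code an empty builtins dict, stricter than any whitelist on the slides; attribute access, loops and bare `try`/`except` need no builtins at all, and that is enough. The host-side audit function is an added check you can run to see how many such routes exist in your own interpreter. All names here are this example's own.

```python
# Constructed payload. It runs with an EMPTY builtins dict: no getattr, no object,
# no __import__. Only attribute access, loops and bare try/except are used.
ESCAPE_PAYLOAD = '''
imp = None
for cls in ().__class__.__bases__[0].__subclasses__():
    try:
        g = cls.__init__.__globals__      # only a Python-defined __init__ has this
        b = g["__builtins__"]             # every module's globals carry it
    except:
        continue
    try:
        imp = b["__import__"]             # builtins stored as a dict (imported modules)
    except:
        try:
            imp = b.__import__            # builtins stored as the module (__main__)
        except:
            continue
    break
result = imp("os").__name__
'''


def run_with_empty_builtins(code):
    """A sandbox stricter than the slide's: nothing at all is whitelisted."""
    namespace = {"__builtins__": {}}
    exec(code, namespace)
    return namespace


def escape_via_subclasses():
    """Return the name of the module the payload managed to import from inside the sandbox."""
    return run_with_empty_builtins(ESCAPE_PAYLOAD)["result"]


def reachable_import_routes():
    """Host-side audit: which classes in object.__subclasses__() expose real builtins?

    A non-empty list means in-process sandboxing of this interpreter cannot
    hold against code that has attribute access, whatever __builtins__ says.
    """
    routes = []
    for cls in object.__subclasses__():
        init = getattr(cls, "__init__", None)
        g = getattr(init, "__globals__", None)
        if g is not None and "__builtins__" in g:
            routes.append("%s.%s" % (cls.__module__, cls.__qualname__))
    return routes
```

The payload never names a module, a builtin or an index: it only needs a tuple literal and attribute access, which no whitelist of `__builtins__` or of importable modules removes. That is why the OS-level options from the "How to Sandbox?" slide are the ones to reach for.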
Questions Time! 
How many interactive Python interpreters were 
harmed while preparing this talk?
Thanks for listening! 
misha.genkin@gmail.com

 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Thinking Outside The [Sand]Box

  • 2. >>> dir(self)
    • Michael Genkin
    • A computer engineer
    • A researcher
    • A jack of many trades
    • And a master of some
    • Prefers Python [2.7] to your favorite programming language since 2008.
    • Isn’t afraid of the bytecode.
  • 3. Outline
    • Sandboxes – how & why?
    • A bit of Python
      • Code execution
      • __builtins__
    • Python Sandbox – HowTo & Examples
      • Blacklisting
      • Whitelisting
      • Modifying __builtins__
    • If time allows
      • CPython implementation details
      • Code objects
  • 4. What’s a Sandbox?
    “A security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. The sandbox typically provides a tightly controlled set of resources for guest programs to run in…” [Wikipedia]
  • 5. Why a Sandbox?
    • UNTRUSTED CODE? Why would we ever want to execute untrusted code?
      • Learning platform
      • A certain challenge site
      • Development environment as a Service
  • 6. How to Sandbox?
    OS Level
    • Linux seccomp
    • PyPy Sandboxing
    Language Level/In-Process*
    • PySandbox
    • rexec
    Don’t use those examples @Home/Production
  • 7. A Bit of Python… Quick detour
  • 8. Code Execution in Python
    • How does one execute untrusted code?
      • Or simply dynamically generated code…
    • A few ways…
      • exec(file) – compile & execute a statement (or a file).
      • eval – compile & execute an expression.
        • if you really need eval – try using ast.literal_eval()
      • os.exec* – create & execute a new shell
      • subprocess...
      • pickle – a minefield
    • Don’t do this at home..!
      • Really. Don’t. Ever.
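The slide's advice for the common case where "eval" is only used to turn text into data is ast.literal_eval(). The following is an added example (not from the talk) written for Python 3: it wraps ast.literal_eval() so that untrusted text is turned into literals only, while names, calls and attribute access are refused before anything runs. The size cap (MAX_LITERAL_BYTES), the parse_literal/classify helper names and the sample inputs are this example's own choices; the cap is there because literal_eval still has to parse the whole input first, so oversized or deeply nested text is a resource-exhaustion vector (slide 9) even though it can never execute.

```python
import ast

# Added example, not the talk's code. Constructed limit on how much text we are
# willing to hand to the parser at all: ast.literal_eval parses before it checks,
# so very large or deeply nested input costs CPU and memory even when rejected.
MAX_LITERAL_BYTES = 64 * 1024


def parse_literal(text):
    """Convert untrusted text into a Python value made only of literals.

    Accepts strings, bytes, numbers, tuples, lists, dicts, sets, booleans and None.
    Any name, call, attribute access, subscript or operator other than the
    numeric sign/complex forms that literal_eval permits raises ValueError, as
    does input that is too large or fails to parse. Nothing in `text` is executed.
    """
    if len(text) > MAX_LITERAL_BYTES:
        raise ValueError("literal too large")
    try:
        return ast.literal_eval(text)
    except (SyntaxError, MemoryError, RecursionError) as exc:
        # Normalise parser failures into the same exception type callers
        # already handle for "not a literal", so one except clause suffices.
        raise ValueError("not a literal: %s" % type(exc).__name__) from exc


def classify(text):
    """Report ('accepted', value) or ('rejected', reason) for a piece of input."""
    try:
        return 'accepted', parse_literal(text)
    except ValueError as exc:
        return 'rejected', str(exc)


if __name__ == '__main__':
    # Constructed inputs: one legitimate config literal, then the kinds of
    # expressions that eval() would have happily executed.
    samples = [
        "{'name': 'demo', 'ports': [80, 443]}",
        "__import__('os').system('id')",
        "(1).__class__",
        "open('/etc/passwd').read()",
        "[" * 5,
    ]
    for sample in samples:
        print("%-45r -> %s" % (sample, classify(sample)))
```

Unlike eval(), the worst a caller can do here is make the parser work hard, which is why the size check runs before ast.literal_eval() rather than after.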
  • 9. Shit Can Happen…
    • Resource exhaustion – DoS
    • Information disclosure
    • Server takeover
  • 10. Tools of Chaos
    • file/open
      • Though we might need those…
    • eval/exec(file)
    • exit/quit
    • pickle/os/subprocess
      • We might need those as well
  • 11. Nice to Meet You __builtins__
    >>> print dir(__builtins__)
    ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 'UnicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError',
    '_', '__debug__', '__doc__', '__import__', '__name__', '__package__',
    'abs', 'all', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 'complex', 'copyright', 'credits', 'delattr', 'dict', 'dir', 'divmod', 'enumerate', 'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format', 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 'input', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', 'oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 'sorted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 'unicode', 'vars', 'xrange', 'zip']
  • 12. We Need a Sandbox… A Builder & Breaker How-To
  • 13. An Optimal [Python] Sandbox
    class Sandbox(object):
        def __make_secure(self, unsafecode):
            """ Black Magic """
            return safecode

        def execute(self, code):
            exec self.__make_secure(code)

    if __name__ == '__main__':
        s = Sandbox()
        s.execute("print 'Hello World!'")  # Hello World!
        s.execute("*bad stuff*")           # RuntimeException
    • How does this *black magic* really look like?
  • 14. Blacklisting __builtins__
    def __make_secure(self, unsafecode):
        keyword_blacklist = ["file", "quit", "eval", "exec", "execfile", "exit"]
        for keyword in keyword_blacklist:
            if keyword in unsafecode:
                raise ValueError("Blacklisted")
        return unsafecode
  • 15. Circumventing a Blacklist
    • The problem with blacklists is that they’re always incomplete…
    • What isn’t in the blacklist?
    s.execute("""
    __builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)
    """)
    • Lesson learned…
      • If we can get a reference to something – we can invoke it.
  • 16. Whitelisting __builtins__
    import sys

    def __make_secure(self, unsafecode):
        # Blacklisting code
        main = sys.modules["__main__"].__dict__
        orig_builtins = main["__builtins__"].__dict__
        builtins_whitelist = set((
            'ArithmeticError', 'AssertionError', 'AttributeError', ...       # Exceptions
            'False', 'None', 'True', ...                                      # Constants
            'basestring', 'bytearray', 'bytes', 'complex', 'dict', ...        # Types
            '__import__', 'abs', 'all', 'any', 'apply', 'bin', 'bool', ...    # Functions
            # Block: eval, execfile, file, quit, exit, reload, etc.
        ))
        for builtin in orig_builtins.keys():
            if builtin not in builtins_whitelist:
                del orig_builtins[builtin]
        return unsafecode

    # No way to do bad stuff now...
    s.execute('__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)')  # NameError
  • 17. I Brought This Little Something…
    • The whitelist ensures we don’t have anything useful in scope…
    • But, can we bring more stuff into the scope?
    s.execute("""
    import os
    os.exec("python -c '*something bad*'")
    """)
    • Lesson learned…
      • Whitelisting __builtins__ isn’t enough if the attacker can just import stuff
  • 18. Whitelisting Imports
    • Ever wondered how Python imports work?
    importer = __builtins__.__dict__.get('__import__')
    os = importer('os')
    • And how to roll your own?
  • 19. Whitelisting Imports
    def safe_importer(module_name, globals={}, locals={}, fromlist=[], level=-1):
        print "You can't import anything bad now..."
        good_modules = ['string', 're', ...]  # Doesn't include os, subprocess, or pickle!
        if module_name in good_modules:
            return __import__(module_name, globals, locals, fromlist, level)
        else:
            raise ImportError("You can't import this!")

    def __make_secure(self, unsafecode):
        # Blacklisting code
        # Whitelisting code
        orig_builtins['__import__'] = safe_importer
        return unsafecode

    s.execute("""
    import os
    os.exec("python -c '*something bad*'")
    """)  # ImportError
  • 20. I Know I Left This Somewhere…
    • What do we have left?
    • Do we have anything useful left?
    • We have some types… let’s check them out
    • If we have a class – why not have a metaclass as well?
    • PEP 0253 - __bases__ & __subclasses__()
  • 21. I Know I Left This Somewhere…
  • 22. If We Have a Reference…
    s.execute("""
    __builtins__.__dict__['__import__'] = ().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']
    import os
    os.exec("python -c '*something bad*'")
    """)
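The walk on slide 22 works because whitelisting builtins and imports does not touch the reference graph: every object still carries __class__, every class __bases__, and object.__subclasses__() leads back to the whole process. The following is an added example, not the talk's code, that puts slides 16, 19 and 20–22 together in Python 3 (the talk uses Python 2.7, hence the exec() function and a slide-15-style payload without str.decode("base64")). Two design choices differ from the slides: the guest gets a fresh builtins dict passed as its globals instead of having the host's __main__ builtins deleted (the slide-16 approach also disarms the host process), and the source is checked at the AST level so that any dunder name or attribute is refused before compilation, which is what stops the __class__.__bases__.__subclasses__ walk. getattr, type, vars, globals and friends are deliberately absent from the whitelist, since they turn string-built names back into attribute lookups. SAFE_BUILTIN_NAMES, ALLOWED_MODULES, SandboxError, run_untrusted and attempt are this example's own names and choices.

```python
import ast
import builtins

# Added example, not the talk's code. A hardening layer for running guest
# code in-process; it is not an isolation boundary (see slide 6: use OS-level
# isolation for anything that matters).

# Builtins the guest may use. Constructed whitelist: no eval/exec/compile/open,
# and no getattr/setattr/type/vars/globals, which would let a string like
# '__cl' + 'ass__' reach attributes the AST check below cannot see.
SAFE_BUILTIN_NAMES = frozenset([
    'abs', 'all', 'any', 'bool', 'dict', 'enumerate', 'float', 'int', 'len',
    'list', 'max', 'min', 'print', 'range', 'set', 'sorted', 'str', 'sum',
    'tuple', 'zip', 'Exception', 'KeyError', 'TypeError', 'ValueError',
])

# Top-level modules the guest may import (constructed list; slide 19's idea).
ALLOWED_MODULES = frozenset(['string', 're', 'math'])


class SandboxError(Exception):
    """Raised when the source fails the static check."""


def safe_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement __import__: admits whitelisted top-level modules only.

    The interpreter calls whatever '__import__' it finds in the guest's
    builtins dict for every import statement, so installing this closes the
    slide-17 hole without touching the real builtins module.
    """
    top = name.split('.')[0]
    if level != 0 or top not in ALLOWED_MODULES:
        raise ImportError("import of %r is not allowed" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def check_source(source):
    """Parse `source` and refuse any dunder name or dunder attribute access.

    This is what blocks ().__class__.__bases__[0].__subclasses__() and direct
    use of __builtins__: the gadgets on slides 20-22 are all dunder attributes.
    Returns the tree so the caller compiles exactly what was checked.
    """
    tree = ast.parse(source, mode='exec')
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith('__'):
            raise SandboxError("dunder attribute access: .%s" % node.attr)
        if isinstance(node, ast.Name) and node.id.startswith('__'):
            raise SandboxError("dunder name: %s" % node.id)
    return tree


def make_globals():
    """Fresh globals for one run: a private builtins dict plus the import hook."""
    safe_builtins = {name: getattr(builtins, name) for name in SAFE_BUILTIN_NAMES}
    safe_builtins['__import__'] = safe_import
    return {'__builtins__': safe_builtins}


def run_untrusted(source):
    """Check, compile and execute `source`; returns the guest's namespace."""
    tree = check_source(source)
    code = compile(tree, '<untrusted>', 'exec')
    env = make_globals()
    exec(code, env)
    return env


def attempt(source):
    """Demo/test helper: ('ok', namespace) or ('blocked', exception type name)."""
    try:
        return 'ok', run_untrusted(source)
    except Exception as exc:
        return 'blocked', type(exc).__name__


if __name__ == '__main__':
    # Constructed guest programs: one benign, then the shapes from slides 15,
    # 17 and 22 plus two attempts to get around the static check with strings.
    for src in [
        "x = sum(range(10))\nimport math\ny = math.floor(2.5)",
        "__builtins__['eval']('1+1')",
        "import os",
        "().__class__.__bases__[0].__subclasses__()",
        "eval('1+1')",
        "getattr((), '__cl' + 'ass__')",
    ]:
        status, detail = attempt(src)
        print("%-50r -> %s %s" % (src, status, detail if status == 'blocked' else ''))
```

The check is syntactic, so it only covers attribute access spelled as such in the source; Python has other routes to attribute lookup (string formatting field access, for one), and the CPython gadget list on slide 22 changes between versions, so a new path tends to appear before a blacklist catches up. Treat this as one layer in front of the OS-level isolation the talk recommends, not as a substitute for it.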
  • 23.
  • 24. Questions Time!
    How many interactive Python interpreters were harmed while preparing this talk?
  • 25. Thanks for listening!
    misha.genkin@gmail.com

Editor's notes

  1. Continue only if you have more than 10 minutes…
  2. About everything there is to know about Python 2.7 sandboxes