
Re: [pygame] Use of PyScheme for game projects



Yeah, relying on language level protection is probably not going to work.

OS level protection is needed as well really.

Even with Java there have been security problems.  If they had also
used OS level protections, then it would have been a little safer.

On unix you can set cpu, memory and other resource limits.  See
ulimit, and nice.  You can also run things inside a jail of sorts on
some unix.  I'm pretty sure windows has a way to limit resource use
too.

So perhaps have user code run in a separate process and communicate
with sockets, setting OS level resource/access limits on it.
Then you have:
- language level protection.
- process level protection.
- os level protection.

The idea being that each part has multiple levels and layers of
protection.  At each stage limiting the damage that can be done, and
making it harder to do bad stuff.  It will still be possible, just
harder.

Perhaps you should also be building in some trust restrictions too.
Making it a requirement for people to login first, or be a player for
1-3 days before letting them do possibly dangerous stuff.



Have fun!


On 7/17/06, Bob Ippolito <bob@xxxxxxxxxx> wrote:

On Jul 16, 2006, at 12:33 PM, James Hofmann wrote:

>
>
> --- andrew baker <failrate@xxxxxxxxx> wrote:
>
>> Howdy,
>>
>> I've been pondering alternative methods to allowing unknown persons to
>> submit game code in my game engine, e.g. player created levels, characters,
>> monsters and items, but of course sandboxing Python code is nontrivial.
>> I've hit upon using a Scheme interpreter in Python to potentially solve this
>> problem, with a possible variation on parsing to make the Scheme code appear
>> more Pythonic.  Has anyone had similar success or failure or a better
>> understanding of Scheme than me who can explain why this is A) awesome or
>> B) teh suck.
>>
>> And, yes, I know how daft it may seem to embed another interpreted language
>> inside an interpreted language, but I'm expecting rather small Scheme
>> patterns, and Python in its current state simply cannot be sandboxed, and I
>> think I might actually hate C++. :D
>>
>> Thanks,
>>
>> --
>> Andrew Ulysses Baker
>> "failrate"
>>
>
> Had the exact same problem. You (should) be able to base a safe Python
> sub-interpreter off of this code:
>
> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496746
>
> When I tested it a little bit (haven't actually implemented in my project)
> I found that I had to disable one of the asserts to make it work as an
> imported module; and I didn't actually execute the eval with the time-out
> thread after it ran the tests, but instead flagged the code as safe. This
> means that I've left it open to crash programs, but in theory it should
> otherwise be safe and perform about as well as my main code.

I really wouldn't trust that to actually be safe. There's probably
plenty of holes in the implementation (blacklisting is always less
secure than whitelisting) and it still can't do anything about denial
of service by memory and CPU consumption.

-bob
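The separate-process scheme suggested at the top of this thread (player code in its own process under `ulimit`-style limits and `nice`), which is also what stops the CPU and memory denial of service Bob points out, as an added example that is not code from the list or from pygame: it assumes Linux, applies the limits with Python's `resource` module in a `preexec_fn`, and uses stdin/stdout pipes instead of sockets for the communication step; the limit values and the three snippets are constructed.

```python
import os
import resource
import signal
import subprocess
import sys

# Constructed limits; tune them to the workload you expect from player code.
CPU_SECONDS = 1             # soft RLIMIT_CPU: kernel sends SIGXCPU once exceeded
MEMORY_BYTES = 1024 << 20   # RLIMIT_AS: allocations past this fail with MemoryError
WALL_SECONDS = 30           # parent-side wall clock; sleeping code burns no CPU


def _apply_limits():
    """Runs in the child after fork, before exec: the `ulimit`/`nice` step."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS + 1))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps of player code
    os.nice(10)  # lower scheduling priority so a busy loop cannot starve the game


def run_untrusted(code):
    """Run `code` in a fresh, limited interpreter and report how it ended."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I ignores env vars and user site
            capture_output=True, text=True,
            timeout=WALL_SECONDS, preexec_fn=_apply_limits,
        )
    except subprocess.TimeoutExpired:  # subprocess kills the child for us
        return {"status": "timeout", "output": "", "detail": "wall clock"}
    if proc.returncode < 0:  # terminated by a signal, e.g. SIGXCPU from RLIMIT_CPU
        sig = signal.Signals(-proc.returncode).name
        return {"status": "killed", "output": proc.stdout, "detail": sig}
    if proc.returncode != 0:  # child raised, e.g. MemoryError under RLIMIT_AS
        err = proc.stderr.strip()
        last = err.splitlines()[-1] if err else ""
        return {"status": "error", "output": proc.stdout, "detail": last}
    return {"status": "ok", "output": proc.stdout, "detail": ""}


if __name__ == "__main__":
    for snippet in ("print(sum(range(10)))", "while True: pass",
                    "x = bytearray(2 << 30)"):
        print(snippet, "->", run_untrusted(snippet))
```

The language-level layer still matters: these limits bound how much CPU and memory player code can burn, not what it may read or call, so they sit underneath whatever interpreter-level restrictions you choose.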