
Re: [pygame] Python bots in Galcon (or your game!) safe_eval



Hey,

I've updated the script with some more tests and other goodies.

http://www.imitationpickles.org/tmp/safe.py

Regarding the stuff you mentioned - yah, it'll be interesting to see where PyPy goes. As for embedding another language in Galcon - I did consider embedding lua - it's pretty secure. But after mulling it over, I figured I'd much rather have python bots, and warn users about the danger of downloading and running strange bots.

Later,
Phil

antont@xxxxxxxxxxxxx wrote:
Phil Hassey wrote:

> Anyway, feel free to poke around the code. I think a working safe_eval
> would be a huge asset for games developed in python that want to have
> user submitted mods / bots.

if submissions are handled manually, i guess reviewing might be possible too,
but certainly there are cases where it would be nice to just allow arbitrary code
to be run in a restricted context.

just figured to mention that also the PyPy project has implemented restricted
execution contexts, and AFAIK in their implementation the base py architecture
supports it so that it can be done nice and safe. of course for action game
usage the speed is a concern and probably even a showstopper now, but perhaps
not totally for all kinds of games / simple logic code? and they do intend to
increase the performance..

i am no pypy expert though, basically just read this part of their 0.99.0
announcement some time ago:

new object spaces:

* Tainting: a 270-line proxy object space tracking and boxing
sensitive information within an application. A tainted object is
completely barred from crossing an I/O barrier, such as writing to
files, databases or sockets. This allows to significantly reduce
the effort of e.g. security reviews to the few places where
objects are "declassified" in order to send information across I/O
barriers.

so it is not exactly safe eval, but..?

i thought their javascript demos were fun too, there are some dif py console
versions, a system terminal and a bub'n'bros game at
http://play1.codespeak.net:8008/ :)

BTW speaking of alternative py implementations w.r.t restricted execution, it
seems there have been efforts on that with PLT Spy (Python
that uses PLT Scheme's runtime) too - dunno if anything
has become of that ..
http://radeex.blogspot.com/2004/04/i-spy-untrusted-code.html is radix's old post
about it, i did not see anything recent on
http://plt-spy.sourceforge.net/home.html either but did not look deep.

i am not qualified to evaluate this new safe_eval, good luck with it, am just
mentioning those similar efforts.

> Phil

~Toni
(oh and thanks for galcon, it's fun :)


