How to create a sandbox for newLisp?

Started by ale870, July 15, 2011, 08:42:06 AM


ale870

Hello,



is there any way to eliminate (or disable) some I/O functions from newLisp?



I wish to embed newLisp scripts inside some files downloaded from internet: imagine when you download an HTML page from internet, which contains Javascript. Well I want to create some specific pages containing newLisp code (to be executed on a local computer), but I need to eliminate the possibility that someone may write some "dangerous" newLisp code. So I use newLisp as library, but I need to disable functions regarding read/write files, sockets, etc...



Is it possible? Can I use a trick?

Thank you for your help!



EDIT:


If I "erase" all "dangerous" functions using "constant" function

E.g.:

(constant 'write-file nil)



Is there any way, for an attacker, to restore the original value, or to write another, similar function to achieve the same behaviour? In practice, is there any way to write a function to read/write files without using the functions (write-file)?



Thank you
--

newdep

#1
If you want to sandbox (limit access outside newlisp) you could think of using a FUSE way perhaps...

(seek for Filesystem in User Space)



But just to slim down newlisp... have a look here: (where cormullion quotes my old code ;-))

http://newlispfanclub.alh.net/forum/viewtopic.php?f=9&t=3843



Old topic already but works fine, just make sure to check all functions again before pushing it into the real world..  ;-)



Another way is to create a "slimmed-down" newlisp version where you have disabled functions at compile time.

This is, though, not in line with any commercial use of newlisp as you adjust the source code.





Regarding reading/writing files... you could still use the "device" option inside newlisp OR go into "filter" mode where newlisp becomes a CGI portal...(see the cgi http example in the docs...)



hope this covers the question ;-)
-- (define? (Cornflakes))

ale870

#2
Yes, I understood that it is a mess!

Thank you, I'm reading about FUSE.



I didn't understand the topic related to cormullion.



Thank you again!
--

Lutz

#3
Here is a different version of the sandbox program online:



http://www.newlisp.org/syntax.cgi?code/sandbox.txt

ale870

#4
Very nice, thank you!

One question: can someone (using a trick) "restore" a function inside a "safe" session?



For example, in a newLisp session I set this:

(constant 'write-line "Error")



Well, can someone, in that session, restore the original write-line behavior?

If yes, how?



Thank you!
--

Lutz

#5
I don't think restoring the disabled functions is possible.



You would have to know the original address of the built-in function and also have the ability to change the type and auxiliary fields in a newLISP cell. The function address is different on each platform and version of newLISP. In order to change the type and auxiliary fields, the critical tool is the built-in 'cpymem', which is also disabled.



See also here:



http://www.newlisp.org/index.cgi?page=Embedded_Binary



But I also think that a better idea is, to run newLISP in some sort of virtual OS environment with limited resources. This way you can give the user a full functioning newLISP.
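The approach discussed above (rebinding dangerous built-ins with `constant` so they cannot be put back), written out as a small added example. This is not code from the thread or from newlisp.org's sandbox.txt; it assumes newLISP 10.x, the symbol list is illustrative rather than complete, and the context-isolation trick relies on the manual's statement that `constant` only works on symbols of the current context.

```newlisp
;; Added example (not from the thread or from newlisp.org's sandbox.txt):
;; disable dangerous built-ins with 'constant', then run untrusted code
;; in its own context. Assumes newLISP 10.x; the list of blocked symbols
;; is illustrative, not complete.

;; every disabled built-in is rebound to this lambda, which only raises
(define (disabled) (throw-error "function disabled in sandbox"))

;; create the context the untrusted code will run in, then switch back
(context 'SANDBOX)
(context MAIN)

;; illustrative list: file and directory access, processes, networking,
;; code loading, FFI, context switching, and the memory primitive Lutz
;; names above (cpymem)
(set 'sandbox-blocked
  '(write-file read-file append-file delete-file rename-file copy-file
    open close read write device save load directory
    change-dir make-dir remove-dir
    exec ! process fork spawn import cpymem context
    net-connect net-listen net-accept net-send net-receive net-eval
    net-send-udp net-receive-udp
    env exit reset))

;; 'constant' rebinds each symbol and marks it protected, so a later
;; 'set' or 'define' on it raises "symbol is protected"
(dolist (s sandbox-blocked)
  (constant s disabled))

;; run downloaded code in SANDBOX: built-in symbols are global, so the
;; rebound MAIN:write-file is what the script sees, while 'constant'
;; refuses symbols outside the current context (assumption taken from
;; the manual), so the script cannot re-'constant' the MAIN symbol.
;; Returns (true value) on success or (nil error-text) on an error.
(define (run-untrusted code)
  (let (result nil)
    (if (catch (eval-string code 'SANDBOX) 'result)
        (list true result)
        (list nil result))))

;; constructed sample inputs: harmless arithmetic, a blocked file write,
;; and an attempt to overwrite the protected symbol
(println (run-untrusted "(+ 1 2)"))
(println (run-untrusted "(write-file \"/tmp/x\" \"data\")"))
(println (run-untrusted "(set 'write-file (fn () 1))"))
```

The first call returns the value of the expression; the second returns the "function disabled in sandbox" error text; the third returns a "symbol is protected" error. The list is where the real work is: anything left off it (FFI via `import`, `cpymem`, process spawning) is an escape route, which is why the post above recommends a virtual OS environment with limited resources as the more robust option.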

TedWalther

#6
If your customer is using OpenBSD, you can do exactly what you want using "systrace". You can create a "profile" for your application. The OS will control what system calls your application can access; it can even allow system calls with certain arguments to succeed, but deny others. It controls file system access, network access, etc. It is very flexible and nice. Is it cross-platform? No. But it works.
Cavemen in bearskins invaded the ivory towers of Artificial Intelligence. Nine months later, they left with a baby named newLISP. The women of the ivory towers wept and wailed. "Abomination!" they cried.

TedWalther

#7
Systrace is distributed under a BSD-style license and has been integrated into NetBSD, OpenBSD and OpenDarwin. NetBSD-current contains the most recent Systrace source code. You can use AnonCVS to access it. At the moment, systrace supports native and Linux binaries.

Ports



    GNU/Linux port is finished and kernel patch is maintained actively by Marius Eriksen. Can be run without kernel changes using the ptrace backend.

    Mac OS X port is almost complete; currently unmaintained due to lack of hardware.

    FreeBSD port by Rich Murphey; in progress.

ale870

#8
systrace could be fine, but it is not cross-platform, and I miss one of the most important OSes: Windows (I don't like it, but it is "famous" and the most used).



I think the best idea is still remapping native newLisp functions, disabling even cpymem and similar.

For me, cross-platform is a key feature.
--