Security Enhancements for Python scripts - PyPy

Troubadour, I was posting this to get your thoughts on these two ways to further improve the security of Python scripts.


I was looking for a secure sandboxing mechanism for Python and I found PyPy.

They are an implementation of the entire Python interpreter except they have designed their version to handle untrusted code safely.

No functionality is removed when compared to standard Python.

They have packages in Debian Jessie.

Obviously not all Python modules have been implemented using RPython or PyPy, but they should be compatible. I don’t understand if the normal modules in standard Python could also take advantage of the hardened PyPy interpreter. Would like a word on that if you understand more about it.

[1] https://lwn.net/Articles/574215/
(Where I got the idea. Note that PyPy was recommended as an alternative by the author of a failed approach called pysandbox, which he confessed restricted too much functionality while its sandbox was still leaky. That was because he tried to implement the sandbox inside the interpreter itself rather than from the outside.)
[2] http://pypy.org/ (PyPy’s many virtues)
[3] http://pypy.org/features.html#sandboxing
[4] https://packages.debian.org/search?keywords=pypy
[5] https://packages.debian.org/jessie/python-pypy.sandboxing
[6] https://packages.debian.org/jessie/pypy
[7] http://pypy.org/compat.html (notes on compatibility with standard Python modules)

Edit by Patrick:
edited title

Edit by HulaHoop:
split topics

PyPy looks promising. If time permits, I shall give it a try on my host (jessie). Please note that pypy-sandbox is only available from source at the moment, and for this reason, will not be used as is in Whonix (I believe).

[quote]I don't understand if the normal modules in standard Python could also take advantage of the hardened PyPy interpreter.[/quote]

That’s a big question. Will have to find out when I start testing. In the meantime, I think we’ll try to confine cpfp.py with AppArmor.

pypy also doesn’t support python 3.x yet.

Are you sure about this?

Found this one:

[quote=“Patrick, post:3, topic:622”]pypy also doesn’t support python 3.x yet.[/quote]
Perhaps I was wrong. Wikipedia and the blog say there is pypy3, which has Python 3.x support.

