Built-in IronPython Protection

I embed IronPython in my game engine, where you can attach scripts to objects. I do not want scripts to be able to simply access the CLR whenever they want, because then they could do anything.

Giving random scripts, especially ones downloaded from the Internet, the ability to open Internet connections, access the user's hard drive or change the internal game state is very bad.

Usually people just suggest "Use a separate AppDomain." However, if I'm not mistaken, cross-AppDomain calls are slow. Very slow. Too slow for a game engine. Therefore, I am considering alternatives.

I was thinking of compiling a custom version of IronPython that stops you from importing clr or any namespace, thereby limiting it to the standard library.

The option I'd rather go with goes along the following lines:

__builtins__.__import__ = None  # Stops imports working
reload = None  # Stops reloading working (specifically stops them reloading builtins,
               # giving back an unbroken __import__!)

I read this in another Stack Overflow post. Suppose that instead of setting __builtins__.__import__ to None, I instead set it to a user-defined function that allows loading the standard API.

The question is, using the method described above, will there be any way for the script to access the clr module, the .NET BCL, or anything else that could potentially do bad things? Or do I need to change the source? Is there a third option?

+4
2 answers

The only way to guarantee this is to use an AppDomain. I don't know what the performance is like; it depends on your use case, so you should measure it first to make sure that it is actually too slow.

If you only need a best-effort system, and if the scripts do not need to import anything, and you supply all the objects they need from the host, then your scheme should be acceptable. You can also avoid shipping the standard Python library, which will save some space.

You will want to check the rest of the built-in functions for anything that can talk to the outside world; open, file, input, raw_input and execfile come to mind, but there may be others. exec can also be a problem, and since it is a keyword it may be harder to disable if there are holes. Never underestimate the ingenuity of a determined attacker!

+3
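To make the asker's scheme concrete, here is an added example (not code from the original post or from IronPython itself) of a whitelisting replacement for __builtins__.__import__ combined with the built-ins check from the answer above. It is written in CPython 3 syntax, so open/input stand in for the file/raw_input/execfile that would also be removed on IronPython 2.7, and, as the answer says, it is best-effort hardening rather than a guarantee; the module whitelist and the probe helper are assumptions made for the example.

```python
import builtins
import math  # pre-imported so the whitelist can hand it out (assumed allowed module)

# Modules a script may import (assumed list). Anything else (clr, os, socket, ...) is refused.
ALLOWED_MODULES = frozenset({"math", "random", "string"})

# Built-ins that can talk to the outside world, following the answer's list.
# On IronPython 2.7 add "file", "raw_input" and "execfile"; there exec is a
# statement, so it cannot be removed from builtins the way it can here.
DANGEROUS_BUILTINS = ("open", "input", "exec", "eval", "compile", "__import__")


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement for __import__ that only admits whitelisted top-level modules."""
    top = name.split(".")[0]
    if level != 0 or top not in ALLOWED_MODULES:
        raise ImportError("script may not import %r" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def make_script_builtins():
    """Copy of the real builtins with risky entries removed and __import__ swapped."""
    safe = {k: v for k, v in vars(builtins).items() if k not in DANGEROUS_BUILTINS}
    safe["__import__"] = guarded_import
    return safe


def run_script(source, host_api=None):
    """Run untrusted script text with hardened builtins plus host-supplied wrapper objects.

    Returns the script's globals so the host can read results back. This is
    best-effort only: object introspection can still reach around a builtins
    swap, so the guarantee the answer asks for still needs an AppDomain.
    """
    script_globals = {"__builtins__": make_script_builtins()}
    script_globals.update(host_api or {})
    exec(compile(source, "<script>", "exec"), script_globals)
    return script_globals


def probe(source, host_api=None):
    """Run a script and report ('ok', globals) or ('blocked', exception type name)."""
    try:
        return "ok", run_script(source, host_api)
    except (ImportError, NameError) as exc:
        return "blocked", type(exc).__name__
```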

I have embedded IronPython in applications before and had similar security concerns. What I did to reduce the risk was to create special objects just for the scripting runtime, which were essentially wrappers around my main objects that exposed only "safe" functionality.

Another advantage of creating script-only objects is that you can tailor them for scripting, with helper functions that make your scripts neater and simpler.

AppDomain or not, nothing prevents anyone from loading an external .py module into their script.... That is the price of your flexibility.

+3

Source: https://habr.com/ru/post/1414612/
