headers
Grant Rettke | 3 May 2012 04:48
Picon
Favicon
Gravatar

Creating a sandbox

Hi,


Although I've not yet learned Lisp and SBCL well, I'm curious about whether preparing an eval sandbox so that it would be restricted in it's bindings, file system access, memory usage, network access, and CPU time, something like this


would be possible?

Best wishes,

Grant

--
http://www.wisdomandwonder.com/
ACM, AMA, COG, IEEE
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Sbcl-help mailing list
Sbcl-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sbcl-help
Permalink | Reply |
headers
Nikodemus Siivola | 3 May 2012 08:54
Gravatar

Re: Creating a sandbox

On 3 May 2012 05:48, Grant Rettke <grettke <at> acm.org> wrote:

> Although I've not yet learned Lisp and SBCL well, I'm curious about whether
> preparing an eval sandbox so that it would be restricted in it's bindings,
> file system access, memory usage, network access, and CPU time, something
> like this
>
> http://docs.racket-lang.org/reference/Sandboxed_Evaluation.html
>
> would be possible?

/Possible/, yes. Straightforward, actually, mostly yes. Easy to get right? No.

Racket's language abstraction is pretty cool, and we don't have
anything like that. So you'd be rolling up some infrastructure to
start with.

Cheers,

 -- nikodemus

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Permalink | Reply |
headers
Grant Rettke | 3 May 2012 19:38
Picon
Favicon
Gravatar

Re: Creating a sandbox

Thanks guys.

On Thu, May 3, 2012 at 1:54 AM, Nikodemus Siivola <nikodemus <at> random-state.net> wrote:
On 3 May 2012 05:48, Grant Rettke <grettke <at> acm.org> wrote:

> Although I've not yet learned Lisp and SBCL well, I'm curious about whether
> preparing an eval sandbox so that it would be restricted in it's bindings,
> file system access, memory usage, network access, and CPU time, something
> like this
>
> http://docs.racket-lang.org/reference/Sandboxed_Evaluation.html
>
> would be possible?

/Possible/, yes. Straightforward, actually, mostly yes. Easy to get right? No.

Racket's language abstraction is pretty cool, and we don't have
anything like that. So you'd be rolling up some infrastructure to
start with.

Cheers,

 -- nikodemus



--
http://www.wisdomandwonder.com/
ACM, AMA, COG, IEEE
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Sbcl-help mailing list
Sbcl-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sbcl-help
Permalink | Reply |
headers
Anton Vodonosov | 3 May 2012 23:30
Picon
Favicon

Re: Creating a sandbox

Check this https://github.com/tlikonen/cl-eval-bot. This project receives lisp code from
external source and executes it in a sandbox. Will not give you control over memory
usage and CPU time I think, but will allow to control what API's (file system functions, network
functions) are available to the lisp code.
 
Another thought is that OS process is a sanbox. Running lisp process from a
restricted OS user (quitas, fs access rights) might be usefull probably
if you are lookiing for a sandbox solution.
 
If you find a better solution, please drop news here. I am curious in sandboxing
common lisp.
 
03.05.2012, 21:38, "Grant Rettke" <grettke <at> acm.org>:
Thanks guys.

On Thu, May 3, 2012 at 1:54 AM, Nikodemus Siivola <nikodemus <at> random-state.net> wrote:
On 3 May 2012 05:48, Grant Rettke <grettke <at> acm.org> wrote:

> Although I've not yet learned Lisp and SBCL well, I'm curious about whether
> preparing an eval sandbox so that it would be restricted in it's bindings,
> file system access, memory usage, network access, and CPU time, something
> like this
>
> http://docs.racket-lang.org/reference/Sandboxed_Evaluation.html
>
> would be possible?
/Possible/, yes. Straightforward, actually, mostly yes. Easy to get right? No.

Racket's language abstraction is pretty cool, and we don't have
anything like that. So you'd be rolling up some infrastructure to
start with.

Cheers,

 -- nikodemus


--
http://www.wisdomandwonder.com/
ACM, AMA, COG, IEEE

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Sbcl-help mailing list
Sbcl-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sbcl-help

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Sbcl-help mailing list
Sbcl-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sbcl-help
Permalink | Reply |
headers
Teemu Likonen | 4 May 2012 05:11
Picon
Picon
Favicon

Re: Creating a sandbox

* Anton Vodonosov [2012-05-04 01:30:46 +0400] wrote:

> Check this https://github.com/tlikonen/cl-eval-bot. This project
> receives lisp code from external source and executes it in a sandbox.
> Will not give you control over memory usage and CPU time I think, but
> will allow to control what API's (file system functions, network
> functions) are available to the lisp code.

Yes. Especially files sandbox-impl.lisp and sandbox-cl.lisp.

(I'm doing a database which looks like a simple virtual filesystem. Its
basic framework is ready but have been too busy with my dayjob to finish
it yet.)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Permalink | Reply |
headers
Grant Rettke | 5 May 2012 20:18
Picon
Favicon
Gravatar

Re: Creating a sandbox

Excellent thanks guys.

On Thu, May 3, 2012 at 10:11 PM, Teemu Likonen <tlikonen <at> iki.fi> wrote:
* Anton Vodonosov [2012-05-04 01:30:46 +0400] wrote:

> Check this https://github.com/tlikonen/cl-eval-bot. This project
> receives lisp code from external source and executes it in a sandbox.
> Will not give you control over memory usage and CPU time I think, but
> will allow to control what API's (file system functions, network
> functions) are available to the lisp code.

Yes. Especially files sandbox-impl.lisp and sandbox-cl.lisp.

(I'm doing a database which looks like a simple virtual filesystem. Its
basic framework is ready but have been too busy with my dayjob to finish
it yet.)



--
http://www.wisdomandwonder.com/
ACM, AMA, COG, IEEE
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Sbcl-help mailing list
Sbcl-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sbcl-help
Permalink | Reply |

Gmane