Netinfo Security (信息网络安全), 2024, Vol. 24, Issue (5): 682-693. doi: 10.3969/j.issn.1671-1122.2024.05.003

• Special Topic: Network Security Defense •

Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation
(基于第三方库隔离的Python沙箱逃逸防御机制)

YANG Zhipeng (杨志鹏)1,2, WANG Juan (王鹃)1,2 (corresponding author), MA Chenjun (马陈军)1,2, KANG Yunfeng (亢云峰)3

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, China
  3. Beijing Huawei Digital Technologies Co., Ltd., Beijing 100085, China
  • Received: 2023-05-04  Online: 2024-05-10  Published: 2024-06-24
  • Contact: WANG Juan, E-mail: jwang@whu.edu.cn
  • About the authors: YANG Zhipeng (born 1999), male, from Hunan, master's student; research interests: system and software security. WANG Juan (born 1976), female, from Hubei, professor, Ph.D., CCF member; research interests: system and software security, trusted computing, AI applications, cloud computing, IoT security. MA Chenjun (born 2000), male, from Anhui, master's student; research interests: system and software security. KANG Yunfeng (born 1983), male, from Shaanxi, engineer; research interest: system security.
  • Funding: National Natural Science Foundation of China (61872430); National Key R&D Program of China (2020AAA0107700); Science and Technology Project of State Grid Corporation of China (520940210009)

Abstract:

PaaS platforms have become popular cloud services in part because they offer hosted Python. To contain user code, such platforms run it in a Python sandbox while still allowing users to load Python C extension modules (C-modules) to reduce Python's performance overhead. However, an attacker can exploit weaknesses in the sandbox policy to escape the sandbox and harm the underlying system. Most existing Python sandboxes defend only at the code level and neither supervise nor protect against C-modules. This paper analyzes the underlying principles of Python C-modules and the characteristics of Python sandbox escapes. Because an escape must eventually call specific dangerous functions to mount an attack, the paper proposes a Python sandbox escape defense mechanism based on third-party library isolation and implements a prototype system. The prototype uses GOT hooking to take over Python's C-module import behavior and its calls to dangerous functions: when Python imports a C-module, the module is security-checked and isolated before the import completes, and when Python calls a dangerous function, the function's parameters are checked. Experimental results show that the mechanism effectively prevents attackers from escaping the Python sandbox with custom C-modules and from calling dangerous functions with malicious parameters. In normal use the mechanism's time overhead is low, averaging less than 5%.

Key words: Python sandbox, third-party library isolation, sandbox escape defense mechanism, hook technology
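As an added example (not the paper's prototype, which hooks the GOT inside the CPython process), the following Python module expresses the same two policy checks the abstract describes: gating native C-module imports on a name allowlist plus a trusted on-disk location, and checking the parameters of dangerous functions before they run. It uses Python's import machinery (a `sys.meta_path` finder) and function wrapping instead of a GOT hook. The trusted root `/opt/paas/trusted_ext`, the module allowlist, the sandbox root `/srv/sandbox` and the binary allowlist are constructed assumptions, not values from the paper.

```python
"""Added example, not the paper's prototype: the abstract's two checks, C-module import
gating and dangerous-function parameter checking, expressed with Python's import
machinery and function wrapping instead of a GOT hook."""
import os
import shlex
import sys
from importlib.abc import MetaPathFinder
from importlib.machinery import ExtensionFileLoader, ModuleSpec, PathFinder

# Constructed policy values (assumptions, not from the paper): where vetted C modules
# live, which native module names are allowed, the only tree user code may touch, and
# which executables os.system may start.
TRUSTED_EXTENSION_ROOTS = ("/opt/paas/trusted_ext",)
ALLOWED_EXTENSION_MODULES = frozenset({"fastmath", "imgcodec"})
SANDBOX_ROOT = "/srv/sandbox"
ALLOWED_BINARIES = frozenset({"/usr/bin/convert", "/usr/bin/python3"})
SHELL_META = set(";|&`$<>\n")


def _under(path, root):
    """True if path (after normalisation) lies inside root; collapses '..' traversal."""
    path, root = os.path.realpath(os.fsdecode(path)), os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def make_extension_spec(name, path):
    """Build the spec the import system would produce for a native module at path."""
    return ModuleSpec(name, ExtensionFileLoader(name, path), origin=path)


def is_extension_spec(spec):
    """Native code is loaded only through ExtensionFileLoader (.so/.pyd files)."""
    return spec is not None and isinstance(spec.loader, ExtensionFileLoader)


def extension_allowed(spec, allowed=ALLOWED_EXTENSION_MODULES, roots=TRUSTED_EXTENSION_ROOTS):
    """Import gate: a C module must be allow-listed by name AND live under a trusted
    root. Pure-Python modules are never blocked here."""
    if not is_extension_spec(spec):
        return True
    if spec.name not in allowed:
        return False
    return any(_under(spec.origin or "", root) for root in roots)


class ExtensionGuardFinder(MetaPathFinder):
    """Runs before the default finders and refuses native modules that fail the gate."""

    def find_spec(self, fullname, path, target=None):
        spec = PathFinder.find_spec(fullname, path, target)
        if spec is not None and not extension_allowed(spec):
            raise ImportError(f"C module {fullname!r} at {spec.origin} blocked by sandbox policy")
        return spec  # None lets the remaining finders handle builtin/frozen modules


def check_dangerous_call(func_name, args):
    """Parameter check for a guarded function; returns (allowed, reason)."""
    if func_name == "os.system":
        cmd = args[0]
        if SHELL_META & set(cmd):
            return False, "shell metacharacters"
        try:
            argv = shlex.split(cmd)
        except ValueError:
            return False, "unparseable command"
        if not argv or argv[0] not in ALLOWED_BINARIES:
            return False, "binary not allow-listed"
        return True, ""
    if func_name in ("open", "os.remove", "os.rename"):
        if not _under(args[0], SANDBOX_ROOT):
            return False, "path outside sandbox"
        return True, ""
    return True, ""


def guard(func_name, original):
    """Wrap original so every call is checked before it runs."""
    def wrapper(*args, **kwargs):
        ok, reason = check_dangerous_call(func_name, args)
        if not ok:
            raise PermissionError(f"{func_name} blocked: {reason}")
        return original(*args, **kwargs)
    return wrapper


def install_guard():
    """Activate both checks in this interpreter (call once, before user code runs)."""
    sys.meta_path.insert(0, ExtensionGuardFinder())
    os.system = guard("os.system", os.system)
    os.remove = guard("os.remove", os.remove)


if __name__ == "__main__":
    for spec in (make_extension_spec("evil", "/srv/sandbox/evil.so"),
                 make_extension_spec("fastmath", "/opt/paas/trusted_ext/fastmath.so")):
        print(spec.name, "import allowed:", extension_allowed(spec))
    for call in (("os.system", ("/usr/bin/convert in.png out.png",)),
                 ("os.system", ("/usr/bin/convert in.png; id",)),
                 ("open", ("/srv/sandbox/../etc/passwd",))):
        print(call, "->", check_dangerous_call(*call))
```

The design point the abstract makes is visible here: a guard written in Python sits at the code level, so it is only as strong as the interpreter's own import path and can be reached around by native code that is already running, which is why the paper's prototype interposes below the interpreter (at the GOT) where the C-module load and the dangerous libc calls actually happen. The policy shape, an allowlist checked before the load completes plus a parameter check on each dangerous call, is the same in both places.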

CLC number: