Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation
The PaaS platform has become a popular cloud service because it can offer Python services. PaaS platforms use Python sandboxes to ensure security, while also allowing users to use optimized Python C-modules to reduce the performance cost of Python. However, attackers can exploit weaknesses in Python sandbox policies to escape the sandbox and harm the underlying system. Most existing Python sandboxes defend only at the code level and lack supervision and protection of Python C-modules. This paper analyzed the underlying principles of Python C-modules and the characteristics of Python sandbox escapes. Targeting the specific dangerous functions executed after a sandbox escape, it proposed a Python sandbox escape defense mechanism based on third-party library isolation and implemented a prototype system. The prototype leveraged GOT Hook technology to take over C-module imports and dangerous function calls in Python, so it could check and isolate C-modules before they were imported; when dangerous functions were called, it checked their parameters. The experimental results demonstrate that the system effectively mitigates attackers' abuse of custom C-modules to escape Python sandboxes and of dangerous functions called with malicious parameters. The mechanism has negligible overhead in normal Python applications, with an average time overhead of less than 5%.
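As an added illustration of the GOT Hook take-over and parameter check the abstract describes (example code written for this edit, not the paper's prototype), the block below patches the running executable's own GOT slot for libc's system() so that every call through the PLT first passes an allowlist check, the same "dangerous function with parameter inspection" pattern the paper applies inside the Python interpreter. The exact-match allowlist is a constructed policy, and the code assumes a 64-bit Linux/glibc build where system() is reached through a PLT jump slot (not -fno-plt).

```c
#define _GNU_SOURCE            /* dl_iterate_phdr */
#include <link.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static int (*real_system)(const char *);   /* libc's system(), saved before the slot is patched */
/* Parameter check in front of the dangerous function; the patched GOT slot points here. The exact-match allowlist is a constructed demo policy. */
static int checked_system(const char *cmd) {
    if (!cmd || (strcmp(cmd, "true") && strcmp(cmd, "date"))) {
        fprintf(stderr, "[hook] blocked system(\"%s\")\n", cmd ? cmd : "(null)");
        return -1;
    }
    return real_system(cmd);
}
/* Record the load base of the first object reported, which is the main executable. */
static int get_base(struct dl_phdr_info *i, size_t n, void *o) { *(ElfW(Addr) *)o = i->dlpi_addr; (void)n; return 1; }
/* Returns 0 once every system() call made through this executable's PLT is checked. */
int install_got_hook(void) {
    if (real_system) return 0;
    system(NULL);                     /* forces lazy binding: the slot then holds libc's address */
    ElfW(Addr) base = 0; dl_iterate_phdr(get_base, &base);
    const ElfW(Sym) *symtab = NULL; const char *strtab = NULL;
    const ElfW(Rela) *rela = NULL; size_t relasz = 0;
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        /* glibc rebases these pointers in place for PIE; add base only if it has not */
        ElfW(Addr) p = d->d_un.d_ptr < base ? d->d_un.d_ptr + base : d->d_un.d_ptr;
        if (d->d_tag == DT_SYMTAB) symtab = (const ElfW(Sym) *)p;
        else if (d->d_tag == DT_STRTAB) strtab = (const char *)p;
        else if (d->d_tag == DT_JMPREL) rela = (const ElfW(Rela) *)p;
        else if (d->d_tag == DT_PLTRELSZ) relasz = d->d_un.d_val;
    }
    for (size_t i = 0; symtab && strtab && rela && i < relasz / sizeof *rela; i++) {
        if (strcmp(strtab + symtab[ELF64_R_SYM(rela[i].r_info)].st_name, "system")) continue;
        void **slot = (void **)(base + rela[i].r_offset);
        ElfW(Addr) pg = (ElfW(Addr))sysconf(_SC_PAGESIZE);   /* slot may sit in RELRO memory */
        if (mprotect((void *)((ElfW(Addr))slot & ~(pg - 1)), pg, PROT_READ | PROT_WRITE)) return -1;
        real_system = (int (*)(const char *))*slot;
        *slot = (void *)checked_system;
        return 0;
    }
    return -1;   /* no PLT slot for system (e.g. built with -fno-plt) */
}
int run_cmd(const char *cmd) { return system(cmd); }   /* ordinary application code, unaware of the hook */
int main(void) {
    int rc = install_got_hook();
    printf("hook=%d true=%d echo=%d\n", rc, run_cmd("true"), run_cmd("echo not-allowed"));
    return 0; }
```

Once installed, the application's unchanged call site reaches checked_system via the PLT, which is why a sandbox enforcing at this layer cannot be bypassed by code that merely avoids the Python-level wrappers.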