Newsgroups: php.internals
Xref: news.php.net php.internals:124811
Message-ID: <7d9a9752-a202-4099-a60a-2686d4265d96@gmail.com>
Date: Tue, 6 Aug 2024 20:59:03 +0200
Subject: Re: [PHP-DEV] [Discussion] Sandbox API
To: internals@lists.php.net
From: dossche.niels@gmail.com (Niels Dossche)

On 06/08/2024 10:41, Nick Lockheart wrote:
>
> Sandbox: Security
>
> A SandBox has two use cases:
>
> 1. Unit Testing of code with mocks or stubs, and also, allowing testing
> with different environments.
>
> 2. The secure running of 3rd party code inside a 1st party application.
>

The use-case of securely running 3rd party code inside your application is impossible at this moment, and will still be impossible after a sandbox API is introduced. The reason is that the PHP interpreter as it is today is not memory safe. It is relatively easy to cause memory corruption by only using PHP code, by abusing things like custom error handlers set from userland. This in turn can be used to gain arbitrary read/write primitives, which have been shown to circumvent disable_functions & open_basedir, and some PoCs can even run arbitrary commands. It would be doable to extend these tricks to circumvent a sandboxing API. As such, a sandboxing API for securely executing 3rd party code is only possible after the interpreter has become memory safe. Although some work has been done in PHP 8.3 to plug many of these memory safety bugs in the VM, much more work remains and would likely require complicated changes.

So therefore I propose to only focus on the mocking functionality of your proposal for now, until the time comes that the interpreter is memory safe. I would therefore also not call it "sandbox".

Introducing a sandbox API for security also opens up a can of worms for the security policy. Right now we are assuming an attacker model of a remote attacker, and that the code running on your server is trusted. But that would change when an official sandbox API is introduced.

Kind regards,
Niels