From: Rob Landers <rob@bottled.codes>
To: internals@lists.php.net
Date: Tue, 06 Aug 2024 21:05:40 +0200
Subject: Re: [PHP-DEV] [Discussion] Sandbox API
Message-ID: <ffc9c850-06f1-4937-be55-b9e2cc614dfb@app.fastmail.com>
In-Reply-To: <7d9a9752-a202-4099-a60a-2686d4265d96@gmail.com>

On Tue, Aug 6, 2024, at 20:59, Niels Dossche wrote:
> On 06/08/2024 10:41, Nick Lockheart wrote:
> >
> > Sandbox: Security
> >
> > A SandBox has two use cases:
> >
> > 1. Unit Testing of code with mocks or stubs, and also, allowing testing
> > with different environments.
> >
> > 2. The secure running of 3rd party code inside a 1st party application.
> >
>
> The use-case of securely running 3rd party code inside your application is impossible at this moment, and will still be impossible after a sandbox API is introduced.
> The reason is that the PHP interpreter as it is today is not memory safe. It is relatively easy to cause memory corruption by only using PHP code by abusing things like custom error handlers set from userland. This in turn can be used to gain arbitrary read/write primitives, which have been shown to circumvent disable_functions & open_basedir, and some PoCs can even run arbitrary commands. It would be doable to extend these tricks to circumvent a sandboxing API.
> As such, a sandboxing API for securely executing 3rd party code is only possible after the interpreter has become memory safe.
> Although some work has been done in PHP 8.3 to plug many of these memory safety bugs in the VM, much more work remains and would likely require complicated changes.
> So therefore I propose to only focus on the mocking functionality of your proposal for now, until the time comes that the interpreter is memory safe.
> I would therefore also not call it "sandbox".
>
> Introducing a sandbox API for security also opens up a can of worms for the security policy.
> Right now we are assuming an attacker model of a remote attacker, and that the code running on your server is trusted.
> But that would change when an official sandbox API is introduced.
>
> Kind regards
> Niels
>

Hey Niels,

I find this assertion kind of scary from a shared hosting perspective, or even from a 3v4l kind of perspective. How do these services protect themselves if PHP is inherently insecure?
— Rob