Thinking Outside the [Sand]Box
>>> dir(self)
• Michael Genkin
• A computer engineer
• A researcher
• A jack of many trades
• And a master of some
• Prefers Python [2.7] to your favorite programming language since 2008.
• Isn’t afraid of the bytecode.
Outline 
• Sandboxes – how & why? 
• A bit of Python 
• Code execution 
• __builtins__ 
• Python Sandbox – HowTo & Examples 
• Blacklisting 
• Whitelisting 
• Modifying __builtins__ 
• If time allows 
• CPython implementation details 
• Code objects
What’s a Sandbox? 
“A security mechanism for separating running programs. It is often used 
to execute untested code, or untrusted programs from unverified third 
parties, suppliers, untrusted users and untrusted websites. 
The sandbox typically provides a tightly controlled set of resources for 
guest programs to run in…” [Wikipedia]
Why a Sandbox? 
• UNTRUSTED CODE? Why would we ever want to execute untrusted code?
• Learning platform 
• A certain challenge site 
• Development environment as a Service
How to Sandbox? 
OS Level 
• Linux seccomp 
• PyPy Sandboxing 
Language Level/In-Process* 
• PySandbox 
• rexec 
Don’t use those examples @Home/Production
A Bit of Python… 
Quick detour
Code Execution in Python 
• How does one execute untrusted code? 
• Or simply dynamically generated code… 
• A few ways… 
• exec(file) – compile & execute a statement (or a file). 
• eval – compile & execute an expression. 
• if you really need eval – try using ast.literal_eval() 
• os.exec* – create & execute a new shell 
• subprocess... 
• pickle – a minefield 
• Don’t do this at home..! 
• Really. Don’t. Ever.
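The ast.literal_eval() alternative from the list above, worked through as an added example (this is not code from the talk; the length cap and the function name parse_literal are my own): when the untrusted input is supposed to be data rather than code, literal_eval parses Python literals and refuses names, calls, attribute access and arithmetic, so nothing ever reaches eval.

```python
import ast

# Example code added to these slides, not the talk's own: when the untrusted
# input is meant to be data rather than code, ast.literal_eval() parses Python
# literals (numbers, strings, tuples, lists, dicts, sets, booleans, None) and
# refuses names, calls, attribute access and arithmetic, so eval() is never
# needed. MAX_LEN is a constructed limit: literal_eval still parses the whole
# input first, so very large or deeply nested input can burn CPU and stack
# (RecursionError / MemoryError), which is the resource-exhaustion case the
# talk lists next.

MAX_LEN = 4096


def parse_literal(text):
    """Return ('ok', value) for a Python literal, ('rejected', reason) for anything else."""
    if len(text) > MAX_LEN:
        return "rejected", "input too long"
    try:
        return "ok", ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: parsed but not a literal (a name, a call, even 1+1)
        # SyntaxError: not Python at all; TypeError: e.g. an unhashable dict key
        return "rejected", type(exc).__name__


if __name__ == "__main__":
    print(parse_literal("{'retries': 3, 'hosts': ['a', 'b'], 'tls': True}"))
    print(parse_literal("abs(-1)"))   # ('rejected', 'ValueError')
    print(parse_literal("1+1"))       # ('rejected', 'ValueError')
```

The rejection reason is returned rather than re-raised so the caller can log it as a signal: a stream of "ValueError" rejections on a field that should only ever carry a dict is worth an alert, not just an error page.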
Shit Can Happen… 
• Resource exhaustion – DoS 
• Information disclosure 
• Server takeover
Tools of Chaos 
• file/open 
• Though we might need those… 
• eval/exec(file) 
• exit/quit 
• pickle/os/subprocess 
• We might need those as well
Nice to Meet You __builtins__ 
>>> print dir(__builtins__) 
['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 
'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 
'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 
'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 
'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 
'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 
'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 
'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 
'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 
'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 
'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 
'UnicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError', 
'_', '__debug__', '__doc__', '__import__', '__name__', '__package__', 'abs', 
'all', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer', 'bytearray', 
'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 
'complex', 'copyright', 'credits', 'delattr', 'dict', 'dir', 'divmod', 
'enumerate', 'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format', 
'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 
'input', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 
'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', 
'oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 
'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 
'sorted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 
'unicode', 'vars', 'xrange', 'zip']
We Need a Sandbox… 
A Builder & Breaker How-To
An Optimal [Python] Sandbox
class Sandbox(object):
    def __make_secure(self, unsafecode):
        """ Black Magic """
        return safecode
    def execute(self, code):
        exec self.__make_secure(code)
if __name__ == '__main__':
    s = Sandbox()
    s.execute("print 'Hello World!'") # Hello World!
    s.execute("*bad stuff*") # RuntimeException
• What does this *black magic* really look like?
Blacklisting __builtins__
def __make_secure(self, unsafecode):
    keyword_blacklist = ["file", "quit", "eval", "exec",
                         "execfile", "exit"]
    for keyword in keyword_blacklist:
        if keyword in unsafecode:
            raise ValueError("Blacklisted")
    return unsafecode
Circumventing a Blacklist
• The problem with blacklists is that they’re always incomplete…
• What isn’t in the blacklist?
s.execute("""
    __builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)
""")
• Lesson learned…
• If we can get a reference to something – we can invoke it.
Whitelisting __builtins__
import sys
def __make_secure(self, unsafecode):
    # Blacklisting code
    main = sys.modules["__main__"].__dict__
    orig_builtins = main["__builtins__"].__dict__
    builtins_whitelist = set((
        'ArithmeticError', 'AssertionError', 'AttributeError', ... # Exceptions
        'False', 'None', 'True', ... # Constants
        'basestring', 'bytearray', 'bytes', 'complex', 'dict', ... # Types
        '__import__', 'abs', 'all', 'any', 'apply', 'bin', 'bool', ... # Functions
        # Block: eval, execfile, file, quit, exit, reload, etc.
    ))
    for builtin in orig_builtins.keys():
        if builtin not in builtins_whitelist:
            del orig_builtins[builtin]
    return unsafecode # No way to do bad stuff now...
s.execute('__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)') # NameError
I Brought This Little Something…
• The whitelist ensures we don’t have anything useful in scope…
• But, can we bring more stuff into the scope?
s.execute("""
    import os
    os.exec("python -c '*something bad*'")
""")
• Lesson learned…
• Whitelisting __builtins__ isn’t enough if the attacker can just import stuff
Whitelisting Imports 
• Ever wondered how Python imports work?
importer = __builtins__.__dict__.get('__import__') 
os = importer('os') 
• And how to roll your own?
Whitelisting Imports
def safe_importer(module_name, globals={}, locals={}, fromlist=[], level=-1):
    print "You can't import anything bad now..."
    good_modules = ['string', 're', ...]
    # Doesn't include os, subprocess, or pickle!
    if module_name in good_modules:
        return __import__(module_name, globals, locals, fromlist, level)
    else:
        raise ImportError("You can't import this!")
def __make_secure(self, unsafecode):
    # Blacklisting code
    # Whitelisting code
    orig_builtins['__import__'] = safe_importer
s.execute("""
    import os
    os.exec("python -c '*something bad*'")
""") # ImportError
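The builtins whitelist and the import whitelist from the last few slides, combined into one runnable Python 3 version as an added example (not the talk's code; ALLOWED_BUILTINS, ALLOWED_MODULES, safe_import and run_sandboxed are my names). The one design change from the slides: instead of deleting names out of the real __builtins__ of __main__, which also cripples the host process, it builds a separate builtins dict and hands it to exec() as the namespace's "__builtins__"; CPython then resolves both bare names and the import statement's __import__ lookup against that dict.

```python
import builtins

# Example code added to these slides, not the talk's own: Python 3 variant of
# the builtins whitelist plus the import whitelist. exec() uses whatever the
# globals dict carries under "__builtins__", so the host interpreter's real
# builtins are never touched.

ALLOWED_BUILTINS = {
    # a few exceptions and the constants
    "ArithmeticError", "AssertionError", "AttributeError", "Exception",
    "IndexError", "KeyError", "NameError", "TypeError", "ValueError",
    "ZeroDivisionError", "False", "None", "True",
    # types and plain functions
    "abs", "all", "any", "bool", "dict", "enumerate", "float", "int",
    "isinstance", "len", "list", "max", "min", "range", "set", "sorted",
    "str", "sum", "tuple", "zip",
    # deliberately absent: eval, exec, compile, open, getattr, __import__, ...
}

ALLOWED_MODULES = {"string", "re", "math"}   # no os, subprocess or pickle


def safe_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__ as seen by sandboxed code: top-level whitelist only."""
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError("module %r is not available in the sandbox" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def make_sandbox_globals():
    """Fresh globals whose builtins hold only the whitelisted names plus safe_import."""
    restricted = {n: getattr(builtins, n) for n in ALLOWED_BUILTINS}
    restricted["__import__"] = safe_import
    return {"__builtins__": restricted}


def run_sandboxed(code):
    """Execute code under the restricted builtins; return the names it defined."""
    ns = make_sandbox_globals()
    exec(compile(code, "<sandbox>", "exec"), ns)
    return {k: v for k, v in ns.items() if k != "__builtins__"}


def outcome(code):
    """('ok', namespace) when the code ran, ('error', exception name) when it was refused."""
    try:
        return "ok", run_sandboxed(code)
    except Exception as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    print(outcome("result = sum(range(4))"))        # ('ok', {'result': 6})
    print(outcome("import string\nresult = string.ascii_lowercase[:3]")[1]["result"])  # abc
    print(outcome("import os"))                     # ('error', 'ImportError')
    print(outcome("x = eval('1+1')"))               # ('error', 'NameError')
```

In Python 2 the same idea is spelled `exec code in ns`. Note what this does and does not buy: eval, open and `import os` are gone from the sandboxed namespace, but the code still holds references to ordinary objects, and the next slides show that a reference is all it takes to walk back to the real __import__; that is why the talk's "How to Sandbox?" slide puts OS-level isolation first.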
I Know I Left This Somewhere… 
• What do we have left? 
• Do we have anything useful left? 
• We have some types… let’s check them out 
• If we have a class – why not have a metaclass as well?
• PEP 0253 - __bases__ & __subclasses__()
If We Have a Reference…
s.execute("""
    __builtins__.__dict__['__import__'] = ().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']
    import os
    os.exec("python -c '*something bad*'")
""")
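A defensive counterpart to the escape above, as an added example (not from the talk; find_dunder_access and is_allowed are my names): the chain walks __class__, __bases__, __subclasses__ and __builtins__, and the earlier base64 trick reached __dict__ on __builtins__, so a gate that parses the untrusted source and rejects every dunder attribute, dunder name and dunder string literal refuses both before exec runs. Because it inspects the AST rather than substrings of the text, encoding the name does not help the way it did against the substring blacklist.

```python
import ast

# Example code added to these slides, not the talk's own: a pre-execution gate
# over the parsed source. Every reference in the __subclasses__ escape and in
# the base64-encoded eval lookup is a dunder attribute, a dunder name or a
# dunder string, which is what this flags.


def _is_dunder(name):
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def find_dunder_access(source):
    """Return (lineno, description) for every dunder reference; None if source does not parse."""
    try:
        tree = ast.parse(source, "<untrusted>", "exec")
    except SyntaxError:
        return None
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and _is_dunder(node.attr):
            findings.append((node.lineno, "attribute " + node.attr))
        elif isinstance(node, ast.Name) and _is_dunder(node.id):
            findings.append((node.lineno, "name " + node.id))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and _is_dunder(node.value)):
            # covers d["__import__"] and getattr(x, "__class__")
            findings.append((node.lineno, "string " + node.value))
    return findings


def is_allowed(source):
    """True only when the source parses and contains no dunder reference at all."""
    findings = find_dunder_access(source)
    return findings is not None and not findings


# Constructed inputs: the two reference-walking snippets from the slides, trimmed
ESCAPE = "x = ().__class__.__bases__[0].__subclasses__()"
ENCODED = '__builtins__.__dict__["ZXZhbA==".decode("base64")](1)'

if __name__ == "__main__":
    print(is_allowed("total = sum(range(10))"))        # True
    print(find_dunder_access(ESCAPE))                  # three attribute findings
    print(find_dunder_access(ENCODED))                 # name __builtins__, attribute __dict__
```

Run it in front of a restricted-builtins exec, not instead of one: the gate only sees the source representation, so getattr, vars and type must stay out of the sandboxed builtins or the same names can be built at run time, and the slide's closing point still holds that real isolation belongs at the OS level (seccomp, PyPy sandboxing).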
Questions Time! 
How many interactive Python interpreters were harmed while preparing this talk?
Thanks for listening! 
misha.genkin@gmail.com

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 

Thinking Outside The [Sand]Box

2. >>> dir(self)
• Michael Genkin
• A computer engineer
• A researcher
• A jack of many trades
• And a master of some
• Prefers Python [2.7] to your favorite programming language since 2008.
• Isn’t afraid of the bytecode.

3. Outline
• Sandboxes – how & why?
• A bit of Python
  • Code execution
  • __builtins__
• Python Sandbox – HowTo & Examples
  • Blacklisting
  • Whitelisting
  • Modifying __builtins__
• If time allows
  • CPython implementation details
  • Code objects

4. What’s a Sandbox?
“A security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. The sandbox typically provides a tightly controlled set of resources for guest programs to run in…” [Wikipedia]

5. Why a Sandbox?
• UNTRUSTED CODE? Why would we ever want to execute untrusted code?
  • Learning platform
  • A certain challenge site
  • Development environment as a Service

6. How to Sandbox?
OS Level
• Linux seccomp
• PyPy Sandboxing
Language Level/In-Process*
• PySandbox
• rexec
Don’t use those examples @Home/Production

7. A Bit of Python…
Quick detour

8. Code Execution in Python
• How does one execute untrusted code?
  • Or simply dynamically generated code…
• A few ways…
  • exec(file) – compile & execute a statement (or a file).
  • eval – compile & execute an expression.
    • If you really need eval – try using ast.literal_eval()
  • os.exec* – create & execute a new shell
  • subprocess...
  • pickle – a minefield
• Don’t do this at home..!
  • Really. Don’t. Ever.

9. Shit Can Happen…
• Resource exhaustion – DoS
• Information disclosure
• Server takeover

10. Tools of Chaos
• file/open
  • Though we might need those…
• eval/exec(file)
• exit/quit
• pickle/os/subprocess
  • We might need those as well

11. Nice to Meet You __builtins__
    >>> print dir(__builtins__)
    ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError',
     'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'EnvironmentError',
     'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError',
     'ImportError', 'ImportWarning', 'IndentationError', 'IndexError', 'KeyError',
     'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented',
     'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning',
     'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration',
     'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True',
     'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 'UnicodeEncodeError',
     'UnicodeError', 'UnicodeTranslateError', 'UnicodeWarning', 'UserWarning', 'ValueError',
     'Warning', 'ZeroDivisionError', '_', '__debug__', '__doc__', '__import__', '__name__',
     '__package__', 'abs', 'all', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer',
     'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile',
     'complex', 'copyright', 'credits', 'delattr', 'dict', 'dir', 'divmod', 'enumerate',
     'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format', 'frozenset', 'getattr',
     'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 'input', 'int', 'intern',
     'isinstance', 'issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map',
     'max', 'memoryview', 'min', 'next', 'object', 'oct', 'open', 'ord', 'pow', 'print',
     'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', 'reversed',
     'round', 'set', 'setattr', 'slice', 'sorted', 'staticmethod', 'str', 'sum', 'super',
     'tuple', 'type', 'unichr', 'unicode', 'vars', 'xrange', 'zip']
12. We Need a Sandbox…
A Builder & Breaker How-To

13. An Optimal [Python] Sandbox
    class Sandbox(object):
        def __make_secure(self, unsafecode):
            """ Black Magic """
            return safecode

        def execute(self, code):
            exec self.__make_secure(code)

    if __name__ == '__main__':
        s = Sandbox()
        s.execute("print 'Hello World!'")  # Hello World!
        s.execute("*bad stuff*")           # RuntimeException
• What does this *black magic* really look like?
14. Blacklisting __builtins__
    def __make_secure(self, unsafecode):
        keyword_blacklist = ["file", "quit", "eval", "exec", "execfile", "exit"]
        for keyword in keyword_blacklist:
            if keyword in unsafecode:
                raise ValueError("Blacklisted")
        return unsafecode

15. Circumventing a Blacklist
• The problem with blacklists is that they’re always incomplete…
• What isn’t in the blacklist?
    s.execute("""
    __builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)
    """)
• Lesson learned…
  • If we can get a reference to something – we can invoke it.
16. Whitelisting __builtins__
    import sys

    def __make_secure(self, unsafecode):
        # Blacklisting code
        main = sys.modules["__main__"].__dict__
        orig_builtins = main["__builtins__"].__dict__
        builtins_whitelist = set((
            'ArithmeticError', 'AssertionError', 'AttributeError', ...      # Exceptions
            'False', 'None', 'True', ...                                    # Constants
            'basestring', 'bytearray', 'bytes', 'complex', 'dict', ...      # Types
            '__import__', 'abs', 'all', 'any', 'apply', 'bin', 'bool', ...  # Functions
            # Block: eval, execfile, file, quit, exit, reload, etc.
        ))
        for builtin in orig_builtins.keys():
            if builtin not in builtins_whitelist:
                del orig_builtins[builtin]
        return unsafecode

    # No way to do bad stuff now...
    s.execute('__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)')  # NameError

17. I Brought This Little Something…
• The whitelist ensures we don’t have anything useful in scope…
• But, can we bring more stuff into the scope?
    s.execute("""
    import os
    os.exec("python -c '*something bad*'")
    """)
• Lesson learned…
  • Whitelisting __builtins__ isn’t enough if the attacker can just import stuff

18. Whitelisting Imports
• Ever wondered how Python imports work?
    importer = __builtins__.__dict__.get('__import__')
    os = importer('os')
• And how to roll your own?

19. Whitelisting Imports
    def safe_importer(module_name, globals={}, locals={}, fromlist=[], level=-1):
        print "You can't import anything bad now..."
        good_modules = ['string', 're', ...]  # Doesn't include os, subprocess, or pickle!
        if module_name in good_modules:
            return __import__(module_name, globals, locals, fromlist, level)
        else:
            raise ImportError("You can't import this!")

    def __make_secure(self, unsafecode):
        # Blacklisting code
        # Whitelisting code
        orig_builtins['__import__'] = safe_importer
        return unsafecode

    s.execute("""
    import os
    os.exec("python -c '*something bad*'")
    """)  # ImportError
20. I Know I Left This Somewhere…
• What do we have left?
  • Do we have anything useful left?
• We have some types… let’s check them out
  • If we have a class – why not have a metaclass as well?
  • PEP 0253 - __bases__ & __subclasses__()

21. I Know I Left This Somewhere…

22. If We Have a Reference…
    s.execute("""
    __builtins__.__dict__['__import__'] = ().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']
    import os
    os.exec("python -c '*something bad*'")
    """)
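An added example, not the talk's code, working through the whitelisting of slides 16 and 19 in Python 3 together with a check for the attribute chain of slide 22: the guest gets a fresh copy of allowlisted builtins (instead of pruning the host's own __builtins__), a restricted __import__, and an AST pre-check on dunder names in place of slide 14's substring match. SAFE_BUILTINS, SAFE_MODULES and SandboxViolation are names chosen here; as slide 6 says, an in-process filter like this is not a security boundary.

```python
import ast
import builtins

# Allowlist for this example; the talk's slides elide theirs with "...".
SAFE_BUILTINS = frozenset([
    'ArithmeticError', 'AssertionError', 'AttributeError', 'ValueError',
    'False', 'None', 'True',
    'bool', 'dict', 'float', 'int', 'list', 'set', 'str', 'tuple',
    'abs', 'all', 'any', 'len', 'max', 'min', 'range', 'sorted', 'sum', 'zip',
])
SAFE_MODULES = frozenset(['string', 're', 'math'])  # no os, subprocess, pickle

class SandboxViolation(Exception):
    """Guest code rejected by the AST pre-check, before it runs."""

def safe_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__ (same signature) that honours SAFE_MODULES."""
    if name not in SAFE_MODULES:
        raise ImportError("import of %r is not allowed" % name)
    return __import__(name, globals, locals, fromlist, level)

def make_safe_builtins():
    """A fresh builtins dict for the guest; the host's builtins stay intact."""
    safe = {name: getattr(builtins, name) for name in SAFE_BUILTINS}
    safe['__import__'] = safe_import
    return safe

def check_ast(code):
    """Reject dunder attributes/names syntactically (.__class__, .__subclasses__, __builtins__)."""
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr.startswith('__'):
            raise SandboxViolation("dunder attribute %r" % node.attr)
        if isinstance(node, ast.Name) and node.id.startswith('__'):
            raise SandboxViolation("dunder name %r" % node.id)

def run_sandboxed(code):
    """Run guest code with the allowlisted builtins; return its 'result' variable."""
    check_ast(code)
    env = {'__builtins__': make_safe_builtins()}
    exec(compile(code, '<guest>', 'exec'), env)
    return env.get('result')

def outcome(code):
    """('ok', result) when the guest ran, ('blocked', exception name) otherwise."""
    try:
        return ('ok', run_sandboxed(code))
    except (SandboxViolation, NameError, ImportError) as exc:
        return ('blocked', type(exc).__name__)
```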
23.

24. Questions Time!
How many interactive Python interpreters were harmed while preparing this talk?

25. Thanks for listening!
misha.genkin@gmail.com

Editor's Notes

  1. Continue only if you have more than 10 minutes…
  2. About everything there is to know about Python 2.7 sandboxes