Securing python on Linux….

During the last few days I learned how to manage my way through the Python source code with some useful tools (IPython, DDD… – Thank you Jeff) and how to rebuild the new secured python interpreter.

After building Brett Cannon’s security work for securing the python interpreter on Linux, I got an error that cost me two days of debugging.

The error that I got from running the new “secure_python.exe” interpreter was: import of controlled_importlib failed!

Debugging the problem while stepping into python core functions started to look hopeless… So I decided that I should give it a try and send an email to the one that actually wrote the code (makes sense, right?) but unfortunately I was answered that he has not touched that branch in about a year.

After googling the problem a while and reading some blogs I figured out that Brett Cannon actually used a Mac, so why not give it a try and install it on one. I headed to Keren Reid’s office and we tried together to install it on her machine. As expected it worked just fine…..

Trying to debug the error, and to understand from where the NULL that breaks everything is returned, started to seem like a trip to an infinite loop inside the deep Python source code of bytes set…… That's why we decided to ask “the one that knows everyone”, Greg Wilson, what we should do next. A few seconds after asking him my mailbox had a new email waiting to be replied from David Wolever (that was staying in Brazil meanwhile…). David was so professional that in one hour he already analyzed the problem and told me what my next step should be. The problem was actually found where the functools library is imported (as the strace tool suggested) and an undefined symbol was found: PyExc_TypeError.

Meanwhile I didn’t notice that Jeff Balogh had tried to debug the problem himself and he actually got to the same conclusion but also to the solution.

Do you know the feeling of spending a few days debugging a problem that could be solved in less than ten seconds?

Exactly, it is simpler than building Web-CAT:

Add the “-Xlinker -export-dynamic” option when building secure_python.exe with gcc. -Xlinker passes the option that follows it to the linker, which is how you supply system-specific linker options that GCC does not recognize itself. (Sounds complicated? Well, just add the option in the file where secure_python.exe is built.)

So after a lot of hours, a lot of source code and a lot of computer scientists, I can proudly announce:

And the winner is…………..

Jeff Balogh !!!!

June 25, 2008 at 3:54 am 1 comment

Do we understand security?

I read as much material as I could so I could start to have more
knowledge about the structure and the ideas behind Brett Cannon’s

Jeff Balogh helped me a lot and introduced me to some tools for python
that made my life so easy in a second. Now I use IPython instead of the
regular python, it is a plugin that wraps the regular distribution and
creates new commands and much more features that make a developer’s
life like heaven.

In addition I checked out two of Brett Cannon’s projects from the python
svn repository: bcannon-objcap/, bcannon-sandboxing/.
Despite the names the sandboxing project actually deals with memory allocation
and usage and the objcap project is the security for python.

I spent some time also going over his personal blog and I found out some
posts that are very interesting for us:

As you can see in one of the blog’s posts nobody has tried the sandbox except
Brett Cannon himself, although he mentioned that he finished the security work!

My plan for the next days is to continue to look at the code until I understand
the implementation well enough.

Luke started to test the plug-in with some test cases that I transferred him and
also some of his own. Although he already found some bugs, all the bugs found are
currently not related to the plug-in but to Web-CAT. Everything will be recorded
but all the bugs that are not related to our work will currently remain unfixed.
If we will have additional time after the projects will be ready, we will go over the records
and fix the Web-CAT bugs (after talking to Stephen about it, of course).

June 20, 2008 at 2:34 pm Leave a comment

Blooming time!

First of all the python plugin for Web-CAT is ready to be tested!!!

(Luke will try to break it next week…)

A full feedback is generated including a colored html version of the student submissions!

Comments can be added to the files from the web browser by the TAs and instructors!

The html version of the student files is actually created so that Web-CAT will know how to refer to the data and display it with all the inserted comments from the browser. That means that all the files submitted to Web-CAT servers will have to have the same structure.

Next week will be dedicated for research. I will need to learn more about how to sandbox python so that the files will be run in a secure environment on the servers.

Three major meetings had been held this week:

– The first one was with all the summer students/mentors and each one had 60 seconds to explain what he accomplished till now and what is his situation.

– The second meeting was with four TAs that used OLM in the past so that we could get a reasonable feedback for the usability and interface problems.

– The third was with Gene Amdur, that generously came to give us some piece of advice. We figured out together a schedule for the rest of the project time so that we will be as efficient as possible. In addition we got a lot of advice from the experience of a well known figure in the industry (as well as stories about Greg Wilson…).

June 13, 2008 at 9:07 pm 2 comments

Hard to see an Ant with all this sand…..

While trying to write an Ant script that will run python files, test them and return a coverage report I ran into the following problems:

– Cannot pass a pattern of file types into exec task.

– Coverage report for the wanted file types returns 0 percent!

– Coverage execution of files can’t get a bunch of files in the command line but just one by one

– Nosetests coverage is not working

– Didn’t find a useful loop in ant (for, foreach are not recognized) for iterating over files passed to coverage.


exec needs to be thrown away in favour of the apply task! The apply task can get a set of files for an external command (filesets). By removing the file from /usr/bin the nosetests command with coverage (see nosetests -h for more details about options) works but gives a different percentage result from the coverage tool. So by using the apply task with the tool and -x as an argument the test files are executed. After that command, needs to be executed again with -r to gather all the reports saved before.

Now we have all the test results, all the coverage reports, Do we need something more or we found all the ants?

May 27, 2008 at 8:15 pm Leave a comment

Let the game begin!!!

Two projects that we are working on and will be blogged here during 2008 summer:

– Web-CAT plugin for supporting python programs

– Eclipse plugin to support grading on Web-CAT server

For now we installed Web-CAT on our machines and checked out the repository so we could go over the source code. First of all we have to be experts on the program so that we would be able to understand all the problems and questions that could arise during the next weeks. For this reason we spent a lot of time figuring out how to handle the program and prepared a presentation that will be presented to our mentors this week.

May 14, 2008 at 5:51 pm Leave a comment
