Closed: masomel closed this issue 6 years ago
Can we use type safety as our main protection method? Idea: prevent native code from getting pointers to stack frame objects.
No, this is insufficient since it is also possible for Python code to tamper with the call stack.
Can we use memory protection domains to only allow the interpreter itself to modify the stack frame?
Yes, memory domains can help us guarantee that only the interpreter itself can modify the call stack. In response to this, memory domain support is being added to the kernel (https://github.com/masomel/pyronia-linux/pull/19) and the corresponding userspace library is being integrated (#5).
The stack tracer thread is a means to ensure that the interpreter does not lie about the call stack, but a malicious library could still tamper with the call stack before the SI thread collects the information to send back to the LSM.
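To make the memory-domain idea concrete, here is an added example that is not Pyronia's code and not the kernel patch linked above. It assumes Linux protection keys (Intel MPK, reached through the `pkey_alloc`/`pkey_mprotect` syscalls and the PKRU register) as the domain mechanism, which the issue itself does not specify. A single page stands in for the interpreter's frame store; a stand-in `interpreter_push_frame` is the only code that opens the domain for writing, and a stand-in `untrusted_library_write` shows that a write from outside that code path is refused by the hardware. The function names, the page layout and the `run_demo` return codes are all constructed for this illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Rights bits, same encoding as the two PKRU bits per key. */
#ifndef PKEY_DISABLE_ACCESS
#define PKEY_DISABLE_ACCESS 0x1u
#endif
#ifndef PKEY_DISABLE_WRITE
#define PKEY_DISABLE_WRITE 0x2u
#endif
#ifndef SEGV_PKUERR
#define SEGV_PKUERR 4
#endif

/* Pure helper: PKRU value that gives `key` exactly `rights`. */
unsigned int pkru_with_rights(unsigned int pkru, int key, unsigned int rights) {
    unsigned int shift = 2u * (unsigned int)key;
    return (pkru & ~(3u << shift)) | ((rights & 3u) << shift);
}

#if defined(__x86_64__) && defined(SYS_pkey_alloc)
static unsigned int rdpkru(void) {            /* opcode bytes: rdpkru */
    unsigned int eax, edx;
    __asm__ volatile(".byte 0x0f,0x01,0xee" : "=a"(eax), "=d"(edx) : "c"(0));
    return eax;
}
static void wrpkru(unsigned int pkru) {       /* opcode bytes: wrpkru */
    __asm__ volatile(".byte 0x0f,0x01,0xef" : : "a"(pkru), "c"(0), "d"(0) : "memory");
}
static void set_key_rights(int key, unsigned int rights) {
    wrpkru(pkru_with_rights(rdpkru(), key, rights));
}

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_code;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_code = si->si_code;   /* SEGV_PKUERR: the key refused the access */
    siglongjmp(fault_jmp, 1);
}

/* Hypothetical interpreter path: the only code that opens the domain. */
static void interpreter_push_frame(char *frames, int key, char frame_tag) {
    set_key_rights(key, 0);                   /* open for writing ... */
    frames[0] = frame_tag;
    set_key_rights(key, PKEY_DISABLE_WRITE);  /* ... and close again */
}

/* Hypothetical native extension writing to the frame store directly. */
static __attribute__((noinline)) void untrusted_library_write(char *frames) {
    frames[0] = 'X';
}

/* 1: interpreter write ok and library write blocked; 0: property violated
 * or setup failed; -1: protection keys unavailable on this machine. */
int run_demo(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *frames = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (frames == MAP_FAILED) return 0;
    int key = (int)syscall(SYS_pkey_alloc, 0, 0);
    if (key < 0) { munmap(frames, page); return -1; }
    if (syscall(SYS_pkey_mprotect, frames, page, PROT_READ | PROT_WRITE, key) != 0) {
        syscall(SYS_pkey_free, key); munmap(frames, page); return 0;
    }
    set_key_rights(key, PKEY_DISABLE_WRITE);  /* read-only outside the interpreter */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = 0;
    interpreter_push_frame(frames, key, 'A');
    if (frames[0] == 'A') {
        fault_code = 0;
        if (sigsetjmp(fault_jmp, 1) == 0) {
            untrusted_library_write(frames);  /* expected to fault */
            result = 0;                       /* reached only if not blocked */
        } else {
            set_key_rights(key, PKEY_DISABLE_WRITE);  /* kernel may reset PKRU on signal */
            result = (fault_code == SEGV_PKUERR && frames[0] == 'A') ? 1 : 0;
        }
    }
    sigaction(SIGSEGV, &old, NULL);
    set_key_rights(key, 0);
    syscall(SYS_pkey_free, key);
    munmap(frames, page);
    return result;
}
#else
int run_demo(void) { return -1; }  /* no protection keys on this platform */
#endif

int main(void) {
    int r = run_demo();
    puts(r == 1 ? "library write blocked by the memory domain"
       : r == -1 ? "protection keys unavailable on this machine"
       : "FAILED: library write was not blocked");
    return 0;
}
```

Two caveats matter for the design discussed here. PKRU is per thread, so a separate tracer thread sees its own rights, not the interpreter thread's; and a purely user-space key scheme does not stop untrusted native code from executing `wrpkru` itself, which is why the domain enforcement belongs in the kernel rather than in the library.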
Questions that need to be answered to solve this problem: