I have (what feels like) very exciting news.  I finally sat down to code up my
sandboxing extension, based on what I've learned from Try Ruby.  This extension
is written in C and is designed to open a blank symbol table, fill it with the
basic boilerplate and eval a string within that environment.

The extension contains a whitelist of methods and classes to move into the blank
environment.  The code grabs the NODE for each method body and replants the
CFUNC in the sandbox.  Allocators and singletons and all that get copied.

So how does it actually eval the code?  Well, it swaps out rb_class_tbl and all
the rb_(m|c|e)\w+ variables just before eval.  Then, it rb_obj_instance_evals on
an anonymous object (sandbox's `main`) inheriting from the new sandbox->cObject.
I then rb_ensure and swap the normal vars back in.

Here is the code: 

  <http://code.whytheluckystiff.net/svn/sandbox/trunk>

For now, just compile the extension in ext/sand_table/.

  require './sand_table.so'
  p Sandbox.new.eval("'test' + ' strings'")
  p Sandbox.new.eval("Kernel.fork")

I am able to keep the entire sandbox self-contained.  I only have one issue:
I can't replace rb_global_tbl since it is static.  I need it to be extern, is
this possible?

If I cannot replace rb_global_tbl, this leaves an exploit:

  p Sandbox.new.eval("$0.class.ancestors.last.method(:p)")

So the globals can be used to get a handle to the unsafe Kernel.

Thanks for listening!  Any help stabilizing this intrepid effort is welcome, of
course!

_why