[e-lang] Unsafe code in capability languages
Kevin Reid
kpreid at mac.com
Tue Aug 29 17:59:13 CDT 2006
On Aug 29, 2006, at 17:17, David Hopwood wrote:
> ... and now I'm even less clear on what is the best practice for writing
> single-file E scripts where trusted code is clearly separated from untrusted
> code.
Directly, there isn't one, because there can always be a reference to
a privileged-environment name buried within 'safe' code.
I haven't been able to think of a solution that doesn't require tools
to safely inspect such code.
1. Placing all the code in one file (expression).
Requires a tool to examine whether privileged names, or locally
bound names for privileged objects, or proxies for privileged
objects, are used by each toplevel expression.
We can and do run scripts like this now, but the tool for
inspection would be complex and subtle.
2. A new script format, essentially an archive, which consists of a
privileged ".e" section followed by an unprivileged ".emakers"
section, which the privileged section can load from.
Requires a tool to separate the chunks, unless the privileged
section is simple enough to be inspectable for not attempting to
spoof whatever the separation between sections is.
This doesn't exist now, but the tool for inspection would be
straightforward.
There might also be other uses for the format; the code can be
directly separated into .emakers, or combined from them (much like a
jar file), and this might fit in well with E's future module system.
3. Quoting the safe code within the privileged.
Requires a prettyprinter/reformatter/structure editor to remove
potential obfuscation (see examples below).
We can run scripts like this now; the tool would be
straightforward (but complex), and possibly useful for editing code.
(Currently, E expressions can be printed but only post-expansion.)
------------------------------
Example of quoting obfuscation
The apparently innocent code
  def safeComponent := e`
  def safeComponent {
      ...
  }
  `.eval(safeScope)
might actually contain
  def safeComponent := e`
  def safeComponent {
      to someMethod() {
          ...
      }}`;<file:/>.delete(null);e`def_{to(){
          ...
      }
  }
  `.eval(safeScope)
or (only if quasiquotes are used)
  def safeComponent := e`
  def safeComponent {
      to someMethod() {
          ${<file:/>.delete(null);e`null`}
      }
  }
  `.eval(safeScope)
--
Kevin Reid <http://homepage.mac.com/kpreid/>
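An added example, not code from Kevin Reid's message or from E's own tooling, of the kind of mechanical check option 3 needs before a human can trust quoted "safe" code. It is written in Python rather than E: a scanner that finds where each e`...` quasi-literal really ends and whether it contains $-holes, then checks that nothing but the `def name := e` / `.eval(safeScope)` wrapper sits outside the literal. Assumptions, not facts from the post: a quasi-literal closes at the next single backtick, a doubled backtick is an escaped backtick, `$$` and `@@` are escaped `$` and `@`, and `${...}`, `@{...}` and bare `$name` open holes. The three sample scripts are constructed to follow the innocent and the two obfuscated examples above.

```python
"""Scanner for E quasi-literals: where does an e`...` literal really end, and
does it contain holes? Added example, not code from the e-lang post or from
E's tools. Assumed E conventions: a literal closes at the next single backtick;
`` is an escaped backtick; $$ and @@ are escaped; ${...}, @{...}, $name are holes."""
import re


def _scan_literal(src, i):
    """src[i] is an opening backtick. Return (closing index or None, hole offsets)."""
    holes, j = [], i + 1
    while j < len(src):
        c, nxt = src[j], src[j + 1:j + 2]
        if c == "`":
            if nxt == "`":                        # escaped backtick, keep scanning
                j += 2
                continue
            return j, holes
        if c in "$@" and nxt == c:                # escaped $ or @
            j += 2
            continue
        if c in "$@" and nxt == "{":              # ${expr} / @{pattern} hole
            holes.append(j)
            j = _skip_hole(src, j + 1)
            continue
        if c == "$" and (nxt.isalpha() or nxt == "_"):
            holes.append(j)                       # bare $name hole
        j += 1
    return None, holes


def _skip_hole(src, i):
    """src[i] is the '{' opening a hole. Return the index just past its matching
    '}', stepping over any quasi-literal nested inside the hole."""
    depth, j = 0, i
    while j < len(src):
        c = src[j]
        if c == "`":
            end, _ = _scan_literal(src, j)
            if end is None:
                break
            j = end + 1
            continue
        depth += (c == "{") - (c == "}")
        if depth == 0:
            return j + 1
        j += 1
    return len(src)


def scan(src):
    """Split src into (literals, outside): literals as (start, end, holes)
    triples, outside as the code segments lying outside every literal."""
    literals, outside, i, seg = [], [], 0, 0
    while i < len(src):
        if src[i] != "`":
            i += 1
            continue
        outside.append(src[seg:i])
        end, holes = _scan_literal(src, i)
        literals.append((i, end, holes))
        if end is None:                           # unterminated: nothing follows
            return literals, outside
        i = seg = end + 1
    outside.append(src[seg:])
    return literals, outside


WRAPPER_HEAD = re.compile(r"^\s*def\s+\w+\s*:=\s*e$")   # "def name := e" before the literal
WRAPPER_TAIL = re.compile(r"^\.eval\(safeScope\)\s*$")  # ".eval(safeScope)" after it


def audit(src):
    """Findings for a script. Empty means exactly one terminated, hole-free
    quasi-literal with nothing but the wrapper around it."""
    literals, outside = scan(src)
    findings = []
    if len(literals) != 1:
        findings.append("expected one quasi-literal, found %d" % len(literals))
    for k, (start, end, holes) in enumerate(literals):
        if end is None:
            findings.append("literal %d at offset %d is unterminated" % (k, start))
        findings += ["literal %d has a hole at offset %d: %r" % (k, h, src[h:h + 12]) for h in holes]
    if not WRAPPER_HEAD.match(outside[0]):
        findings.append("unexpected code before the literal: %r" % outside[0])
    if len(outside) < 2 or not WRAPPER_TAIL.match(outside[-1]):
        findings.append("unexpected code after the literal: %r" % outside[-1])
    findings += ["code outside any literal: %r" % seg for seg in outside[1:-1]]
    return findings


# Constructed samples following the three scripts in the post.
INNOCENT = "def safeComponent := e`\ndef safeComponent {\n    ...\n}\n`.eval(safeScope)"
ESCAPES_BY_TERMINATION = ("def safeComponent := e`\ndef safeComponent {\n    to someMethod() {\n"
                          "        ...\n    }}`;<file:/>.delete(null);e`def_{to(){\n"
                          "        ...\n    }\n}\n`.eval(safeScope)")
ESCAPES_BY_HOLE = ("def safeComponent := e`\ndef safeComponent {\n    to someMethod() {\n"
                   "        ${<file:/>.delete(null);e`null`}\n    }\n}\n`.eval(safeScope)")
```

The scanner only reports; it does not decide. `audit(INNOCENT)` comes back empty, the termination trick shows up as a second literal plus code outside any literal, and the quasiquote trick shows up as a hole inside the one literal. It deliberately knows nothing about E's grammar beyond literal boundaries, which is exactly why the post's preferred tool is a prettyprinter working on the expanded expression: that shows the reader the real structure instead of trusting the layout the author chose.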