[e-lang] Unsafe code in capability languages

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Aug 29 21:46:20 CDT 2006


Kevin Reid wrote:
> On Aug 29, 2006, at 17:17, David Hopwood wrote:
> 
>>... and now I'm even less clear on what is the best practice for  
>>writing single-file E scripts where trusted code is clearly separated
>>from untrusted code.
> 
> Directly, there isn't one, because there can always be a reference to  
> a privileged-environment name buried within 'safe' code.
> 
> I haven't been able to think of a solution that doesn't require tools  
> to safely inspect such code.
> 
> 1. Placing all the code in one file (expression).
[...]
> 2. A new script format, essentially an archive, which consists of a  
> privileged ".e" section followed by an unprivileged ".emakers"  
> section, which the privileged section can load from.
[...]
> 3. Quoting the safe code within the privileged.
[...]

The drawbacks of these approaches suggest that it may be preferable to
adopt something similar to Constantine's idea after all: evaluate the whole
script starting with the safe scope, and then evaluate "powerBox(<unsafe>)"
or similar in the resulting scope.

(Actually the powerbox might not be given the user's full authority, but
let's start assuming that it is.)

rune *almost* has the needed functionality already, with its --confine and
-src arguments. Command arguments don't work on a shebang line (except on
Solaris, according to some Googling), so we'll just use rune from the shell.

----
# Forward declaration: helloWorld is resolved by the 'bind' below, so the
# privileged powerBox can refer to it before its (unprivileged) body appears.
def helloWorld
# The only privileged part. <world> is bound to whatever scope the caller
# passes (intended: <unsafe>), and nothing else in the file can name it.
def powerBox(<world>) {
   def javaStdout := <world:java.lang.System>.getOut()
   # Attenuated facet: the script receives println and nothing else;
   # javaStdout itself never leaves powerBox.
   def std_out {
      to println(text :String) :void {
         javaStdout."println(String)"("HelloWorld: " + text)
      }
   }
   helloWorld(std_out)
}

# Unprivileged part: can only use the authority explicitly handed to it.
bind helloWorld(out) {
   out.println("Hello, World!")
}
----

$ rune --confine helloWorld.e

No output, as expected.

$ rune --confine helloWorld.e --src "powerBox(<unsafe>)"

Still no output. Drat.

Check that adding "powerBox(<unsafe>)" to the end of helloWorld.e works without
--confine, and fails with --confine. OK.

$ rune --src "<unsafe:java.lang.System>.getOut().\"println(String)\"(\"hello\")"
hello

Arrgh. So near, and yet so far.


Pretty please, can we have 'rune --confine ... --src "..."' do the right thing?

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
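The remark above that the powerbox need not be given the user's full authority is worth spelling out. The following is an added example (not code from the original post or from the E distribution) of the same file layout with an attenuated powerbox: the privileged section takes whatever scope the caller passes, but hands the confined section a single-method, revocable stdout facet rather than the scope itself. The file name attenuatedHello.e and the object names limitedOut, revocableOut and revoker are assumptions for this illustration.

```e
# attenuatedHello.e (added example; names other than helloWorld/powerBox are assumed)

def helloWorld

def powerBox(<world>) {
   # Only this block ever sees <world>. Everything below is derived authority.
   def javaStdout := <world:java.lang.System>.getOut()

   # Attenuation: a one-method facet with a fixed prefix. No reference to
   # <world> or javaStdout can be reached through it.
   def limitedOut {
      to println(text :String) :void {
         javaStdout."println(String)"("HelloWorld: " + text)
      }
   }

   # Revocation: the privileged side keeps a switch the confined side
   # cannot see, so the grant can be withdrawn after the call returns.
   var enabled := true
   def revocableOut {
      to println(text :String) :void {
         if (enabled) {
            limitedOut.println(text)
         } else {
            throw("stdout authority has been revoked")
         }
      }
   }
   def revoker {
      to revoke() :void { enabled := false }
   }

   # The confined code gets the wrapper, never limitedOut or javaStdout.
   helloWorld(revocableOut)
   revoker.revoke()
}

# Confined part: it can print only through 'out', and only until revoked.
bind helloWorld(out) {
   out.println("Hello, World!")
}
```

As the post notes for helloWorld.e, the way to exercise this today is to append the line `powerBox(<unsafe>)` to the file and run it with plain `rune attenuatedHello.e`; under `--confine` the same file produces no output because `<unsafe>` is not in scope. In the unconfined run the whole file is privileged, so the attenuation and revocation are a discipline rather than something rune enforces; the point of the requested `--confine ... --src` combination is precisely to make the separation enforced.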
