[e-lang] Unsafe code in capability languages
Dean Tribble
dtribble at gmail.com
Wed Aug 30 01:23:52 CDT 2006
On 8/29/06, David Hopwood <david.nospam.hopwood at blueyonder.co.uk> wrote:
>
> Kevin Reid wrote:
> > On Aug 29, 2006, at 17:17, David Hopwood wrote:
> >
> >>... and now I'm even less clear on what is the best practice for
> >>writing single-file E scripts where trusted code is clearly separated
> >>from untrusted code.
My first reaction was that trying to draw the security distinctions within
that start-up module is dangerous, but the same issues arise in lots of
other modules (thus driving the Author[izer] pattern), so it's a good
requirement for a "module" system.
> > Directly, there isn't one, because there can always be a reference to
> > a privileged-environment name buried within 'safe' code.
Which sounds suspiciously like "ambient authority", at least within the
module.
> > I haven't been able to think of a solution that doesn't require tools
> > to safely inspect such code.
I think that would be a syntactic failure :) This is important to be able to
express naturally.
> The drawbacks of these approaches suggest that it may be preferable to
> adopt something similar to Constantine's idea after all: evaluate the
> whole script starting with the safe scope, and then evaluate
> "powerBox(<unsafe>)" or similar in the resulting scope.
This fits with my theory about a module system: instead of having the
unsafe__uriGetter in scope in ".e" files, the ".e" file should specify a
function to be called with the unsafe__uriGetter. That function can then
divvy out the contents, but other functions in the module would not
ambiently have the authority. This looks a lot like the Author[izer]
pattern, which I find syntactically cumbersome, but semantically sound (or
at least secure :-). I just want syntactic support for it!
I will reconstruct your example to see if it can be made sufficiently clean
without special syntax:
    # safe part: helloWorld uses only the `out` object it is handed
    def helloWorld(out) {
        out.println("Hello, World!")
    }

    # unsafe part: javaStdout is a forward declaration, bound only inside powerBox
    def javaStdout
    def std_out {
        to println(text :String) :void {
            javaStdout."println(String)"("HelloWorld: " + text)
        }
    }

    # the one function that receives the unsafe URI getter
    def powerBox(<world>) {
        bind javaStdout := <world:java.lang.System>.getOut()
        helloWorld(std_out)
    }

    # at the REPL:
    ? powerBox(<unsafe>)
    HelloWorld: Hello, World!
It's interesting that I almost entirely reversed the order of your
operations, with the safe part at the top, then the unsafe declarations, and
finally returning the powerBox function. This is because, to avoid nesting
scopes, I want to just declare something at the outer level, which puts it
in scope for the rest of the file (order is sort of implicit nesting). I'm
going to have to think about that, since I was assuming for a module system
you'd want to have "imports" declared at the top. Perhaps an easy syntax
for non-indenting blocks....
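An added example, in Python rather than E and not code from this thread, of the loader shape the message describes: the script body is evaluated in a scope that does not contain the unsafe getter, and only the script's powerBox function is then handed it. SCRIPT_SRC, UnsafeWorld and evaluate_script are constructed for illustration; Python's exec stands in for E's safe scope here to show the scoping pattern, not as a real isolation boundary.

```python
import io
import types

# Constructed script text mirroring the E sketch in the message (Python syntax).
SCRIPT_SRC = '''
def helloWorld(out):
    out.println("Hello, World!")

# unsafe part: javaStdout stays unbound until powerBox binds it
javaStdout = None

class StdOut:
    def println(self, text):
        javaStdout.write("HelloWorld: " + text + "\\n")

def powerBox(world):
    global javaStdout
    javaStdout = world.get("java.lang.System").out   # the one explicit grant
    helloWorld(StdOut())

def sneaky():
    return unsafe.get("java.lang.System")   # ambient reach: name not in scope
'''

class UnsafeWorld:
    """Stand-in for <unsafe>: the only path to host objects (assumed API)."""
    def __init__(self, out):
        self._hosts = {"java.lang.System": types.SimpleNamespace(out=out)}

    def get(self, name):
        return self._hosts[name]

def evaluate_script(src, unsafe):
    scope = {"__name__": "e_script"}   # safe scope: no 'unsafe' name in it
    exec(src, scope)                   # defines the script's functions
    scope["powerBox"](unsafe)          # then hand authority to powerBox only
    return scope

def ambient_access_fails(scope):
    """True when a non-powerBox function cannot even name the unsafe getter."""
    try:
        scope["sneaky"]()
    except NameError:
        return True
    return False

def demo():
    """Run the script against a captured stdout; returns (output, ambient_failed)."""
    buf = io.StringIO()
    scope = evaluate_script(SCRIPT_SRC, UnsafeWorld(buf))
    return buf.getvalue(), ambient_access_fails(scope)   # ('HelloWorld: Hello, World!\n', True)
```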