[e-lang] E research topics

David Wagner daw at cs.berkeley.edu
Fri Apr 13 17:52:30 CDT 2007


Zooko writes:
>Really?  I'm surprised that you think so.  Jon Leonard has already suggested
>ptrace (a la Systrace [1]) and selinux.  To this list I add "separate user
>account a la Polaris [2] and plash [3]" and "various forms of virtualization
>a la Jail [4], Xen [5], and Solaris Zones [6]".
[...]
>There may be all sorts of practical problems with this approach, but it doesn't
>appear to be a priori impossible to me.  Can you tell us more about why you
>think it is near-impossible?  Is it just the preponderance of practical hurdles
>or is there some theoretical hole in the very idea?

It might work.  I was thinking mainly of the practical challenges,
which seem formidable.  It'd take a lot of time to write policies
for all of the libraries one might want to use.  The policies might
be more coarse-grained than you'd want.  A sandbox won't prevent the
library from inappropriately exposing authority that is granted to it
to the application that calls it.  Legacy libraries won't be written
with capability discipline, so they'd have to be tamed, and that's a lot
of work.  Retrofitting legacy code to a capabilities paradigm is a
chore if you're lucky, and practically impossible if you're unlucky.
I suspect it is common in practice for library code to open files based
on the arguments passed to the library, and to provide authority to its
caller; these violate capability rules, and a sandbox can't help you
with these challenges.  It's also common for libraries to trust their
callers; if you pass in maliciously constructed arguments, I bet you can
frequently take control of the library (e.g., by exploiting an internal
buffer overflow or something).  The lack of memory safety makes this risk
more serious for native code than for Java.  Likewise, libraries often
aren't defensively consistent, so one client of the library may be able
to use the library to attack other clients of the library by causing
the library to behave incorrectly when servicing those other clients'
requests.  With enough effort, it might work, though I doubt you'd ever
be able to have much confidence that you've covered all the bases.

With enough thrust, even pigs can fly. :-)
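As an added illustration (not code from the thread or from any of the projects it names), the following constructed Python scenario shows two of the hurdles above: a path-prefix sandbox has to be coarse because a legacy library may legitimately open any file its caller names, and the library then passes that authority back to its caller, whereas a tamed library that takes an already-open file object needs no path policy at all. The sandbox class, the two library functions and the file names are all assumptions made up for the example.

```python
import os
import tempfile

# Constructed scenario (added illustration, not code from the thread): a coarse
# path-prefix "sandbox" standing in for a Systrace-style policy, a legacy library
# that opens whatever path its caller names, and a tamed variant taking a handle.

class SandboxDenied(PermissionError):
    pass

class PrefixSandbox:
    """Permits opens only under the listed dirs; cannot know which file was meant."""
    def __init__(self, allowed_dirs):
        self.allowed = [os.path.realpath(d) for d in allowed_dirs]

    def open(self, path):
        real = os.path.realpath(path)
        if not any(real.startswith(d + os.sep) for d in self.allowed):
            raise SandboxDenied(real)
        return open(real)

def legacy_parse(sandbox, path):
    """Legacy library: opens the path itself (ambient authority) and returns it."""
    return sandbox.open(path)

def tamed_parse(handle):
    """Tamed library: never names a path, so no path policy need be written."""
    return handle.read().strip()

def demo():
    """Returns (legacy_read_secret, outside_denied, tamed_result)."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")
        os.mkdir(data)
        for name, text in (("config.txt", "color=blue"), ("secret.txt", "hunter2")):
            with open(os.path.join(data, name), "w") as f:
                f.write(text + "\n")
        # Policy must allow the whole directory (coarse-grained): the library
        # may legitimately be asked for any file in it, so it reaches the secret.
        sb = PrefixSandbox([data])
        with legacy_parse(sb, os.path.join(data, "secret.txt")) as fh:
            legacy_read_secret = fh.read().strip() == "hunter2"
        try:
            sb.open(os.path.join(root, "outside.txt"))
            outside_denied = False
        except SandboxDenied:
            outside_denied = True
        with open(os.path.join(data, "config.txt")) as cfg:  # one capability
            tamed_result = tamed_parse(cfg)
        return legacy_read_secret, outside_denied, tamed_result
```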

