[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Restricting Guile: a Guile-based sandbox.

From: Alejandro Forero Cuervo
Subject: Restricting Guile: a Guile-based sandbox.
Date: Tue, 11 Sep 2001 15:53:12 -0500
User-agent: Mutt/1.2.5i

Hello. :)

I am currently designing a web-portal application called HBZones.
It's goal is to let anybody post content to the web-portal's it
manages through HTML forms.  It is designed on top of HB
<>, which already provides functionality to create
dynamic web-content using Guile.

I want to let HBZones' users submit ``programmable'' content.  For
instance, I want to let HBZones' users submit certain Scheme functions
that evaluate either to true or to false, and use Scheme to evaluate
them.  Actually, it is more complex than that: I want to let the users
submit ``content'' (in the form of Scheme code) that does certain
checks on the users and displays different information depending on
their results.  This Scheme code comes through HTML forms from
different potentially malicious users.

I want to use Guile for this, rather than code my own tiny-lisp
secure interpreter.  For this, I need to do the following things
(hopefully from C code):

1. Restrict the maximum time a given call to gh_eval_call might take.
   Hopefully without using alarm(2).  The restriction might be based
   on the number of cycles or total number of function calls or
   something along those lines.  I just need to make sure a malicious
   user can't take control of the server process through here.

2. Restrict the maximum memory a given call to gh_eval_call might

3. Restrict the functions/symbols provided in the environment that the
   gh_eval_call evaluates in to a specific set, so only functions I
   explicitly list can be executed.

4. Reset the environment after executing the user's code, so that if
   it defined symbols, they will be lost and the memory they used will
   be freed.  This is necessary so the users won't be able to corrupt
   the environment in any way.

I would appreciate any information you can send me on how to do any of
these things, so I can use Guile rather than be forced to create my
own tiny Lisp interpreter.  I would also appreciate any other
suggestions you might have: am I overlooking things?

Creating a different Unix account for each user is, unfortunately, not
an option.

Thank you very much for your help.


The mere formulation of a problem is far more essential than its solution.
      -- Albert Einstein.

$0='!/sfldbi!yjoV0msfQ!sfiupob!utvK'x44;print map{("\e[7m \e[0m",chr ord
"219CC1CCC033E7E660198CCE4E66798303873CCE60F3387$F"#Don't you love Perl?

Attachment: pgp2S4YaPnMrn.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]