Re: modify environments to make sandboxes

guile-user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: modify environments to make sandboxes

From:	Ludovic Courtès
Subject:	Re: modify environments to make sandboxes
Date:	Thu, 22 Jun 2006 14:34:10 +0200
User-agent:	Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Hi,

Neil Jerram <address@hidden> writes:

> address@hidden (Ludovic Courtès) writes:
>
>> Code confinement is indeed an interesting feature.  Fortunately, Guile
>> offers various ways to do it (AFAIK, there's no standard way to do this
>> in R5RS Scheme).  :-) [...]
>
> That's a very nice explanation.  Is there a good place for it
> somewhere in the manual?  (If not, perhaps we should start a "How can
> I do XXX" section.)

(Sorry, I think I had skipped this message.)

We don't have "how to" sections in the manual, but for this specific
topic, perhaps we could add a subsection under "The Guile module
system"?

Note that control over a module's name space (as described in my post)
is not the only thing needed to safely evaluate untrusted code.  The
user would also need finer control over all the resources used by the
code at hand (in order to prevent DoS attacks), particularly memory
(heap and stack) and CPU.

Unfortunately, I don't think this can be realized using Guile, except
maybe by running the untrusted code in a separate process and relying on
the OS' resource accounting mechanisms (e.g., `setrlimit' --- but Guile
core doesn't provide bindings for it).  However, running untrusted code
in a separate process would preclude, practically, resource sharing with
the user's trusted code (e.g., an Xchat Scheme plug-in would be useless
as a separate process because it would be unable to access the data
structures of the "real" Xchat).

The "ideal" solution would imply things like:

  * changing the evaluator so that several evaluators with different
    `eval-options' can be instantiated (pretty much like the
    `guile-reader' approach); this way, untrusted code could be
    evaluated with an evaluator that has custom stack limits;

  * having, roughly, a `current-heap' fluid that would be referred to
    anytime heap is allocated (hmm...);

  * similarly, have CPU time slice capabilities that would be passed
    to `eval' either explicitly or via a fluid.

But, well, going back to the documentation issue at hand, perhaps we can
just mention that Guile lacks certain features to allow for really safe
execution of untrusted code.  ;-)

Thanks,
Ludovic.

[Prev in Thread]

Current Thread

[Next in Thread]

modify environments to make sandboxes, Mildred, 2006/06/12
- Re: modify environments to make sandboxes, Ludovic Courtès, 2006/06/12
  - Re: modify environments to make sandboxes, Neil Jerram, 2006/06/12
    - Re: modify environments to make sandboxes, Ludovic Courtès <=
    - Re: modify environments to make sandboxes, Alan Grover, 2006/06/22
    - Re: modify environments to make sandboxes, Ludovic Courtès, 2006/06/23
- Re: modify environments to make sandboxes, Jon Wilson, 2006/06/28

Prev by Date: Re: guile profiling tools?
Next by Date: timezone offsets
Previous by thread: Re: modify environments to make sandboxes
Next by thread: Re: modify environments to make sandboxes
Index(es):
- Date
- Thread