|
| From: | Roberto Baleno |
| Subject: | Re: Embedding Guile with sandboxing |
| Date: | Mon, 23 Nov 2015 00:50:24 +0000 |
I think there's nothing in Guile that provides sandboxing currently.Matthew Keeter writes:
> I’m currently embedding Python in a C / C++ application that evaluates
> user-provided scripts.
>
> Obviously, this is terribly unsafe: user-provided scripts can execute
> arbitrary malicious actions, and there’s no good way to sandbox Python
> in a desktop context.
>
> If I were to replace Python with Guile, is there a way to sandbox it
> so that arbitrary (perhaps malicious) user-provided scripts can be run
> safely?
>
> Regards,
> Matt
A path towards it is possible though: a limited subset of guile in a
capability security based environment could probably provide the
features desired. See the Rees Thesis:
http://mumble.net/~jar/pubs/secureos/secureos.html
Wingo has written about it with respect to Guile:
http://wingolog.org/archives/2011/03/19/bart-and-lisa-hacker-edition
I have thought about how this could be achieved in the Guile-verse. My
suspicion is that the best way to achieve it is to provide a new
language layer on the compiler tower which is "mostly scheme", but only
exposes a number of deemed-safe operators by default, and provides a
mechanism to add further procedures to the default environment.
Everything from there on out takes the "capability security through
lexical scope and the labmda calculus" approach described in the Rees
Thesis.
However, this doesn't exist in Guile at present. I'd love to see it
exist, though.
- Chris
| [Prev in Thread] | Current Thread | [Next in Thread] |