caml-list - the Caml user's mailing list
* [Caml-list] language-based permissions?
@ 2003-12-08  5:12 Josh Burdick
  2003-12-08  5:39 ` Nicolas Cannasse
  0 siblings, 1 reply; 2+ messages in thread
From: Josh Burdick @ 2003-12-08  5:12 UTC (permalink / raw)
  To: caml-list

    I noticed that as of OCaml 3.05, there was a new option, 
"-nostdlib".  It seems superficially like with this, and the 
"-nopervasives" option, you could do language-based security (as in the 
MMM web browser of yore, Java, and Perl's Safe module, among many others.)
    In the attached three files, it seems like "foo.ml" should only be 
allowed to see, and use, the primitives in "fileworld.ml" (which aren't 
much; this is a toy example.)  If "foo.ml" tries to use anything else 
(as in the commented-out "print_string" line), it gets "Unbound value" 
errors in compiling, and can't.
    My question: could "foo.ml" call other primitives somehow, even 
though they're not linked in?  Using the preprocessor, or "external" 
functions, maybe?  (Assuming that you don't use the "-unsafe" option, 
of course...)

    Thanks,
    Josh Burdick
    jburdick@gradient.cis.upenn.edu

==> fileworld.ml <==
open Pervasives
 
let (+) = (+)
let print_int = print_int
 
==> foo.ml <==
open Fileworld
 
let _ =
(*  print_string "test\n" *)
  print_int (2+2)
 
==> makescript.sh <==
#!/bin/bash
 
ocamlc -c fileworld.ml
 
# now, this should only allow primitives in fileworld.ml to be used...
ocamlc -c -nopervasives -nostdlib foo.ml
 
# to build the final object, need to allow Pervasives to be linked in
ocamlc fileworld.cmo foo.cmo


-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
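Added example (not part of Josh's message or this thread): a gate around the makescript.sh build that refuses an untrusted module declaring "external" primitives, because "external" is a core language construct that binds a name straight to a runtime C primitive and is not hidden by -nopervasives or -nostdlib, which only hide library modules. The function names and the sample modules below are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the thread. Wraps the makescript.sh build in a scan
# that rejects an untrusted module declaring C primitives: `external` binds a
# name directly to a runtime primitive, so -nopervasives/-nostdlib do not
# stop it. Function names and sample modules are constructed for this example.

# Exit 0 if no `external` token appears in the file, 1 otherwise. Deliberately
# conservative: a commented-out or quoted `external` is rejected as well.
reject_externals() {
  local file="$1"
  if grep -Eq '(^|[^A-Za-z0-9_])external[[:space:]]' "$file"; then
    echo "refusing $file: 'external' would bind a C primitive" >&2
    return 1
  fi
}

# Same three ocamlc steps as makescript.sh, gated on the scan. Without ocamlc
# installed the scan result alone is returned, so the gate still runs offline.
build_sandboxed() {
  local dir="$1" trusted="$2" untrusted="$3"
  reject_externals "$dir/$untrusted" || return 1
  command -v ocamlc >/dev/null 2>&1 || { echo "ocamlc not found; scan only" >&2; return 0; }
  ( cd "$dir" &&
    ocamlc -c "$trusted" &&
    ocamlc -c -nopervasives -nostdlib "$untrusted" &&
    ocamlc "${trusted%.ml}.cmo" "${untrusted%.ml}.cmo" -o sandboxed )
}

# Constructed samples: the thread's fileworld.ml, one module that stays inside
# Fileworld, and one that tries to bind a primitive itself. Prints the dir.
make_samples() {
  local dir; dir=$(mktemp -d)
  printf 'let (+) = (+)\nlet print_int = print_int\n' > "$dir/fileworld.ml"
  printf 'open Fileworld\nlet _ = print_int (2+2)\n' > "$dir/foo_ok.ml"
  cat > "$dir/foo_bad.ml" <<'EOF'
open Fileworld
(* "some_c_primitive" is a placeholder, not a real runtime primitive name *)
external raw : int -> int = "some_c_primitive"
let _ = print_int (raw 2)
EOF
  printf '%s\n' "$dir"
}

demo() {
  local d; d=$(make_samples)
  build_sandboxed "$d" fileworld.ml foo_ok.ml  && echo "foo_ok.ml: accepted"
  build_sandboxed "$d" fileworld.ml foo_bad.ml || echo "foo_bad.ml: rejected"
  rm -rf "$d"
}
demo
```

The scan is the only check that runs without ocamlc; with it installed, the accepted module is built exactly as makescript.sh does.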



* Re: [Caml-list] language-based permissions?
  2003-12-08  5:12 [Caml-list] language-based permissions? Josh Burdick
@ 2003-12-08  5:39 ` Nicolas Cannasse
  0 siblings, 0 replies; 2+ messages in thread
From: Nicolas Cannasse @ 2003-12-08  5:39 UTC (permalink / raw)
  To: Josh Burdick, caml-list

>     I noticed that as of OCaml 3.05, there was a new option,
> "-nostdlib".  It seems superficially like with this, and the
> "-nopervasives" option, you could do language-based security (as in the
> MMM web browser of yore, Java, and Perl's Safe module, among many others.)
>     In the attached three files, it seems like "foo.ml" should only be
> allowed to see, and use, the primitives in "fileworld.ml" (which aren't
> much; this is a toy example.)  If "foo.ml" tries to use anything else
> (as in the commented-out "print_string" line), it gets "Unbound value"
> errors in compiling, and can't.
>     My question: could "foo.ml" call other primitives somehow, even
> though they're not linked in?  Using the preprocessor, or "external"
> functions, maybe?  (Assuming that you don't use the "-unsafe" option,
> of course...)

About security:
Primitive calling is not the only way to compromise security in a virtual
machine; there are also buffer overflows, among others. Currently the OCaml
bytecode VM is not performing any check, and is relying on
well-formed bytecode (meaning: correct structure, and passed through the
type-checker). Even if you forbid the use of all "dangerous" primitives, there
might still be a lot of security holes involving maliciously formed bytecode.
One hope: since the OCaml GC-allocated memory is not on the C heap, it's
a lot more difficult to exploit.

The bad news is that if you want a perfectly secure VM, you should check most
of the primitives' argument types at runtime, thus giving back the speedup
you got from type checking at compile time.

Nicolas Cannasse


