From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id GAA22675; Mon, 8 Dec 2003 06:39:10 +0100 (MET) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id GAA23033 for ; Mon, 8 Dec 2003 06:39:09 +0100 (MET) Received: from smtp.siren.ocn.ne.jp (siren.ocn.ne.jp [211.129.13.170]) by nez-perce.inria.fr (8.11.1/8.11.1) with ESMTP id hB85d8101814 for ; Mon, 8 Dec 2003 06:39:08 +0100 (MET) Received: from PWARP (p5037-ipad03kyoto.kyoto.ocn.ne.jp [61.214.55.37]) by smtp.siren.ocn.ne.jp (Postfix) with SMTP id CE892181E; Mon, 8 Dec 2003 14:39:05 +0900 (JST) Message-ID: <005d01c3bd4d$95f811e0$0274a8c0@PWARP> From: "Nicolas Cannasse" To: "Josh Burdick" , References: <3FD40837.20203@gradient.cis.upenn.edu> Subject: Re: [Caml-list] language-based permissions? Date: Mon, 8 Dec 2003 14:39:01 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Loop: caml-list@inria.fr X-Spam: no; 0.00; cannasse:01 warplayer:01 caml-list:01 permissions:01 3.05,:01 -nostdlib:01 perl's:01 foo:01 foo:01 -unsafe:01 buffer:01 overflows:01 runtime:01 speedup:01 cannasse:01 Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk > I noticed that as of OCaml 3.05, there was a new option, > "-nostdlib". It seems superficially like with this, and the > "-nopervasives" option, you could do language-based security (as in the > MMM web browser of yore, Java, and Perl's Safe module, among many others.) > In the attached three files, it seems like "foo.ml" should only be > allowed to see, and use, the primitives in "fileworld.ml" (which aren't > much; this is a toy example.) If "foo.ml" tries to use anything else > (as in the commented-out "print_string" line), it gets "Unbound value" > errors in compiling, and can't. > My question: could "foo.ml" call other primitives somehow, even > though they're not linked in? Using the preprocessor, or "external" > functions", maybe? (Assuming that you don't use the "-unsafe" option, > of course...) About security : Primitive calling is not the only way to compromise security in a virtual machine, there is also buffer overflows, among others. Currently the Ocaml bytecode VM is not performing any check, and then is relying on a well-formed bytecode (means : correct structure, and passed through the type-checker). Even if you forbid the use of all "dangerous" primitives they might still be a lot of security holes involving malicious-formed bytecode. One hope : since the ocaml GC-allocated memory is not on the C heap, it's then a lot more difficult to exploit. The bad news is that if you want a perfect secure VM, you should check most of the primitives arguments types at runtime, thus giving back the speedup you got from type checking at compile time. Nicolas Cannasse ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners