caml-list - the Caml user's mailing list
* [Caml-list] Safe Caml for online teaching
@ 2002-02-20 15:15 Martin Jambon
  2002-02-20 15:53 ` Alain Frisch
  2002-02-21 10:59 ` Xavier Leroy
  0 siblings, 2 replies; 8+ messages in thread
From: Martin Jambon @ 2002-02-20 15:15 UTC (permalink / raw)
  To: caml-list

Is the following proposal completely crazy or could it be done (or both?):

The insertion of Caml-toplevel forms in Caml online HTML manuals could be
attractive for beginners since it doesn't require the installation of Caml
on the local machine.

This would require a strict control over the code that the user will want
to be compiled and executed on the server.
(we already discussed such things last week on the beginners' list
http://groups.yahoo.com/group/ocaml_beginners/messagesearch?query=interactive%20learning)

Now I think the following extensions to Caml could provide a way to
achieve a sufficient level of safety:

- every value is either "safe" or "unsafe" (independently from its type)
- 2 compilation modes would be available:
   + unsafe mode: allows making safe values out of unsafe ones
   + safe mode: prohibits the use of unsafe values (in the current module)
   + safe-compiled and unsafe-compiled modules may be linked freely
- inheritance:
   + imported values (using keyword "external") are unsafe
   + every piece of code that uses unsafe data is unsafe, otherwise it is
     safe.
- compatibility: default mode = unsafe mode
- syntax examples (for unsafe-mode-designed modules):
   .mli and .ml:
     safe external <ident> : <type> = ...
   .mli:
     safe val <ident> : <type>
   .ml:
     let safe <ident> = ...

- requirements:
   + additions to the compiler...
   + addition of safety annotations at least in the standard library


Well, this would require a non-negligible amount of coordination,
expertise and coding. It seems to me much cleaner than deleting parts of
the standard library (and others) and suppressing the "external" construct
by some syntactic preprocessing.

An interactive Caml book would also require a strong and brave HTTP
server :-)


Martin


-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners



* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 15:15 [Caml-list] Safe Caml for online teaching Martin Jambon
@ 2002-02-20 15:53 ` Alain Frisch
  2002-02-20 16:22   ` james woodyatt
  2002-02-20 16:38   ` Martin Jambon
  2002-02-21 10:59 ` Xavier Leroy
  1 sibling, 2 replies; 8+ messages in thread
From: Alain Frisch @ 2002-02-20 15:53 UTC (permalink / raw)
  To: Martin Jambon; +Cc: Caml list

On Wed, 20 Feb 2002, Martin Jambon wrote:

> Is the following proposal completely crazy or could it be done (or both?):
>
> The insertion of Caml-toplevel forms in Caml online HTML manuals could be
> attractive for beginners since it doesn't require the installation of Caml
> on the local machine.
>
> This would require a strict control over the code that the user will want
> to be compiled and executed on the server.
> (we already discussed such things last week on the beginners' list
> http://groups.yahoo.com/group/ocaml_beginners/messagesearch?query=interactive%20learning)

What you describe seems to be overkill for the purpose. You could simply
build a toplevel with a restricted standard library (without interaction
with the OS and without unsafe operations like Obj), disabled directives,
and use a wrapper to kill the toplevel when some timeout expires.

What's wrong with this ?


-- Alain



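The "wrapper to kill the toplevel when some timeout expires" that Alain proposes, combined with the chroot'ed, unprivileged execution Xavier Leroy brings up later in the thread, as an added example in OCaml; this is not code from any message in the thread. It assumes the supervisor is started as root by the web front end, that `/srv/caml-jail` is a minimal, read-only tree holding a thinned toplevel at `/bin/safe-ocaml` (both paths hypothetical), that uid/gid 65534 is an unprivileged account, and OCaml >= 4.03 with the unix library linked in:

```ocaml
(* supervisor.ml: run a thinned toplevel under an OS-level sandbox with a
   wall-clock limit.  Added example, not from the thread.
   Build: ocamlfind ocamlopt -package unix -linkpkg supervisor.ml *)

(* Fork the toplevel, confine it, and wait at most [timeout] seconds.
   Returns [None] when the child had to be killed, [Some status] otherwise. *)
let run_sandboxed ~jail ~uid ~gid ~timeout (argv : string array)
    : Unix.process_status option =
  match Unix.fork () with
  | 0 ->
      (* Child.  Order matters: chroot needs root, and after setuid nothing
         here can be undone, so privileges are dropped last, just before exec. *)
      (try
         Unix.chroot jail;
         Unix.chdir "/";           (* never stay in a directory outside the jail *)
         Unix.setgid gid;
         Unix.setuid uid;
         Unix.execv argv.(0) argv  (* path is resolved inside the jail *)
       with Unix.Unix_error (err, fn, arg) ->
         Printf.eprintf "sandbox: %s(%s): %s\n%!" fn arg (Unix.error_message err);
         exit 127)
  | pid ->
      (* Parent: poll instead of blocking so the deadline can be enforced. *)
      let deadline = Unix.gettimeofday () +. timeout in
      let rec wait () =
        match Unix.waitpid [ Unix.WNOHANG ] pid with
        | 0, _ when Unix.gettimeofday () < deadline ->
            Unix.sleepf 0.05;
            wait ()
        | 0, _ ->
            (* Time limit hit: SIGKILL, not SIGTERM, since the learner's code
               could install a handler for anything catchable. *)
            Unix.kill pid Sys.sigkill;
            ignore (Unix.waitpid [] pid);
            None
        | _, status -> Some status
      in
      wait ()

let () =
  (* Assumed layout (hypothetical paths): the learner's submission arrives on
     stdin, which the child inherits; -noprompt keeps the transcript clean. *)
  match
    run_sandboxed ~jail:"/srv/caml-jail" ~uid:65534 ~gid:65534 ~timeout:5.0
      [| "/bin/safe-ocaml"; "-noprompt" |]
  with
  | None -> print_endline "killed: time limit exceeded"
  | Some (Unix.WEXITED n) -> Printf.printf "exited with %d\n" n
  | Some (Unix.WSIGNALED s) -> Printf.printf "killed by signal %d\n" s
  | Some (Unix.WSTOPPED s) -> Printf.printf "stopped by signal %d\n" s
```

Two things this wrapper does not do, and that the host has to: OCaml's Unix module has no setrlimit, so CPU time and memory caps must come from the launching shell (ulimit) or from the kernel's resource controller; and the child inherits every open descriptor, so the front end's listening socket must be closed before the fork or marked close-on-exec, otherwise the jailed process can still talk to the network through it. The chroot is only meaningful because the process is no longer root when it starts executing user code.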

* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 15:53 ` Alain Frisch
@ 2002-02-20 16:22   ` james woodyatt
  2002-02-20 17:13     ` Martin Jambon
  2002-02-20 16:38   ` Martin Jambon
  1 sibling, 1 reply; 8+ messages in thread
From: james woodyatt @ 2002-02-20 16:22 UTC (permalink / raw)
  To: Alain Frisch; +Cc: Martin Jambon, Caml list

On Wednesday, February 20, 2002, at 07:53 , Alain Frisch wrote:
> On Wed, 20 Feb 2002, Martin Jambon wrote:
>>
>> The insertion of Caml-toplevel forms in Caml online HTML manuals could 
>> be
>> attractive for beginners since it doesn't require the installation of 
>> Caml
>> on the local machine.
>
> What you describe seems to be overkill for the purpose. You could simply
> build a toplevel with a restricted standard library (without interaction
> with the OS and without unsafe operations like Obj), disabled 
> directives,
> and use a wrapper to kill the toplevel when some timeout expires.

Another option is to give up on trying to make the interactive Caml book 
into a web service.  If, instead, it were a standalone web application, 
then I could download it and install it on my own local web server.  No 
changes to Caml necessary.


--
j h woodyatt <jhw@wetware.com>
"...the antidote to misinformation is more information, not less."
                                                      --vinton cerf




* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 15:53 ` Alain Frisch
  2002-02-20 16:22   ` james woodyatt
@ 2002-02-20 16:38   ` Martin Jambon
  2002-02-20 17:35     ` Remi VANICAT
  1 sibling, 1 reply; 8+ messages in thread
From: Martin Jambon @ 2002-02-20 16:38 UTC (permalink / raw)
  To: Caml list

On Wed, 20 Feb 2002, Alain Frisch wrote:

> What you describe seems to be overkill for the purpose. You could simply
> build a toplevel with a restricted standard library (without interaction
> with the OS and without unsafe operations like Obj), disabled directives,
> and use a wrapper to kill the toplevel when some timeout expires.
>
> What's wrong with this ?

Nothing's wrong with this in fact.
The only difference is that the user wouldn't know which values are really
unbound and which are simply discarded for security purposes.


Martin




* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 16:22   ` james woodyatt
@ 2002-02-20 17:13     ` Martin Jambon
  2002-02-20 19:16       ` Christophe Raffalli
  0 siblings, 1 reply; 8+ messages in thread
From: Martin Jambon @ 2002-02-20 17:13 UTC (permalink / raw)
  To: Caml list

On Wed, 20 Feb 2002, james woodyatt wrote:

> Another option is to give up on trying to make the interactive Caml book
> into a web service.  If, instead, it were a standalone web application,
> then I could download it and install it on my own local web server.  No
> changes to Caml necessary.

Sure, but I think that the installation of any software on a local machine
requires a certain amount of trust: even if the application is easy
to install and uninstall (which is the case for precompiled Caml
distributions), the user cannot be sure of this in advance - and won't be
unless everybody already uses it.

The other advantage (and danger) of a public interactive book is that it
would be really provocative. That could be a good way to promote Caml.


Martin




* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 16:38   ` Martin Jambon
@ 2002-02-20 17:35     ` Remi VANICAT
  0 siblings, 0 replies; 8+ messages in thread
From: Remi VANICAT @ 2002-02-20 17:35 UTC (permalink / raw)
  To: caml-list

Martin Jambon <m.jambon@ibcp.fr> writes:

> On Wed, 20 Feb 2002, Alain Frisch wrote:
> 
> > What you describe seems to be overkill for the purpose. You could simply
> > build a toplevel with a restricted standard library (without interaction
> > with the OS and without unsafe operations like Obj), disabled directives,
> > and use a wrapper to kill the toplevel when some timeout expires.
> >
> > What's wrong with this ?
> 
> Nothing's wrong with this in fact.
> The only difference is that the user wouldn't know which values are really
> unbound and which are simply discarded for security purposes.

you could replace all discarded function by a

failwith "unsafe";;


-- 
Rémi Vanicat
vanicat@labri.u-bordeaux.fr
http://dept-info.labri.u-bordeaux.fr/~vanicat


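Alain's restricted standard library and Rémi's `failwith "unsafe"` stubs, written out as an OCaml prelude; this is an added example, not code from the thread. It assumes the prelude is compiled into a toplevel with ocamlmktop and that the toplevel is started with `-open Sandbox_prelude` (assumed wiring, not shown), and it needs OCaml >= 4.08, where items coming from an `include` may be shadowed:

```ocaml
(* sandbox_prelude.ml: a thinned view of the standard library for a teaching
   toplevel.  Added example, not from the thread. *)

(* A removed function keeps its type but fails with a clear message, so the
   learner sees "disabled", not "Unbound value". *)
let unsafe name = failwith ("unsafe: " ^ name ^ " is disabled in this toplevel")

(* Module thinning: the signature constraint decides what survives; the
   structure re-exports harmless values and stubs the dangerous ones. *)
module Thin_sys : sig
  val time : unit -> float
  val word_size : int
  val max_string_length : int
  val command : string -> int      (* stub *)
  val getenv : string -> string    (* stub *)
  val remove : string -> unit      (* stub *)
end = struct
  let time = Stdlib.Sys.time
  let word_size = Stdlib.Sys.word_size
  let max_string_length = Stdlib.Sys.max_string_length
  let command (_ : string) : int = unsafe "Sys.command"
  let getenv (_ : string) : string = unsafe "Sys.getenv"
  let remove (_ : string) : unit = unsafe "Sys.remove"
end

(* Obj and Callback disappear entirely: an empty signature exports nothing. *)
module Thin_obj : sig end = struct end
module Thin_callback : sig end = struct end

(* Marshal: keep serialisation, drop deserialisation, which can forge a value
   of any type and is as unsafe as Obj.magic. *)
module Thin_marshal : sig
  val to_string : 'a -> Stdlib.Marshal.extern_flags list -> string
end = struct
  let to_string = Stdlib.Marshal.to_string
end

(* Filename: keep the pure string functions, drop everything touching disk. *)
module Thin_filename : sig
  val concat : string -> string -> string
  val basename : string -> string
  val extension : string -> string
end = struct
  include Stdlib.Filename
end

module Sys = Thin_sys
module Obj = Thin_obj
module Callback = Thin_callback
module Marshal = Thin_marshal
module Filename = Thin_filename

(* Shadow Stdlib itself as well, so that the qualified path Stdlib.Sys.command
   reaches the same stubs as the short name. *)
module Stdlib = struct
  include Stdlib
  module Sys = Thin_sys
  module Obj = Thin_obj
  module Callback = Thin_callback
  module Marshal = Thin_marshal
  module Filename = Thin_filename
end

(* Self-check callable from the finished toplevel: returns the message a
   learner would see when calling a stubbed function. *)
let self_test () : string =
  match Sys.command "id" with
  | _ -> "BUG: stub did not fire"
  | exception Failure msg -> msg
```

In the resulting toplevel, `Sys.command "id"` raises `Failure "unsafe: Sys.command is disabled in this toplevel"` and `Obj.magic` is reported as unbound. The prelude is the ergonomic layer, not the boundary: with the real standard library still linked into the toplevel, the mangled unit names behind `Stdlib` (the `Stdlib__...` modules) remain reachable by their full path, and an `external` declaration bypasses the library altogether. The boundary has to be the thinned library actually linked by ocamlmktop, the refusal of `external` and directives, and the OS-level sandbox around the process.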

* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 17:13     ` Martin Jambon
@ 2002-02-20 19:16       ` Christophe Raffalli
  0 siblings, 0 replies; 8+ messages in thread
From: Christophe Raffalli @ 2002-02-20 19:16 UTC (permalink / raw)
  To: Martin Jambon; +Cc: Caml list


You could also run full Caml in a virtual linux machine provided by VMWare (or
similar product) with a non persistent disk
(disk operations are made only in a cache and are discarded when you power off
the virtual machine). It is quite safe (you can tell VMware
that it is not allowed to write on any physical partition) and the user can
play with full Caml.

-- 
Christophe Raffalli
Université de Savoie
Batiment Le Chablais, bureau 21
73376 Le Bourget-du-Lac Cedex

tél: (33) 4 79 75 81 03
fax: (33) 4 79 75 87 42
mail: Christophe.Raffalli@univ-savoie.fr
www: http://www.lama.univ-savoie.fr/~RAFFALLI



* Re: [Caml-list] Safe Caml for online teaching
  2002-02-20 15:15 [Caml-list] Safe Caml for online teaching Martin Jambon
  2002-02-20 15:53 ` Alain Frisch
@ 2002-02-21 10:59 ` Xavier Leroy
  1 sibling, 0 replies; 8+ messages in thread
From: Xavier Leroy @ 2002-02-21 10:59 UTC (permalink / raw)
  To: Martin Jambon; +Cc: caml-list

> The insertion of Caml-toplevel forms in Caml online HTML manuals could be
> attractive for beginners since it doesn't require the installation of Caml
> on the local machine.
> 
> This would require a strict control over the code that the user will want
> to be compiled and executed on the server.

François Rouaix did something along these lines to allow safe
execution of Caml applets in the MMM Web browser.  See
   http://pauillac.inria.fr/~xleroy/publi/sip-typed-applets.ps.gz
and skip the first 20 pages of maths :-)

Module thinning (removing "dangerous" functions and making "dangerous"
types abstract via signature constraints) goes a long way towards
securing the execution environment, but you are correct that some
language features, most notably "external" declarations, must be
turned off.  (In MMM, we did that via special options on the dynamic
linker Dynlink.)  

Generally speaking, language-based security is truly hard.  Even Java,
which was designed from the ground up with security in mind, didn't
get it 100% right, as shown by the various exploits published (or
unpublished :-) in the last 5 years.

An alternate or complementary approach is systems-based security: run
the toplevel in a chroot()-ed environment, on a read-only file system,
after disabling most kernel capabilities (recent versions of Linux
let you do this), etc.  No small work either.

- Xavier Leroy


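Xavier's point that `external` declarations, and the toplevel directives Alain mentions, must be turned off, as an added example that vets each phrase with the compiler's own parser before it reaches the toplevel. This is not the MMM mechanism (which used Dynlink options) and not code from the thread; it assumes compiler-libs from OCaml >= 4.08 and that a host program feeds the accepted phrases to Toploop (assumed wiring, not shown):

```ocaml
(* vet.ml: refuse toplevel phrases that could escape a thinned toplevel.
   Added example, not from the thread.
   Build: ocamlfind ocamlopt -package compiler-libs.common -linkpkg vet.ml *)

open Parsetree

exception Rejected of string

let reject fmt = Printf.ksprintf (fun msg -> raise (Rejected msg)) fmt

(* Walk every structure and signature item at any depth (nested modules,
   [let module ... in], functor bodies) and refuse [external]: it binds user
   code directly to a C primitive and bypasses every library restriction. *)
let vetter : Ast_iterator.iterator =
  let open Ast_iterator in
  { default_iterator with
    structure_item =
      (fun it item ->
        (match item.pstr_desc with
         | Pstr_primitive vd ->
             reject "line %d: external %s is not allowed"
               item.pstr_loc.Location.loc_start.Lexing.pos_lnum
               vd.pval_name.Location.txt
         | _ -> ());
        default_iterator.structure_item it item);
    signature_item =
      (fun it item ->
        (match item.psig_desc with
         | Psig_value { pval_prim = _ :: _; pval_name; _ } ->
             reject "external %s in a signature is not allowed"
               pval_name.Location.txt
         | _ -> ());
        default_iterator.signature_item it item);
  }

let vet_phrase (ph : toplevel_phrase) : unit =
  match ph with
  | Ptop_dir _ ->
      reject "toplevel directives (#use, #load, #directory, ...) are disabled"
  | Ptop_def str -> vetter.Ast_iterator.structure vetter str

(* Parse a whole submission with the compiler's parser and vet each phrase;
   only a fully accepted submission is handed on to the toplevel. *)
let vet_source (src : string) : (toplevel_phrase list, string) result =
  match
    let phrases = Parse.use_file (Lexing.from_string src) in
    List.iter vet_phrase phrases;
    phrases
  with
  | phrases -> Ok phrases
  | exception Rejected msg -> Error msg
  | exception Syntaxerr.Error _ -> Error "syntax error"
  | exception Lexer.Error _ -> Error "lexical error"

let () =
  let show label src =
    match vet_source src with
    | Ok ps -> Printf.printf "%-10s accepted (%d phrases)\n" label (List.length ps)
    | Error m -> Printf.printf "%-10s rejected: %s\n" label m
  in
  (* Constructed submissions: one honest program and three escape attempts. *)
  show "fact" "let rec fact n = if n = 0 then 1 else n * fact (n - 1);;\nfact 10;;";
  show "external" "external sys_exit : int -> 'a = \"caml_sys_exit\";;";
  show "nested"
    "module M = struct external cmd : string -> int = \"caml_sys_system_command\" end;;";
  show "directive" "#use \"/etc/passwd\";;"
```

Only the first submission is accepted; the second and third are refused because the iterator finds `Pstr_primitive` at any nesting depth, and the fourth because the phrase is a `Ptop_dir`. Parsing with the same parser the toplevel will use matters: a filter built from regular expressions or a separate grammar can be fed input that the two parsers read differently, which is exactly the disagreement an attacker looks for.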
