From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA29222; Thu, 21 Feb 2002 11:59:57 +0100 (MET)
X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f
Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id LAA29031 for <caml-list@pauillac.inria.fr>; Thu, 21 Feb 2002 11:59:56 +0100 (MET)
Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35])
	by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id g1LAxtj16976;
	Thu, 21 Feb 2002 11:59:55 +0100 (MET)
Received: (from xleroy@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA28034; Thu, 21 Feb 2002 11:59:55 +0100 (MET)
Date: Thu, 21 Feb 2002 11:59:55 +0100
From: Xavier Leroy <xavier.leroy@inria.fr>
To: Martin Jambon <m.jambon@ibcp.fr>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Safe Caml for online teaching
Message-ID: <20020221115955.A28344@pauillac.inria.fr>
References: <Pine.LNX.4.33L2.0202201448590.1320-100000@pc-bioinfo1.ibcp.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 1.0i
In-Reply-To: <Pine.LNX.4.33L2.0202201448590.1320-100000@pc-bioinfo1.ibcp.fr>; from m.jambon@ibcp.fr on Wed, Feb 20, 2002 at 04:15:32PM +0100
Sender: owner-caml-list@pauillac.inria.fr
Precedence: bulk

> The insertion of Caml-toplevel forms in Caml online HTML manuals could be
> attractive for beginners since it doesn't require the installation of Caml
> on the local machine.
> 
> This would require a strict control over the code that the user will want
> to be compiled and executed on the server.

François Rouaix did something along these lines to allow safe
execution of Caml applets in the MMM Web browser.  See
   http://pauillac.inria.fr/~xleroy/publi/sip-typed-applets.ps.gz
and skip the first 20 pages of maths :-)

Module thinning (removing "dangerous" functions and making "dangerous"
types abstract via signature constraints) goes a long way towards
securing the execution environment, but you are correct that some
language features, most notably "external" declarations, must be
turned off.  (In MMM, we did that via special options on the dynamic
linker Dynlink.)  

Generally speaking, language-based security is truly hard.  Even Java,
which was designed from the grounds up with security in mind, didn't
get it 100% right, as shown by the various exploits published (or
unpublished :-) in the last 5 years.

An alternate or complementary approach is systems-based security: run
the toplevel in a chroot()-ed environment, on a read-only file system,
after disabling most kernel capabilities (recent versions of Linux
lets you do this), etc.  No small work either.

- Xavier Leroy
-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners