Date: Tue, 5 Apr 2005 13:14:59 +0100
To: caml-list@inria.fr
Subject: Securely loading and running untrusted modules
Message-ID: <20050405121459.GA29378@furbychan.cocan.org>
From: Richard Jones

Suppose I wanted to set up a website where people could upload untrusted .ml files and have them be compiled and run on my server.
(This would be used as an OCaml teaching tool).

The uploaded "untrusted.ml" source files would be compiled on the server by "ocamlc", then loaded using:

  Dynlink.init ();
  Dynlink.allow_only ["SafeAPI"];
  Dynlink.loadfile_private "untrusted.cmo"

where SafeAPI is a module which defines a safe, trusted subset of the API where only Good Things are allowed.

I don't want the modules to be able to do Bad Things, where Bad Things is stuff like:

* Reading and writing local files.
* Corrupting memory.
* Inserting executable code into memory.
* Executing arbitrary functions from the server.
* Denial of service (infinite loops, unlimited resource allocation).
* Making arbitrary network connections.
* (and so on ...)

To prevent unlimited resource allocation, I'm thinking of using setrlimit(2) to limit the size of the server process (it would be a pre-forked Apache server, so causing one process to hit its memory limit does not constitute a denial of service attack).

To prevent infinite loops, starting an alarm(2) before loading the module should kill the Apache process if it uses too much CPU time.

I'm fairly sure that the method above should cope with everything barring bugs in the compiler and bugs in SafeAPI. Am I thinking right?

Rich.

--
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
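
The resource confinement described in the message (setrlimit(2) for size, alarm(2) as a watchdog), as an added C example that is not part of the original post. It also sets RLIMIT_CPU, because alarm(2) counts wall-clock seconds rather than CPU seconds. Assumptions: Linux signal behaviour; run_confined and the three workload functions are hypothetical names, constructed as stand-ins for an uploaded module.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for a hostile uploaded module (assumptions). */
static void *volatile sink;             /* keeps malloc from being optimized out */
static void spin_forever(void)  { for (volatile unsigned long i = 0;; i++) { } }
static void sleep_forever(void) { for (;;) pause(); }
static void eat_memory(void) {
    for (;;) {
        void *p = malloc(1 << 20);
        if (!p) _exit(42);              /* RLIMIT_AS made the allocation fail */
        sink = p;
    }
}

/* Run job() in a child under CPU, address-space and wall-clock limits.
 * Returns the terminating signal, 1000 + exit status, or -1 on error. */
int run_confined(void (*job)(void), rlim_t cpu_secs, rlim_t mem_bytes,
                 unsigned wall_secs)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Soft < hard: SIGXCPU at the soft limit, SIGKILL if it is ignored. */
        struct rlimit cpu = { .rlim_cur = cpu_secs, .rlim_max = cpu_secs + 1 };
        struct rlimit mem = { .rlim_cur = mem_bytes, .rlim_max = mem_bytes };
        if (setrlimit(RLIMIT_CPU, &cpu) || setrlimit(RLIMIT_AS, &mem)) _exit(99);
        signal(SIGALRM, SIG_DFL);       /* default action: terminate */
        alarm(wall_secs);               /* counts wall-clock time, not CPU time */
        job();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 1000 + WEXITSTATUS(status);
}

int main(void)
{
    printf("busy loop:  %d (SIGXCPU=%d)\n", run_confined(spin_forever, 1, 64u << 20, 5), SIGXCPU);
    printf("idle block: %d (SIGALRM=%d)\n", run_confined(sleep_forever, 1, 64u << 20, 1), SIGALRM);
    printf("allocation: %d (1042 = refused)\n", run_confined(eat_memory, 1, 64u << 20, 5));
    return 0;
}
```

A module that blocks without burning CPU is caught only by the alarm, and a busy loop is caught first by RLIMIT_CPU, which is why the example applies both limits.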