From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <Alain.Frisch@inria.fr>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on yquem.inria.fr
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled 
	version=3.1.3
X-Original-To: caml-list@yquem.inria.fr
Delivered-To: caml-list@yquem.inria.fr
Received: from discorde.inria.fr (discorde.inria.fr [192.93.2.38])
	by yquem.inria.fr (Postfix) with ESMTP id 1BFFABC69
	for <caml-list@yquem.inria.fr>; Tue, 29 May 2007 07:12:17 +0200 (CEST)
Received: from smtp3-g19.free.fr (smtp3-g19.free.fr [212.27.42.29])
	by discorde.inria.fr (8.13.6/8.13.6) with ESMTP id l4T5CG28025009
	for <caml-list@inria.fr>; Tue, 29 May 2007 07:12:16 +0200
Received: from [192.168.0.1] (rke75-3-82-229-183-156.fbx.proxad.net [82.229.183.156])
	by smtp3-g19.free.fr (Postfix) with ESMTP id A83575A263;
	Tue, 29 May 2007 07:12:15 +0200 (CEST)
Message-ID: <465BB62F.1060900@inria.fr>
Date: Tue, 29 May 2007 07:12:15 +0200
From: Alain Frisch <Alain.Frisch@inria.fr>
User-Agent: Thunderbird 2.0.0.0 (X11/20070326)
MIME-Version: 1.0
To: pierre chambart <pierre.chambart@laposte.net>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Sand-boxing
References: <200705290301.42600.jon@ffconsultancy.com> <465B93D5.2060207@laposte.net>
In-Reply-To: <465B93D5.2060207@laposte.net>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Miltered: at discorde with ID 465BB630.003 by Joe's j-chkmail (http://j-chkmail . ensmp . fr)!
X-Spam: no; 0.00; frisch:01 frisch:01 dynlink:01 model:01 ocamlc:01 well-typed:01 bytecode:01 wrote:01 caml-list:01 unsafe:01 alain:01 alain:01 modules:02 modules:02 pierre:02 

pierre chambart wrote:
> You can use the dynlink library.
> When you load module with that, you can specify the modules that can't
> be accessed from the loaded code.

This can catch some errors, but it is not a real security
mechanism! The "security model" relies on the assumption that the loaded
modules have been produced by ocamlc from well-typed programs that don't
use unsafe features. The bytecode interpreter does not try to protect
itself against ill-behaved code at all.

  Alain