IO security

Simon Marlow simonmar@microsoft.com
Mon, 14 Oct 2002 13:38:46 +0100


> I'm looking for secure compile and run-time methods to ensure
> automatically that Haskell modules cannot perform particular
> IO operations. Therefore, I've got some questions that might
> be interesting for other people using GHC as well.
>
>    o There are functions like "unsafePerformIO". How many of these
>      unsafe functions exist and what are their names? Is there
>      a possibility to tell GHC to reject programs in which
>      such functions occur? Concerning, e.g., the rewrite-rule system,
>      how can we prevent these functions from being applied by
>      some trick, invisible to an automatic inspection of the
>      source code?
>
>    o Is the function "print" secure in the sense that all stuff
>      it produces is restricted to go to stdout, even if strange
>      sequences of control characters appear?
>
>    o Is there a way to tell the GHC run-time system to block
>      file operations or system calls coming from the
>      application program, while permitting input/output
>      via stdin/stdout?

Security of a Haskell program is an interesting research area in itself.
I suspect the folks at Galois Connections have something to say on the
topic.

My opinion would be that trying to approach the problem as you have,
namely identifying the "unsafe" features and removing them, is likely to
be difficult or impossible to verify.  A better approach might be to
start from a clean slate (i.e. remove the IO monad altogether) and
incrementally add in safe features separately.

Cheers,
	Simon
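
A minimal sketch of the clean-slate approach suggested above, written as an added example (it is not code from this thread): a restricted monad that exposes only stdin/stdout operations, so untrusted modules typed against it cannot reach files or system calls. The module names SafeIO, Untrusted and Main and the functions in them are my own, and the three files are shown in one listing.

```haskell
-- File SafeIO.hs: a restricted IO monad.  Only the names in the export
-- list are visible to importers; the SafeIO constructor is deliberately
-- not exported, so an importer cannot wrap an arbitrary IO action.
module SafeIO (SafeIO, safePutStrLn, safeGetLine, runSafeIO) where

import Data.Char (isPrint)

newtype SafeIO a = SafeIO (IO a)

instance Functor SafeIO where
  fmap f (SafeIO m) = SafeIO (fmap f m)

instance Applicative SafeIO where
  pure x = SafeIO (pure x)
  SafeIO f <*> SafeIO x = SafeIO (f <*> x)

instance Monad SafeIO where
  SafeIO m >>= k = SafeIO (m >>= runSafeIO . k)

-- Write one line to stdout, dropping non-printable characters so the
-- untrusted code cannot emit terminal control sequences.
safePutStrLn :: String -> SafeIO ()
safePutStrLn s = SafeIO (putStrLn (filter isPrint s))

-- Read one line from stdin: the only input operation on offer.
safeGetLine :: SafeIO String
safeGetLine = SafeIO getLine

-- Unwrap back to IO.  Exporting this is harmless: it lets the trusted
-- main module run a SafeIO action but gives no way to construct one.
runSafeIO :: SafeIO a -> IO a
runSafeIO (SafeIO m) = m

-- File Untrusted.hs: untrusted code, compiled against SafeIO only.
-- The Safe pragma (Safe Haskell, added to GHC after this thread) makes
-- the compiler reject imports of unsafe modules such as System.IO.Unsafe
-- and disables foreign imports, closing the "unsafePerformIO" route.
{-# LANGUAGE Safe #-}
module Untrusted (echo) where
import SafeIO

echo :: SafeIO ()
echo = safeGetLine >>= \line -> safePutStrLn ("you said: " ++ line)

-- File Main.hs: the trusted entry point and the only place plain IO appears.
module Main (main) where
import SafeIO (runSafeIO)
import Untrusted (echo)

main :: IO ()
main = runSafeIO echo
```

Because `echo` has type `SafeIO ()`, anything Untrusted can do at run time is bounded by the operations SafeIO chooses to export; adding a new capability means adding one more exported function, which is the incremental step Simon describes.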