[Haskell-cafe] More on the random idea

Isaac Dupree isaacdupree at charter.net
Sat May 26 12:27:36 EDT 2007



Donald Bruce Stewart wrote:
> isaacdupree:
>> Donald Bruce Stewart wrote:
>>> Lambdabot uses 1) a type guarantee of no IO at the top level, along
>>> with 2) a trusted module base (pure modules only, which are trusted
>>> not to export evil things), as well as 3) restricting to the H98
>>> language only (things like TH can be, and have been, exploited, for
>>> example).
>> And lambdabot's only allowing _expressions_, so GHC's (former?)
>> vulnerability to instances of Ix that return out-of-bounds indexes did
>> not affect it.
> 
> Oh yes, it only allows expressions (how could I forget that?), meaning
> also that, for example, crafty newtype recursion is disallowed. And of
> course, no evil Ix instances.

and no imports, of course... not even renamings like "import Data.Map as
Map" or so.

> Oh, also, there's another exploit using a variety of crafty expressions
> that trigger pathological type inference behaviour, causing the type
> checker to effectively lock up the system. (One is particularly easy to
> come up with...). There's really a lot of things to watch out for,
> actually.
> 
> We should document all the interesting exploits that have been found
> over the years!

Ok, I'm making
http://haskell.org/haskellwiki/Safely_running_untrusted_Haskell_code

>> There are some extensions that are safe... explicit forall, rank-N
>> types, etc... which can be enabled on an "opt-in" basis so that only
>> safe ones are chosen?
> 
> We could do that (explicit forall is probably the most requested).
> Currently we only allow -fextended-defaulting, (giving ghci like
> defaulting).

At least to the extent that separately enabling extensions is presently
supported in GHC.

> The security mechanisms were briefly described in the 2004 hs-plugins
> paper, if I recall, but otherwise, I don't think we've documented the
> techniques.

You could put a reference (link) to that paper if it's worth it.

Isaac
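The sandbox mechanisms discussed in the thread above (expressions only, a
type-level "no IO" guarantee, a whitelist of trusted modules, no language
extensions beyond extended defaulting, and a cut-off for inputs that make
the type checker spin) can be put together in a few dozen lines. The
following is an added example written for this page; it is not
lambdabot's or hs-plugins' code. It assumes the `hint` package
(Language.Haskell.Interpreter) is installed; the module whitelist
`trustedModules`, the input length limit and the timeout values are this
example's own choices.

```haskell
-- Added example (not lambdabot's code): an expression-only Haskell
-- sandbox in the spirit of the mechanisms discussed on the list.
-- Assumption: the `hint` package is installed (cabal install hint).
module Main where

import Control.Exception (SomeException, evaluate, try)
import Language.Haskell.Interpreter
import System.Timeout (timeout)

-- Trusted module base: the only modules an untrusted expression may name.
-- This whitelist is the example's own choice; a real deployment must audit
-- every export of every listed module (no unsafePerformIO, no FFI, ...).
-- Prelude is not implicit once setImports is used, so it is listed.
trustedModules :: [ModuleName]
trustedModules = ["Prelude", "Data.List", "Data.Char", "Data.Maybe"]

-- Crude bound on input size, chosen for this example: it does not stop a
-- pathological type-inference input, but it keeps the search space small.
maxInputLength :: Int
maxInputLength = 1024

data Rejection
  = TooLong
  | WontTypeCheck String  -- includes "no Show instance for IO a"
  | TimedOut              -- type checker or evaluation cut off
  | Crashed String        -- runtime exception while forcing the result
  deriving (Show, Eq)

showErr :: InterpreterError -> String
showErr (WontCompile es) = unlines (map errMsg es)
showErr e                = show e

tryAny :: IO a -> IO (Either SomeException a)
tryAny = try

-- Evaluate one untrusted expression with a per-phase timeout (microseconds).
-- Expressions only: hint's `eval` splices the input into `show (<input>)`
-- and parses it with GHC's expression parser, so imports, instances,
-- newtypes and other declarations are syntax errors. The `show` wrapper is
-- the type-level "no IO" guarantee: `IO a` has no Show instance, so an
-- action can be written down but never run. The timeout around the whole
-- interpreter run is the cut-off for type-checker blow-up.
sandboxEval :: Int -> String -> IO (Either Rejection String)
sandboxEval micros src
  | length src > maxInputLength = return (Left TooLong)
  | otherwise = do
      r <- timeout micros $ runInterpreter $ do
             -- Only extended defaulting, as in the thread: no other
             -- extensions, so no TemplateHaskell and no fancy type hacks.
             set [languageExtensions := [ExtendedDefaultRules]]
             setImports trustedModules
             eval src
      case r of
        Nothing            -> return (Left TimedOut)
        Just (Left err)    -> return (Left (WontTypeCheck (showErr err)))
        Just (Right shown) -> do
          -- `eval` returns the shown String lazily; force it under its own
          -- timeout so a diverging value cannot hang the host either.
          forced <- timeout micros (tryAny (evaluate (length shown)))
          case forced of
            Nothing         -> return (Left TimedOut)
            Just (Left ex)  -> return (Left (Crashed (show ex)))
            Just (Right _)  -> return (Right shown)

-- Constructed sample inputs, one per mechanism being demonstrated.
main :: IO ()
main = mapM_ run
  [ "sum [1..10]"                                   -- plain expression
  , "map toUpper \"ok\""                            -- whitelisted module
  , "putStrLn \"hello\""                            -- IO: no Show instance
  , "System.IO.Unsafe.unsafePerformIO (return 1)"   -- module not in scope
  , "length [1..]"                                  -- diverges: timed out
  ]
  where
    run src = do
      r <- sandboxEval 2000000 src
      putStrLn (src ++ "  ==>  " ++ either show id r)
```

Two caveats a practitioner should keep in mind. A timeout bounds wall-clock
time but not memory, and an asynchronous exception only lands when the
interpreter allocates, so lambdabot-style deployments additionally run the
evaluator in a separate process under resource limits rather than trusting
an in-process timeout alone. And the whitelist is the whole security
argument: one trusted module that re-exports `unsafePerformIO` or an FFI
binding silently defeats the `Show` trick.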