[Haskell-cafe] Compiling arbitrary Haskell code

Johan Tibell johan.tibell
Fri Oct 11 23:19:04 UTC 2013


Whatever guarantees GHC offers (e.g. using Safe Haskell), I would always
run things like these in a sandbox. It's much better for security to
disallow everything and then whitelist some things (e.g. let the sandbox
communicate with the rest of the world in some limited way) than the other
way around.

Same goes for running untrusted code.


On Fri, Oct 11, 2013 at 1:30 PM, Christopher Done <chrisdone at gmail.com> wrote:

> Is there a definitive list of things in GHC that are unsafe to
> _compile_ if I were to take an arbitrary module and compile it?
>
> E.g. off the top of my head, things that might be dangerous:
>
> * TemplateHaskell/QuasiQuotes -- obviously
> * Are rules safe?
> * #includes ? I presume there's some security risk with including any old
> file?
> * FFI -- speaks for itself
>
> I'm interested in the idea of compiling Haskell code on lpaste.org,
> for core, rule firings, maybe even TH expansion, etc. When sandboxing
> code that I'm running, it's really easy if I whitelist what code is
> available (parsing with HSE, whitelisting imports, extensions). The
> problem of infinite loops or too much allocation is fairly
> straight-forwardly solved by similar techniques applied in mueval.
>
> SafeHaskell helps a lot here, but suppose that I want to also allow
> TemplateHaskell, GeneralizedNewtypeDeriving and stuff like that,
> because a lot of real code uses those. They only seem to be restricted
> to prevent cheeky messing with APIs in ways the authors of the APIs
> didn't want -- but that shouldn't necessarily be a security -- in terms
> of my system -- problem, should it? Ideally I'd very strictly whitelist
> which modules are allowed to be used (e.g. a version of TH that
> doesn't have runIO), and extensions, and then compile any code that
> uses them.
>
> I'd rather not have to set up a VM just to compile Haskell code safely.
> I'm willing to put some time in to investigate it, but if there's
> already previous work done for this, I'd appreciate any links.
>
> At the end of the day, there's always just supporting a subset of
> Haskell using SafeHaskell. I'm just curious about the more general
> case, for use-cases similar to my own.
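Added example, not part of the original thread and not code from lpaste or mueval: a deny-by-default pre-compile gate in the spirit of the whitelisting both messages describe. The allowlists and the sample submission are assumptions constructed for illustration, and the gate scans text instead of parsing with HSE, so it misses declarations that do not start a line and is a first filter in front of the sandbox, not a replacement for it.

```haskell
import Data.Char (toUpper)
import Data.List (isPrefixOf)

-- Assumed policy (hypothetical lists): all a submission may name.
allowedExts, allowedMods :: [String]
allowedExts = ["BangPatterns", "LambdaCase", "TupleSections"]
allowedMods = ["Prelude", "Data.Char", "Data.List", "Data.Maybe"]

splitAtMarker :: String -> String -> Maybe (String, String) -- (before, after)
splitAtMarker m = go ""
  where
    go _ [] = Nothing
    go acc r@(c : cs)
      | m `isPrefixOf` r = Just (reverse acc, drop (length m) r)
      | otherwise = go (c : acc) cs

-- Bodies of every {-# ... #-} pragma, including multi-line ones.
pragmas :: String -> [String]
pragmas src = case splitAtMarker "{-#" src of
  Nothing -> []
  Just (_, rest) -> case splitAtMarker "#-}" rest of
    Nothing -> [rest] -- unterminated pragma is still checked
    Just (body, more) -> body : pragmas more

-- Only allowlisted LANGUAGE extensions pass; every other pragma is refused.
checkPragma :: String -> [String]
checkPragma body = case words (map (\c -> if c == ',' then ' ' else c) body) of
  (kw : exts) | map toUpper kw == "LANGUAGE" ->
    ["extension not allowed: " ++ e | e <- exts, e `notElem` allowedExts]
  ws -> ["pragma not allowed: " ++ unwords (take 1 ws)]

-- Imports must name an allowlisted module; FFI and CPP lines are refused.
checkLine :: String -> [String]
checkLine l = case words l of
  ("import" : ws) -> case filter (`notElem` ["safe", "qualified"]) ws of
    (m : _) | takeWhile (/= '(') m `elem` allowedMods -> []
    ws' -> ["import not allowed: " ++ unwords (take 1 ws')]
  ("foreign" : _) -> ["FFI declaration not allowed"]
  (w : _) | "#" `isPrefixOf` w, not ("#-}" `isPrefixOf` w) -> ["CPP line not allowed: " ++ w]
  _ -> []

violations :: String -> [String]
violations src = concatMap checkPragma (pragmas src) ++ concatMap checkLine (lines src)

main :: IO ()
main = mapM_ putStrLn . violations $ unlines -- constructed submission
  [ "{-# LANGUAGE LambdaCase, TemplateHaskell #-}", "{-# OPTIONS_GHC -O2 #-}"
  , "import Data.List (sort)", "import System.IO.Unsafe (unsafePerformIO)"
  , "foreign import ccall \"getpid\" c_getpid :: IO Int" ]
```

A submission is handed to the compiler only when `violations` returns an empty list; false positives (a pragma inside a comment, a binding named `foreign`) fail closed.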