[Haskell-cafe] Safe Haskell?
Joachim Durchholz
jo at durchholz.org
Wed Apr 21 13:52:20 UTC 2021
On 21.04.21 at 15:36, Sven Panne wrote:
> That's not totally correct: You can use anything you like when you have
> a sandbox while executing it. This is even much safer than relying
> on a language (which can have conceptual and/or implementation bugs)
> alone.
Actually, sandboxes have just as complicated an attack surface as languages.
I also believe they are different domains.
Secure languages deal with making guarantees about what a program does
and, more importantly, what it does not do. So you can control things
like IO effects, Capabilities, and the language can even make these
guarantees statically.
A sandbox deals more with API objects. This is a much more complicated
surface because today's APIs tend to be large, complex, and interact in
unexpected fashions; on the other hand, it is much nearer to the actual
objects being protected.
I.e. I believe the two approaches, while they have some overlap, serve
different purposes and need to complement each other.
> The attack surface of any non-trivial language,
> its implementation and its runtime is just too big for anything serious.
> Sandboxes are complex, too, but less so,
I believe the opposite is true.
APIs change over time. Languages do that, too, but to a much lesser
extent, and type system guarantees tend to hold for decades.
Even filesystem APIs are less stable than that (think NFS, or
filesystem-dependent ACLs).
Regards,
Jo
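The static guarantee Jo refers to (controlling which IO effects untrusted code may perform, checked by the compiler rather than by a runtime sandbox) is what Safe Haskell is built for. The following is an added illustration, not code from the thread or from GHC's own documentation: a trusted host module hands untrusted code a restricted monad that exposes only two capabilities, and the untrusted module is compiled with `-XSafe` so GHC refuses any route around that interface. The module names `Caps`, `Plugin` and `Main`, the type `Restricted`, and the functions `logLine`, `readSetting` and `runRestricted` are all hypothetical names chosen for this example, and the configuration data is constructed.

```haskell
-- File: Caps.hs  -- trusted host side (hypothetical module written for this example)
{-# LANGUAGE Trustworthy #-}
module Caps
  ( Restricted        -- exported abstractly: the constructor stays hidden
  , logLine
  , readSetting
  , runRestricted
  ) where

-- An IO action wrapped so that untrusted code can neither unwrap it nor
-- lift arbitrary IO into it; only the capabilities exported below remain.
newtype Restricted a = Restricted (IO a)

unRestricted :: Restricted a -> IO a
unRestricted (Restricted io) = io

instance Functor Restricted where
  fmap f (Restricted io) = Restricted (fmap f io)

instance Applicative Restricted where
  pure = Restricted . pure
  Restricted f <*> Restricted x = Restricted (f <*> x)

instance Monad Restricted where
  Restricted m >>= k = Restricted (m >>= unRestricted . k)

-- Capability 1: write a tagged line to stdout. No file or network access.
logLine :: String -> Restricted ()
logLine s = Restricted (putStrLn ("[plugin] " ++ s))

-- Capability 2: read-only access to a fixed configuration (constructed sample data).
readSetting :: String -> Restricted (Maybe String)
readSetting key = Restricted (pure (lookup key settings))
  where
    settings = [("retries", "3"), ("name", "demo")]

-- Only the host, outside any Safe module, can turn a Restricted back into IO.
runRestricted :: Restricted a -> IO a
runRestricted = unRestricted


-- File: Plugin.hs  -- untrusted code; GHC enforces the Safe guarantees here
{-# LANGUAGE Safe #-}
module Plugin (plugin) where

import Caps
import Data.Maybe (fromMaybe)
import Text.Read (readMaybe)
-- import System.IO.Unsafe (unsafePerformIO)  -- rejected by GHC: that module is Unsafe
-- foreign import ccall "system" ...           -- rejected: the FFI is disabled under -XSafe

-- The plugin can only do what the Restricted interface allows: read a
-- setting and log a line. It has no way to obtain a raw IO action.
plugin :: Restricted Int
plugin = do
  mRetries <- readSetting "retries"
  let n = fromMaybe 1 (mRetries >>= readMaybe)
  logLine ("configured retries: " ++ show n)
  pure (n * 2)


-- File: Main.hs  -- host program, compiled without -XSafe
module Main (main) where

import Caps (runRestricted)
import Plugin (plugin)

main :: IO ()
main = runRestricted plugin >>= print
```

Two caveats a practitioner should keep in mind, and they match the point that the two approaches complement each other. `Trustworthy` is an assertion by the author of `Caps`, not something GHC verifies, so the guarantee is only as good as that module's exported interface (with `-fpackage-trust` GHC additionally requires the package providing a Trustworthy module to be explicitly trusted). And Safe Haskell restricts what effects untrusted code can perform, not how much CPU, memory or time it consumes: a plugin that loops forever, allocates without bound or calls `error` is still type-safe, so resource limits remain a job for the runtime or an OS-level sandbox.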