[Haskell-cafe] Safe Haskell?

Joachim Durchholz jo at durchholz.org
Wed Apr 21 13:52:20 UTC 2021


On 21.04.21 at 15:36, Sven Panne wrote:
> That's not totally correct: You can use anything you like when you have 
> a sandbox while executing it. This is even much more safe than relying 
> on a language (which can have conceptual and/or implementation bugs) 
> alone.

Actually, sandboxes have just as complicated an attack surface as languages.

I also believe they are different domains.
Secure languages deal with making guarantees about what a program does 
and, more importantly, what it does not do. So you can control things 
like IO effects, capabilities, and the language can even make these 
guarantees statically.
A sandbox deals more with API objects. This is a much more complicated 
surface because today's APIs tend to be large, complex, and interact in 
unexpected fashions; on the other hand, it is much nearer to the actual 
objects being protected.
I.e. I believe the two approaches, while they have some overlap, serve 
different purposes and need to complement each other.

> The attack surface of any non-trivial language,
> its implementation and its runtime is just too big for anything serious. 
> Sandboxes are complex, too, but less so,

I believe the opposite is true.
APIs change over time. Languages do that, too, but to a much lesser 
extent, and type system guarantees tend to hold for decades.
Even filesystem APIs are less stable than that (think NFS, or 
filesystem-dependent ACLs).

Regards,
Jo
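An added illustration, not from this thread, of the "static guarantees about IO effects and capabilities" point above: a trusted host hands untrusted plugin code an abstract Restricted type whose only inhabitants come from exported capabilities, and the plugin is compiled with Safe Haskell so it cannot reach for unsafePerformIO or unsafeCoerce to escape that type. The module names Capability, Plugin, Main and the "sandbox/" directory are assumptions; the three modules are shown in one listing.

```haskell
-- File: Capability.hs  (trusted; Trustworthy because it wraps raw IO)
{-# LANGUAGE Trustworthy #-}
module Capability (Restricted, readConfig, logLine, runRestricted) where
import Data.List (isInfixOf, isPrefixOf)

-- Abstract type: the constructor is not exported, so untrusted code can
-- only build Restricted actions from the capabilities exported below.
newtype Restricted a = Restricted { unRestricted :: IO a }

instance Functor Restricted where
  fmap f (Restricted io) = Restricted (fmap f io)
instance Applicative Restricted where
  pure = Restricted . pure
  Restricted f <*> Restricted x = Restricted (f <*> x)
instance Monad Restricted where
  Restricted m >>= k = Restricted (m >>= unRestricted . k)

-- Capability: read files only under the assumed "sandbox/" directory.
readConfig :: FilePath -> Restricted (Either String String)
readConfig p
  | "sandbox/" `isPrefixOf` p && not (".." `isInfixOf` p) =
      Restricted (Right <$> readFile p)
  | otherwise = pure (Left ("refused: " ++ p))

-- Capability: write to stdout with a fixed prefix, nothing else.
logLine :: String -> Restricted ()
logLine = Restricted . putStrLn . ("[plugin] " ++)

-- Only the host runs plugins; a plugin exports a Restricted value, not IO.
runRestricted :: Restricted a -> IO a
runRestricted = unRestricted

-- File: Plugin.hs  (untrusted; -XSafe rejects imports of Unsafe modules,
-- so System.IO.Unsafe and Unsafe.Coerce cannot be used to escape Restricted)
{-# LANGUAGE Safe #-}
module Plugin (plugin) where
import Capability

plugin :: Restricted ()
plugin = do
  r <- readConfig "sandbox/settings.txt"   -- permitted path (assumed to exist)
  e <- readConfig "/etc/passwd"            -- refused by the capability
  logLine (either id (\s -> "read " ++ show (length s) ++ " chars") r)
  logLine (either id (const "unexpected success") e)

-- File: Main.hs  (trusted host)
module Main (main) where
import Capability (runRestricted)
import Plugin (plugin)
main :: IO ()
main = runRestricted plugin
```

The guarantee is static and stands or falls with the small Trustworthy module; what the type does not bound is CPU time, memory or thrown exceptions, which is the territory a sandbox covers and why the two complement each other.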

