monads, modules, sandboxes

Daniel Crealer dcrealer@hotmail.com
Mon, 29 Jul 2002 01:31:35 -0400 

Warning: pseudo-caml below since I don't know Haskell too well.  But in 
trying to learn I came across interesting concept of monad, and that is
what inspired the following idea.  I would just like to know if anyone 
thinks it's interesting and if someone has already developed it.



Inspired by monads, I had the following idea for controlled sandboxing of an 
application.  I'll give you a very concrete scenario, but maybe it isn't the 
most interesting use of idea.  I download a program
off the Internet that claims to do some interesting transformation on
my data.  But I don't trust the application not to send my secret data
back to the web site.  I could achieve this by running the program in a 
sandbox that doesn't allow it to send data over the Internet.  But maybe the 
program has legitimate reasons to send data, e.g., the company charges based 
on how much data I transform, so the program wants to periodically send 
messages to the web site saying it performed some units of work.

The idea is just that if my data has type t, instead of a program of type t 
-> t, the website provides a program of type m -> m written in a monadic 
style.  Actually m = t, and the bind operation (>>=) is trivial.  But it is 
run in the sandbox.  Here is pseudo-code, where MYDATA is thought of as a 
well-known signature of a well-known standard, like JPEG or something, with 
standard implementation MyData (though I could change MyData as long as I 
think my changes won't break the code I got off the web site) and 
DataTransformer is the untrusted code from the web site.  In some 
applications, probably you could get away with just bind and return, but for 
the example I give here, the untrusted code needs a way to find out if the 
data is done being transformed.  I implement that by providing an is_done 
function, but note that this could be a security hole.  A safer way might be 
to have really_do_100_steps throw an exception when it finishes that would 
be caught by bind.

module MyData =
    struct
      type t = ...
      type m = t
      let (>>=) mm f = try run_in_sandbox (fun _ -> f mm)
                      with _ -> failwith "gotcha"
      let return x = x
      (* functions that only run in the sandbox *)

      ...  things that take t's ...

      (* functions that can run outside the sandbox *)

      let is_done = ...
      ... other things that take m's ...
    end

module type MYDATA =
    sig
      type t = ...
      type m
      val (>>=) : m -> (t -> m) -> m
      val return : t -> m
      is_done : m -> bool
      ... other stuff ...
    end

module DataTransformer =
    struct
      let really_do_100_steps x = ...

      let do_100_steps x = x >>= (function y ->
                                  return (really_do_100_steps y))

      let rec doit x =
         bill_customer_for_100_steps ();
         let x' = do_100_steps x in
         if is_done x' then x' else doit x'
    end




_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com