Ability to limit

Posted 27 Jun 2002 at 23:10 UTC by Malx

Could you point me to languages with the ability to limit their functionality?
Something like a sandbox, or just any tweak to do the same thing?

Or maybe this functionality must be created?

First of all - why do I need it at all?
One of the "fictional" applications of this idea is the ability to run a foreign (possibly hostile) program. Better to have something like "eval", but with no access to the FS and half of the standard objects.

The next thing is enforcement of some administrative rules or coding style for a project. (For example, "do not use goto()". If you do, you'll get an error or warning: "this function/oper/object is not allowed in this project, see URL".)

Now about language examples:
- Java, of course (applets).

- JavaScript - it is already limited to web-browser objects, but (IMHO) you could limit it even more by creating an object "limits" with all top-level objects in it ("limits.window=null, limits.navigator=null, ....") and calling "with (limits) { eval(script) }".

- C - you could remember the #warning about gets. Actually you could re-#define anything to #error to disable it (#define goto BAD_THING).

- PHP - there are some trends to limit time/mem/file operations/etc.

- there is suexec for apache (for CGIs)

You could guess this language must not have "functional" operators such as "echo" or "print" and must be free of special variables (just like JavaScript :).

Anything else? Could some scripting language allow me to ask the user to write a simple program into a <textarea name=prog> and "eval" it, but be sure it will not erase half of the files from the HDD, or just that it will not result in an infinite loop :)
OK, some str_replace("unlink", "DO_NOT_USE", $prog) could help a little, but it is not a good solution.

Will there ever be an age of mobile intelligent agents? Or IRC bots, which could run themselves inside ircd....
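The str_replace idea at the end of the post is a lexical filter: it looks at how a name is spelled, not at what the program does. The following is an added example, not code from the thread, showing what the "eval, but with half of the standard objects removed" approach looks like in Python: an allowlist over the parsed AST, compared side by side with the text filter. ALLOWED_NAMES, the Rejected exception and the sample programs are this example's own choices. It deliberately does not address CPU or memory exhaustion (the infinite-loop half of the question), which a language-level filter cannot solve.

```python
"""Restricting an eval-able subset by AST allowlist (added example).

A text filter such as str_replace("unlink", ...) looks at spelling; an
allowlist over the parsed program looks at structure, so a name assembled
at run time or reached through an attribute is refused before anything runs.
ALLOWED_NAMES, the Rejected exception and the sample programs are this
example's own choices, not part of the original thread. Requires Python 3.8+.
"""
import ast
import math

# The only names an untrusted program may use. open, __import__, getattr and
# every other builtin are absent, and attribute access is not allowed at all.
ALLOWED_NAMES = {"abs": abs, "min": min, "max": max, "sqrt": math.sqrt}

# Node types permitted in the subset: literals, arithmetic, comparisons,
# boolean logic and direct calls. ast.Pow is left out on purpose: even a
# pure-arithmetic subset can burn CPU with 9 ** 9 ** 9, and that class of
# problem belongs to OS resource limits, not to the language filter.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
    ast.UAdd, ast.USub, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)


class Rejected(Exception):
    """Raised when the program uses anything outside the allowed subset."""


def naive_filter(prog: str) -> str:
    """The post's str_replace idea: blank out one dangerous word."""
    return prog.replace("unlink", "DO_NOT_USE")


def check(prog: str) -> ast.Expression:
    """Parse prog as a single expression and refuse the first disallowed node."""
    tree = ast.parse(prog, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise Rejected(f"{type(node).__name__} is not allowed")
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            raise Rejected(f"name {node.id!r} is not allowed")
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            raise Rejected("only direct calls to allowed names are permitted")
    return tree


def restricted_eval(prog: str):
    """Check first, then evaluate with no builtins and only ALLOWED_NAMES."""
    code = compile(check(prog), "<untrusted>", "eval")
    return eval(code, {"__builtins__": {}}, dict(ALLOWED_NAMES))


def compare(prog: str) -> dict:
    """Report what the text filter and the AST allowlist each do with prog.

    Nothing is executed here; the evasion sample is only parsed.
    """
    try:
        check(prog)
        verdict = "accepted"
    except Rejected as exc:
        verdict = f"rejected: {exc}"
    return {
        # True means the replacement found nothing, i.e. the filter is blind.
        "string_filter_passes": naive_filter(prog) == prog,
        "ast_allowlist": verdict,
    }


# Constructed sample programs for this example.
ARITHMETIC = "max(1 + 2 * 3, sqrt(16))"
# Spells the forbidden name at run time; the text "unlink" never appears.
EVASION = "getattr(__import__('os'), 'unl' + 'ink')('some_file')"

if __name__ == "__main__":
    print(restricted_eval(ARITHMETIC))   # 7
    print(compare(EVASION))
    print(compare("9 ** 9 ** 9"))
```

The allowlist is the important design choice: a blocklist has to anticipate every spelling of every dangerous thing, while an allowlist only has to enumerate the small set of things the project actually wants to permit, and anything new is rejected by default.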


python has a restricted execution framework, posted 28 Jun 2002 at 00:35 UTC by splork » (Master)

look at python's rexec and Bastion modules. You can restrict the code from doing just about anything other than a memory or CPU usage attack. To prevent memory/CPU usage attacks, launch the restricted task in separate processes with hard limits enforced by the OS, set using setrlimit().
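The second half of this advice is the part that has aged well: rexec and Bastion were later disabled and then removed from Python because the interpreter-level restrictions could be escaped, while kernel-enforced limits in a separate process still work. Here is that approach worked through, as an added example that is not code from the thread. It assumes Linux (RLIMIT_AS is not honoured on every platform) and Python 3.8+; the exit-code convention and the sample programs are this example's own choices.

```python
"""OS-enforced CPU and memory limits around untrusted code (added example).

The kernel, not the interpreter, is what stops a runaway task here: the
untrusted program runs in a forked child whose limits are set with
setrlimit() before it executes. Assumes Linux (RLIMIT_AS is not honoured on
every platform) and Python 3.8+. The exit-code convention (0 ok, 1 error,
3 out of memory) and the sample programs are this example's own choices.
"""
import os
import resource
import signal


def run_limited(code: str, cpu_seconds: int = 1,
                memory_bytes: int = 2 * 1024 ** 3) -> tuple:
    """Run code in a child process under RLIMIT_CPU and RLIMIT_AS.

    Returns ("exit", status) when the child exited on its own, or
    ("signal", name) when the kernel terminated it. An unprivileged process
    can only lower its hard limits, so the sandboxed code cannot undo them.
    """
    pid = os.fork()
    if pid == 0:
        # Child: from here on everything runs under the limits.
        try:
            # Exceeding the soft limit delivers SIGXCPU (fatal by default);
            # the hard limit one second later is SIGKILL, in case the
            # program installed a SIGXCPU handler.
            resource.setrlimit(resource.RLIMIT_CPU,
                               (cpu_seconds, cpu_seconds + 1))
            # Cap the address space so a huge allocation fails with
            # MemoryError instead of consuming the host's RAM.
            resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
            # No core dumps from a killed sandbox.
            resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
            # Fresh namespace; the protection comes from the limits above,
            # not from this dict.
            exec(code, {})
        except MemoryError:
            os._exit(3)
        except BaseException:
            os._exit(1)
        os._exit(0)

    # Parent: wait and decode how the child ended.
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("signal", signal.Signals(os.WTERMSIG(status)).name)
    return ("exit", os.WEXITSTATUS(status))


if __name__ == "__main__":
    # Constructed sample programs for this example.
    print(run_limited("x = 2 + 2"))            # ('exit', 0)
    print(run_limited("while True: pass"))      # ('signal', 'SIGXCPU')
    print(run_limited("bytearray(2 ** 33)"))    # ('exit', 3)
```

Note what this does and does not buy: the infinite loop and the oversize allocation are stopped by the kernel regardless of what the code does inside the interpreter, but the child still has the parent's UID and file access; limiting those is a separate job (a different user, chroot, or a proper sandbox), not something setrlimit() provides.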

A language-neutral solution also exists, posted 28 Jun 2002 at 00:43 UTC by tk » (Observer)

User Mode Linux limits the possible actions of applications running in it, by trapping all attempts at syscalls.

The problem is, posted 28 Jun 2002 at 04:04 UTC by johnnyb » (Journeyer)

The problem is doing things like being able to sandbox extensions. For example, being able to sandbox downloaded Word macros vs. Word macros I make myself. The same for GIMP plugins and scripts. With GIMP, I can only sandbox the "application" with any success. I cannot sandbox any individual script or plugin.

And no, I have no idea how one would do this. But it's probably just a matter of defining the barrier you want and then implementing it.

parrot , posted 28 Jun 2002 at 08:18 UTC by ask » (Master)

parrot is planned to get that kind of functionality too; and it's relatively simple to make a new parrot with a different set of opcodes.

- ask

I have had an idea, posted 28 Jun 2002 at 09:13 UTC by Malx » (Journeyer)

Some time ago I was struck by the idea that permissions in an OS should be granted not per user, but per piece of software.

If you are not a programmer, you couldn't be expected to know what the possible program actions would be. So it is an independent entity. So you need a way to prevent (say) a mail client from reading/writing the files of (say) a text processor.

Same thing with plugins - Gimp must have a way to limit its plugins to certain functionality, so as not to let them do all they want (especially for foreign plugins).

It is something like private/public methods in OOP, but at the OS/files/processes level.

So it would be just great to assign every piece of software its own UID, which could still be managed by some real-user UID (some local root for his own sub-UIDs).

Is there something like it?

Tcl, posted 28 Jun 2002 at 10:46 UTC by thomasd » (Journeyer)

Tcl has had a safe mode for some time now (at least since version 8.0). You start out by creating a `safe' interpreter, which just contains the core language commands -- no I/O, etc. To this, you can add extra commands to give the sandboxed script access to the rest of the world.

Ideal for allowing sandboxed plugins to a trusted core application.

Ruby, posted 28 Jun 2002 at 13:25 UTC by Guillaume » (Master)

Ruby is your friend: see Locking Ruby in a Safe.

You just have to set the $SAFE global variable.

What about trust?, posted 28 Jun 2002 at 15:54 UTC by mslicker » (Journeyer)

Isn't free software largely distributed and used in trust? For example, I use Debian. It downloads binary packages which run natively on my hardware. There is no way I can examine all the source, or even know the binary is compiled from the source I examine. The reason I can use this software in confidence is due to my high degree of trust in Debian, and other free software developers.

Perl, posted 28 Jun 2002 at 16:00 UTC by gwolf » (Journeyer)

In Perl, you can use Safe, which creates a restricted compartment. In there, you can restrict access to any symbols located in other namespaces, and you can restrict the sets of opcodes to be allowed/disallowed.

Take a look at perldoc Safe - And note that in there it states some things that Safe cannot limit, such as a process growing up to eating all your memory or CPU resources, snooping on your system, reacting to signals and state changes that affect the whole process (such as a chdir).

Capabilities, posted 28 Jun 2002 at 19:27 UTC by mlinksva » (Journeyer)

Malx, see What is a Capability, Anyway?

terminology, posted 29 Jun 2002 at 00:05 UTC by mdanish » (Journeyer)

I'm not exactly sure where you come up with "echo" and "print" being "functional" operators. Both generate side-effects, so their operation is far from "functional" as understood in the programming language community. As far as "special" variables go, the only language to have them would be Common Lisp, where that is the name given to variables with dynamic extent. Somehow I don't think that is what you meant, given your reference to JavaScript.

Note that in order to limit a language's semantics entirely you would really have to reduce it below the level of Turing-completeness. I think you are referring to access-control to data, and mixing in the idea of a "pedantic source code filter" as well.

Thx!!!, posted 29 Jun 2002 at 00:39 UTC by Malx » (Journeyer)

I think I need to choose among Perl/Safe, Tcl, JS, or write my own simple language (with mem/cpu limits built in).

But... there is no easy solution for limiting a language to a special coding style during development.

About trust - OK. If you can trust Debian, that's great. But if you need a plugin for GIMP from some page on the Internet, you couldn't really trust it.

Scheme48, posted 29 Jun 2002 at 03:27 UTC by chalst » (Master)

The scheme48 module system and virtual machine allow you to arbitrarily restrict the functionality either of a module or of the whole virtual machine. It's the most flexible approach to permissions functionality I know of; one of the authors, Jonathan Rees, wrote a nice paper `A security system based on the lambda calculus' on using variable scopes to control user permissions, available as AI Memo #1564 from publications.ai.mit.edu.

Tcl, posted 29 Jun 2002 at 05:46 UTC by davidw » (Master)

Tcl is great for writing 'mini' languages because its syntax is so simple. Scheme would be good for this, too, but I'm less familiar with the implementation. Tcl's safe interpreter code has been out there for a number of years, and is well written.

Askemos, posted 30 Jun 2002 at 08:39 UTC by jerry » (Journeyer)

Askemos runs all application code in such a box.

Pliant includes a real language-level security mechanism, posted 30 Jun 2002 at 13:08 UTC by huberttonneau » (Master)

Pliant truly has the ability to limit what some code can do, by providing only a subset of the overall language.
Basically, each module, when compiled, sees only the definitions of the other modules it is linked with. One can restrict the set of modules some untrusted code is allowed to link with.

With other languages, the security mechanism tends to be defined once and for all at the language design level. So, secured languages (Java) fail to get efficiency because some low-level tasks require doing unsecured things, and efficient languages (C) fail to restrict the capabilities of untrusted code (rather, read: not-enough-reviewed code).

Pliant - precisions, posted 3 Jul 2002 at 11:42 UTC by pom » (Master)

Pliant's capabilities allow filtering the visibility of data and code, thus making it possible to force the use of specific APIs. It also allows setting up a local parser for a specific syntax. These capabilities are used in some dynamic HTTP pages to avoid insecure code generation.

Actually, locality goes further: the code generator and the code optimizer themselves may be tailored within a module.

So, the "standard" way to limit language expression in Pliant is to create a module, link it with a limiting module and then compile some program in it.

.NET / CLR, posted 6 Jul 2002 at 12:36 UTC by Toastie » (Master)

You can limit any CLR executable naturally, regardless of the language it was written in. Read http://msdn.microsoft.com/msdnmag/nettop.asp?page=/msdnmag/issues/02/06/rich/rich.asp&ad=ads.ddj.com/msdnmag/premium.htm
