From: David Allouche
Newsgroups: gmane.lisp.guile.user
Subject: Re: Secure evaluation
Date: Mon, 14 Jul 2003 17:34:20 +0200
Message-ID: <20030714153420.GC29847@nemesis.xlii.org>
To: guile-user@gnu.org
User-Agent: Mutt/1.5.4i
On Mon, Jul 14, 2003 at 11:36:28AM +0200, Joris van der Hoeven wrote:
>
> I would like to use Guile Scheme for scripts inside documents,
> a bit like JavaScript in HTML. Does there exist any mechanism which
> forbids the use of dangerous instructions like (system "rm -rf /")
> or maybe even instructions which may lead to infinite loops?

In case you do not get a more specific answer by more knowledgeable
people here:

I remember there was some discussion about EVAL in later versions of
GUILE (see the compat.scm file in texmacs) taking an "environment"
parameter (which is how R5RS specifies EVAL). I believe it is possible
to create an empty environment in which only the desired functions are
imported; and there is a relationship between modules and environments
(modules can be used as environments).

Probably you could try searching the archives for "module environment
eval" and maybe "sandbox" keywords.

A quick googling yielded this thread in the archive:
http://mail.gnu.org/archive/html/guile-user/2001-09/msg00055.html

In a nutshell, that seems to be possible with guile 1.6.

This other post from Marius Vollmer mentions a "safe-eval-string"
procedure which uses such a "safe" environment.
http://mail.gnu.org/archive/html/guile-user/2003-06/msg00036.html

This one mentions the "make-safe-module" procedure which is probably
used internally with safe-eval-string.
http://mail.gnu.org/archive/html/guile-user/2001-05/msg00193.html

Another related thread:
http://mail.gnu.org/archive/html/guile-user/2001-03/msg00081.html

It also seems there are special provisions to be made for glue
functions:
http://mail.gnu.org/archive/html/guile-user/2002-10/msg00078.html

I think the main problems you would have are:

-- The cost of building the module for each evaluation.
   Maybe not such a big deal.

-- Protecting the included modules from changes caused by SET! from
   the sandbox module.

The latter problem is the most difficult, because to get a useful safe
environment you are going to import a bunch of utility modules in it.
However, a malevolent (or buggy) script should not be allowed to wreak
havoc in other modules.

But maybe I am misunderstanding how SET! interacts with modules (I
have not tested) and maybe it is not possible to modify another module
by SET!ing an imported binding.

-- 
ddaa

_______________________________________________
Guile-user mailing list
Guile-user@gnu.org
http://mail.gnu.org/mailman/listinfo/guile-user
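An added example of the make-safe-module approach discussed in this thread, not code from the original posts or from Guile itself. It assumes Guile 1.6 or later, where (ice-9 safe) provides make-safe-module and eval accepts a module as its environment; sandbox-eval and set!-leaks? are names chosen here, and the alarm-based limit is the simplest answer to the infinite-loop question.

```scheme
;; Added example, not from the original post. Assumes Guile 1.6 or
;; later, whose (ice-9 safe) module provides make-safe-module and whose
;; eval takes a module as the environment argument.
(use-modules (ice-9 safe))

;; Evaluate EXPR in a fresh R5RS-only module, with SECONDS as a
;; wall-clock limit enforced through SIGALRM. Returns (ok . value),
;; (error key . args) or (timeout).
(define (sandbox-eval expr seconds)
  (let ((sandbox (make-safe-module)))      ; a new module per script
    (sigaction SIGALRM (lambda (sig) (throw 'sandbox-timeout)))
    (catch #t
      (lambda ()
        (alarm seconds)
        (let ((value (eval expr sandbox)))
          (alarm 0)                        ; cancel the pending alarm
          (cons 'ok value)))
      (lambda (key . args)
        (alarm 0)
        (if (eq? key 'sandbox-timeout)
            '(timeout)
            (cons 'error (cons key args)))))))

;; Probe for the SET! concern: mutate a binding the sandbox imports and
;; check whether the host's own binding changed. Returns #t if the
;; change leaked out, #f if it stayed local, or 'refused if Guile
;; rejected the set! outright. Restores the host binding afterwards.
(define (set!-leaks?)
  (let* ((host (resolve-module '(guile)))
         (original (module-ref host 'assq))
         (sandbox (make-safe-module)))
    (catch #t
      (lambda ()
        (eval '(set! assq (lambda (key alist) 'hijacked)) sandbox)
        (let ((leaked (not (eq? (module-ref host 'assq) original))))
          (module-set! host 'assq original)
          leaked))
      (lambda (key . args) 'refused))))

;; Plain arithmetic from the R5RS subset evaluates normally.
(display (sandbox-eval '(+ 1 2) 2)) (newline)
;; system is not bound in the safe module, so this yields an error pair
;; instead of running a shell command.
(display (sandbox-eval '(system "rm -rf /") 2)) (newline)
;; A non-terminating script is cut off by the alarm.
(display (sandbox-eval '(let loop () (loop)) 2)) (newline)
;; Whether the host's assq survives the sandbox's set! tells you if
;; extra imported modules need the same protection.
(display (set!-leaks?)) (newline)
```

Guile 2.2 and later also ship (ice-9 sandbox), whose eval-in-sandbox takes time and allocation limits directly, which is the better starting point on a current Guile.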