On Sat, 29 Sep 2001, Buggs wrote:

> Hoi,
> 
> talking about security must be designed from ground up,
> will Parrot natively provide a sandbox mechanism
> (protected mode or whatever) or would that be the problem
> of the bytecode producers?

Yes, it'll provide a sandbox. There'll be a few components to it:

*) The opcode functions will be mildly different. The branch opcodes, for
example, will double-check that the destination of the branch is legal.

*) Some opcodes will just not be available depending on the
characteristics you assign to the interpreter. File opens might be
forbidden, or code loading, or socket ops, or something. Settable as
needed by the interpreter creating the compartment.

*) There'll be optional resource limits--CPU, memory usage, I/O ops or
total I/O usage, stuff like that.

*) I've been thinking about having some sort of privilege system, but I'm
not sure it's appropriate. Might, though, if you want restricted
compartments to be able to create other restricted compartments.

I won't claim it'll be bullet-proof--as long as you can call out to C code
it's ultimately unsafe--but we'll do our best to make sure things are as
secure as a bunch of non-security folks can make it.

FWIW we'll probably steal heavily from VMS' security and quota
system. It's well-developed, well-thought out, and something I'm familiar
with.

                                        Dan
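
The first three components Dan lists (branch destination checks, opcodes switched off per compartment, and a resource limit) in a toy C interpreter. This is an added illustration, not Parrot's code: the instruction format, opcode names, the Compartment struct and the RUN_* statuses are all invented here.

```c
#include <stddef.h>

/* Toy bytecode for illustration only (not Parrot's real format): {op, arg}. */
enum { OP_NOP, OP_ADD, OP_JMP, OP_OPEN, OP_HALT, OP_COUNT };
typedef struct { int op; int arg; } Insn;
/* Settings chosen by the interpreter that creates the compartment. */
typedef struct { unsigned char allowed[OP_COUNT]; long max_ops; } Compartment;
enum { RUN_OK, RUN_BAD_BRANCH, RUN_FORBIDDEN_OP, RUN_LIMIT };

/* Run code[0..len) inside the compartment; returns a RUN_* status. */
int sandbox_run(const Insn *code, size_t len, const Compartment *c, long *acc)
{
    size_t pc = 0;
    long ops = 0;
    *acc = 0;
    while (pc < len) {
        if (++ops > c->max_ops) return RUN_LIMIT;       /* crude CPU quota */
        const Insn *i = &code[pc];
        if (i->op < 0 || i->op >= OP_COUNT || !c->allowed[i->op])
            return RUN_FORBIDDEN_OP;                     /* opcode disabled here */
        switch (i->op) {
        case OP_ADD:  *acc += i->arg; pc++; break;
        case OP_JMP:  /* branch opcode double-checks that the target is legal */
            if (i->arg < 0 || (size_t)i->arg >= len) return RUN_BAD_BRANCH;
            pc = (size_t)i->arg; break;
        case OP_HALT: return RUN_OK;
        default:      pc++; break;   /* OP_NOP, OP_OPEN (stand-in, does nothing) */
        }
    }
    return RUN_OK;
}

/* Constructed programs, one per check. Each returns the RUN_* status. */
int demo_bad_branch(void) {
    Insn code[] = {{OP_ADD, 1}, {OP_JMP, 99}};           /* target past the end */
    Compartment c = {{1, 1, 1, 1, 1}, 100}; long acc;
    return sandbox_run(code, 2, &c, &acc);
}
int demo_forbidden_open(void) {
    Insn code[] = {{OP_OPEN, 0}, {OP_HALT, 0}};          /* file opens forbidden */
    Compartment c = {{1, 1, 1, 0, 1}, 100}; long acc;
    return sandbox_run(code, 2, &c, &acc);
}
int demo_cpu_limit(void) {
    Insn code[] = {{OP_ADD, 1}, {OP_JMP, 0}};            /* endless loop */
    Compartment c = {{1, 1, 1, 1, 1}, 10}; long acc;
    return sandbox_run(code, 2, &c, &acc);
}
```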
