> On Fri, Aug 29, 2014 at 8:30 AM, Alexander Burger <a...@software-lab.de>
> > I didn't announce it much. I've never put it into a publicly accessible
> > application or demo, for the obviously HUGE security reasons.
> Just an idea I have to tell. I guess this idea I'll describe here is delicate
> to implement and time consuming, with no real need for now (except
> for showcase purposes), but interesting nonetheless.
Yes, indeed very delicate ;-)
The 'repl' in the PicoLisp release has about the same security as an SSH
session (if it is used via an SSL session). With the standard role and
permission system, you have a good control about who is allowed to use
Then, the most glaring security risks are the 'call' and 'pipe'
functions, and the pipe functionalities of 'in', 'out' and 'load'. They
allow a REPL user to directly access the interlying system. If these
were disabled (can probably done on the Lisp level in the 'repl'
function itself), attackers cannot call external commands or processes
any more (can they?).
But then an attacker could still read many files. So perhaps disable all
I/O functions? How far it makes sense to go? But in any case it doesn't
seem too difficult to me.
The easiest would be to let the server run in a minimal virtual machine.