On Fri, Aug 29, 2014 at 10:40 AM, Alexander Burger <a...@software-lab.de> wrote:
> The 'repl' in the PicoLisp release has about the same security as an SSH
> session (if it is used via an SSL session). With the standard role and
> permission system, you have a good control about who is allowed to use
> it.

The idea here is not access to the REPL, but (quote from the Tcl ref):
«safe to execute an arbitrary script from your worst enemy without
fear of that script damaging the enclosing application or the rest of
your computing environment.»

> Then, the most glaring security risks are the 'call' and 'pipe'
> functions, and the pipe functionalities of 'in', 'out' and 'load'. They
> allow a REPL user to directly access the interlying system. If these
> were disabled (can probably done on the Lisp level in the 'repl'

How would you disable them? Would this be ok?
(de annihilate @ (mapcar '((sym) (set sym NIL)) (rest)))
Then call it this way (I think that I understand now why low level functions
should evaluate their args):
(annihilate 'call 'pipe ...)

> function itself), attackers cannot call external commands or processes
> any more (can they?).

This is the delicate/time consuming part: testing, trying to crack a
«safe» interp.

> But then an attacker could still read many files. So perhaps disable all
> I/O functions? How far it makes sense to go?

No idea, but the Tcl guys may have think about this a lot. From the ref:

The following commands are hidden by interp create when it creates a
safe interpreter:
cd encoding exec exit
fconfigure file glob load
open pwd socket source
These commands can be recreated later as Tcl procedures or aliases, or
re-exposed by interp expose.
The following commands from Tcl's library of support procedures are
not present in a safe interpreter:
auto_exec_ok auto_import auto_load
auto_load_index auto_qualify unknown

I also thought about resources. For showcase purposes, a computation
running more than 5 seconds should be killed. What do you think?

I'm also asking the question in the context of Emulisp. If ever there
is a platform like
http://jsbin.com/ supporting PicoLisp, what «in browser» operations will be
safe to allow?



http://profgra.org/lycee/ (site pro)
http://delicious.com/profgraorg (liens, favoris)
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe

Reply via email to