Re: try picolisp
Hi All,

> Is it hard to implement minimalist version of minipicolisp in browser ? Like http://tryclj.com/ ?

In addition to the proposed solutions involving JavaScript versions of PicoLisp: Perhaps not many people are aware that standard PicoLisp comes with a REPL in the browser GUI since many years. It is the 'repl' function in @lib/form.l.

To try it, put this into a script:

   #!/usr/bin/pil

   (load "@lib/http.l" "@lib/xhtml.l" "@lib/form.l")

   (de home ()
      (app)
      (action
         (html 0 "REPL" "@lib.css" NIL
            (repl) ) ) )

   (server 8080 "!home")
   (wait)

Point your browser to http://localhost:8080 (or, better, start httpGate and point to http://localhost).

You can type arbitrary expressions into the text field below, and hit Enter or press the eval button. Then see the output in the text area above. Works with and without JavaScript, also in a text browser like w3m.

I didn't announce it much. I've never put it into a publicly accessible application or demo, for the obviously HUGE security reasons.

♪♫ Alex
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Re: try picolisp
Hi,

On 29. aug. 2014, at 06:27, H. Hirzel hannes.hir...@gmail.com wrote:

> On 8/28/14, Christophe Gragnic christophegrag...@gmail.com wrote:
>> On Thu, Aug 28, 2014 at 9:32 PM, Jon Kleiser jon.klei...@fsat.no wrote:
>>> Thanks to suggestions from Christophe, I have re-structured the code,
>>
>> And removed some trailing whitespace! (more to come (crossing fingers)).
>>
>>> corrected some errors, and implemented a few new functions (more coming).
>>
>> Some say OOP will come before Christmas.
>>
>>> Christophe’s github repo has what I now call EmuLisp v.2.
>
> URL for EmuLisp v.2. repo?

Right now I have no real repo for v.2. You can find my .js files referenced from this console:
https://dl.dropboxusercontent.com/u/48186945/web/pico/emulisp-console2.html

/Jon
Re: try picolisp
Thanks a lot Alex. PicoLisp already has everything except ease of learning!
Re: try picolisp
Hi Christophe,

> On Fri, Aug 29, 2014 at 8:30 AM, Alexander Burger a...@software-lab.de wrote:
>> I didn't announce it much. I've never put it into a publicly accessible application or demo, for the obviously HUGE security reasons.
>
> Just an idea I have to tell. I guess this idea I'll describe here is delicate to implement and time consuming, with no real need for now (except for showcase purposes), but interesting nonetheless.

Yes, indeed very delicate ;-)

The 'repl' in the PicoLisp release has about the same security as an SSH session (if it is used via an SSL session). With the standard role and permission system, you have a good control about who is allowed to use it.

Then, the most glaring security risks are the 'call' and 'pipe' functions, and the pipe functionalities of 'in', 'out' and 'load'. They allow a REPL user to directly access the interlying system. If these were disabled (can probably be done on the Lisp level in the 'repl' function itself), attackers cannot call external commands or processes any more (can they?).

But then an attacker could still read many files. So perhaps disable all I/O functions? How far it makes sense to go?

But in any case it doesn't seem too difficult to me. The easiest would be to let the server run in a minimal virtual machine.

♪♫ Alex
Re: try picolisp
Alexander Burger a...@software-lab.de writes:

Hi Alex,

>> Is it hard to implement minimalist version of minipicolisp in browser ? Like http://tryclj.com/ ?
>
> In addition to the proposed solutions involving JavaScript versions of PicoLisp: Perhaps not many people are aware that standard PicoLisp comes with a REPL in the browser GUI since many years.

[...]

just tried it out, it's neat!

Imagine the interactive PicoLisp web tutorials that could be written if there would actually be a safe PicoLisp interpreter as proposed - that's a nice idea. Or would it suffice to define the tutorial functions and start a server that only allows these functions and nothing else?

--
cheers,
Thorsten
Re: try picolisp
> Imagine the interactive PicoLisp web tutorials that could be written if there would actually be a safe PicoLisp interpreter as proposed - that's a nice idea. Or would it suffice to define the tutorial functions and start a server that only allows these functions and nothing else?

check out http://tryruby.org to see how such a thing is properly done (GUI wise). I find it really clever made. Would surely be a huge boost to have something similar for our beloved picolisp :)
Re: try picolisp
I have been working on collaborative and interactive software development for the past year. I can build a particular solution for PicoLisp (I had been working with Common Lisp and newLISP). The safe execution environment is achieved by running the code in a Docker container. I could modify a little my software to have the functionality of a Try PicoLisp. If you're interested, I could work on this, but it'll take me a while because I'm working on finishing my thesis.

I could also release a collaborative and interactive platform for the development of PicoLisp projects. At first I was thinking on releasing it for the Common Lisp community, but I'm always scared of presenting something to them because they're... not as nice as you guys.

On Aug 29, 2014 7:36 AM, andr...@itship.ch wrote:

>> Imagine the interactive PicoLisp web tutorials that could be written if there would actually be a safe PicoLisp interpreter as proposed - that's a nice idea. Or would it suffice to define the tutorial functions and start a server that only allows these functions and nothing else?
>
> check out http://tryruby.org to see how such a thing is properly done (GUI wise). I find it really clever made. Would surely be a huge boost to have something similar for our beloved picolisp :)
Re: try picolisp
How do I quote someone? (I'm not that social and I've never participated in a mailing list before, do I just copy and paste and add the >?)

Christophe Gragnic, If you use Docker containers, as with my proposed solution, you can do whatever you want with the container (a mini virtual machine) and if everything gets destroyed for example, you can just build a new container in less than a second. The containers are isolated from the host machine, so everything is safe.

On Aug 29, 2014 9:32 AM, Christophe Gragnic christophegrag...@gmail.com wrote:

> On Fri, Aug 29, 2014 at 10:40 AM, Alexander Burger a...@software-lab.de wrote:
>> The 'repl' in the PicoLisp release has about the same security as an SSH session (if it is used via an SSL session). With the standard role and permission system, you have a good control about who is allowed to use it.
>
> The idea here is not access to the REPL, but (quote from the Tcl ref): «safe to execute an arbitrary script from your worst enemy without fear of that script damaging the enclosing application or the rest of your computing environment.»
>
>> Then, the most glaring security risks are the 'call' and 'pipe' functions, and the pipe functionalities of 'in', 'out' and 'load'. They allow a REPL user to directly access the interlying system. If these were disabled (can probably be done on the Lisp level in the 'repl'
>
> How would you disable them? Would this be ok?
>
>    (de annihilate @ (mapcar '((sym) (set sym NIL)) (rest)))
>
> Then call it this way (I think that I understand now why low level functions should evaluate their args):
>
>    (annihilate 'call 'pipe ...)
>
>> function itself), attackers cannot call external commands or processes any more (can they?).
>
> This is the delicate/time consuming part: testing, trying to crack a «safe» interp.
>
>> But then an attacker could still read many files. So perhaps disable all I/O functions? How far it makes sense to go?
>
> No idea, but the Tcl guys may have thought about this a lot. From the ref:
> «««
> The following commands are hidden by interp create when it creates a safe interpreter:
> cd encoding exec exit fconfigure file glob load open pwd socket source
> These commands can be recreated later as Tcl procedures or aliases, or re-exposed by interp expose.
> The following commands from Tcl's library of support procedures are not present in a safe interpreter:
> auto_exec_ok auto_import auto_load auto_load_index auto_qualify unknown
> »»»
>
> I also thought about resources. For showcase purposes, a computation running more than 5 seconds should be killed.
>
> What do you think? I'm also asking the question in the context of Emulisp. If ever there is a platform like http://jsbin.com/ supporting PicoLisp, what «in browser» operations will be safe to allow?
>
> chri
> --
> http://profgra.org/lycee/ (professional site)
> http://delicious.com/profgraorg (links, bookmarks)
> https://twitter.com/profgraorg
> http://microalg.info
Re: try picolisp
On Fri, Aug 29, 2014 at 6:45 PM, Amaury Hernández Águila amhe...@gmail.com wrote:

> How do I quote someone? (I'm not that social and I've never participated in a mailing list before, do I just copy and paste and add the >?)

It's just what email clients do (including gmail, be it online, android app…). Note that you just quoted me at the end. Maybe you just have to click somewhere to avoid what is called «top posting» (posting a message with the answer before the email where the question is). Funny that you master quite complex systems with Docker and don't know how to quote an email!

> Christophe Gragnic, If you use Docker containers…

Thanks for your proposal. I'm just a (maths teacher) and ((computer science and dev) hobbyist and teacher). I try to build things that are as simple as possible. Building, (and even only maintaining if already built) something like:
- web site
- triggering VMs or jails
- to run code
- that will output results to the user
frightens me as hell.

chri
---
http://profgra.org/lycee/ (professional site)
http://delicious.com/profgraorg (links, bookmarks)
https://twitter.com/profgraorg
http://microalg.info
Re: try picolisp
Alright, let me try:

> It's just what email clients do (including gmail, be it online, android app…). Note that you just quoted me at the end. Maybe you just have to click somewhere to avoid what is called «top posting» (posting a message with the answer before the email where the question is). Funny that you master quite complex systems with Docker and don't know how to quote an email!

I don't use emails that much :( but yeah, I'm ashamed for not knowing about it.

>> Christophe Gragnic, If you use Docker containers…
>
> Thanks for your proposal. I'm just a (maths teacher) and ((computer science and dev) hobbyist and teacher). I try to build things that are as simple as possible. Building, (and even only maintaining if already built) something like:
> - web site
> - triggering VMs or jails
> - to run code
> - that will output results to the user
> frightens me as hell.

Well, then you teach me about quoting an email and I take care about the system :D
Re: try picolisp
Hi Amaury,

Amaury Hernández Águila amhe...@gmail.com writes:

[...]

> The safe execution environment is achieved by running the code in a Docker container.

what do you mean by safe? It's certainly not secure.

Using VM like Alex suggests is better.

Cheers,
Tomas
Re: try picolisp
Hi Christophe

Christophe Gragnic christophegrag...@gmail.com writes:

> The idea here is not access to the REPL, but (quote from the Tcl ref): «safe to execute an arbitrary script from your worst enemy without fear of that script damaging the enclosing application or the rest of your computing environment.»

that is impossible, and even contradictory!

You can't allow arbitrary functionality and disallow some functionality at the same time.

Cheers,
Tomas
Re: try picolisp
On Fri, Aug 29, 2014 at 9:43 PM, Tomas Hlavaty t...@logand.com wrote:

> that is impossible, and even contradictory!
>
> You can't allow arbitrary functionality and disallow some functionality at the same time.

Executing a script doesn't mean every line will work as expected! `rm -fr /` can be executed, but doesn't always work ;)

--
http://profgra.org/lycee/ (professional site)
http://delicious.com/profgraorg (links, bookmarks)
https://twitter.com/profgraorg
http://microalg.info
Re: try picolisp
>> The safe execution environment is achieved by running the code in a Docker container.
>
> what do you mean by safe? It's certainly not secure.

Okay, there's a Host machine that is running all the Docker containers (also called Jails). When a user starts a session, a Container gets created. This user will send all his PicoLisp code through the website to a Container that is running a PicoLisp server. The PicoLisp server executes the code, and the result is returned to the user. If the user ever tries (delete-all-files) or whatever, that Container will get affected, but not the host machine. If the user wants to continue with his session, the Host can create another Container.

A professor I know was working on a system that automatically creates and destroys the containers as needed. For this approach, we could have several PicoLisp servers (5, for example) running inside a single Container. If someone runs malicious code inside of the container, the container gets automatically destroyed and re-created. The bad thing about this solution is that the other users would lose their sessions. Something that could get implemented is to save all the PicoLisp sessions (their source code) in a Redis database, and that way the users wouldn't lose their sessions.

It looks too complicated, but most of this has already been done in my University. It was tested with Python, though.

Also, the system resources required for a container are minimal. Around 5 Mb of RAM per container. We could have 20 containers running 5 PicoLisp servers, for a total of 100 users running Try PicoLisp simultaneously.

Anyway, the advantage of this approach is users would have 100% the functionality of PicoLisp, not a watered down version, or a restricted version.

> Using VM like Alex suggests is better.

A Container is basically a VM, but cheaper. The downsides are negligible, like the limitation of running only a single Linux kernel for all the containers, or not being able to run other operating systems (if the host machine is a Linux with a kernel version X.X.X, all the containers will be Linux X.X.X).

> Cheers,
> Tomas
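
Added example, not code from any poster in this thread: a shell wrapper for the per-session container idea discussed above, evaluating one expression in a throwaway container with no network, a read-only root filesystem, dropped capabilities and resource limits, and killing the container when the 5-second budget mentioned in the thread is exceeded. The image name `picolisp-sandbox:local` and its entrypoint (reads one expression on stdin, prints the result) are hypothetical; the container still shares the host kernel, as noted in the thread.

```shell
#!/bin/sh
# Added example. Assumptions (hypothetical): image "picolisp-sandbox:local"
# whose entrypoint reads one expression on stdin and prints the result.
DOCKER="${DOCKER:-docker}"                        # overridable for a dry run
REPL_IMAGE="${REPL_IMAGE:-picolisp-sandbox:local}"
REPL_TIMEOUT="${REPL_TIMEOUT:-5}"                 # seconds, the budget from the thread

# run_snippet: expression on stdin, result on stdout.
# Returns the container's exit status, or 124 if the time budget was exceeded.
run_snippet() {
    # Random name so a timed-out container can be addressed and killed later.
    name="repl-$(od -An -N4 -tx4 /dev/urandom | tr -d ' \n')"
    status=0
    # --rm                       container and its writable layer vanish on exit
    # --network none             no outbound connections from evaluated code
    # --read-only + --tmpfs      nothing persists; scratch space is small, noexec
    # --cap-drop / no-new-priv   no capabilities, setuid binaries gain nothing
    # --user 65534               run as "nobody", never as root in the container
    # --pids/--memory/--cpus     bound fork bombs and memory or CPU exhaustion
    timeout "$REPL_TIMEOUT" "$DOCKER" run --rm -i --name "$name" \
        --network none \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=8m \
        --cap-drop ALL --security-opt no-new-privileges \
        --user 65534:65534 \
        --pids-limit 32 --memory 64m --memory-swap 64m --cpus 0.5 \
        "$REPL_IMAGE" || status=$?
    if [ "$status" -eq 124 ]; then
        # timeout(1) only signalled the docker client; a process that ignores
        # SIGTERM would keep running, so kill the container by name as well.
        "$DOCKER" kill "$name" >/dev/null 2>&1 || true
    fi
    return "$status"
}
```

Typical use is `printf '(+ 1 2)\n' | run_snippet`; setting `DOCKER=echo` prints the command line instead of running it.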