Squeaking the web....and security issues...and BeOS stuff

Dwight Hughes dwighth at ipa.net
Thu Oct 29 03:13:41 UTC 1998


Serg Koren wrote:
---snip---
> However, it does bring up the possibility of nasty squeak viruses infecting
> your machine.  Some thought should be given regarding a security mechanism
> to limit or prevent such things if Squeak/web applets are to be produced.

This is one of those projects that has not yet gotten attention. Ted
Kaehler posted this spec and challenge last year for a file-safe VM for
Squeak:

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
  Subject:           File-safe Squeak VM
     Date:           Mon, 8 Sep 1997 18:16:28 -0700
     From:           "Ted K." <tedk at wdi.disney.com>

Folks,
        We have discussed servers written in Squeak that evaluate an
arbitrary Smalltalk expression, or serve up HTML.  These servers are
vulnerable to any Smalltalk virus that overwrites the server's hard
disk.
        Mark Lentczner and I have been thinking about this issue for
several years, and have written up the way we made Codeworks(tm) be
file-safe.  See
http:www.glyphic.com/glyphic/papers/safehelperapps/title.html  (Glyphic
Codeworks is a prototype-based Smalltalk-like system available for the
Mac for free at www.glyphic.com)

        For Squeak, I've come up with the following spec for a File-Safe
VM.  The idea is that user code can wreak havoc within the Squeak image,
but can only do limited damage on the host's disk.  With these
restrictions, in each session, only files in one folder can be read and
written, only a limited number of new files can be opened, and only a
limited number of bytes can be written.  In addition, we want a user who
accidentally runs into the limits to be able to save his work one last
time before the system refuses to write anymore.  Only servers and other
special applications would use this VM.  Normal operation of the server
would not trigger these limits.

        The File-Safe VM proposal:

1) A new flag "NoVirus" in the C translator. False for the normal Squeak
VM, and true for the File-Safe VM.

2) At Squeak startup, init some counters in C.  Put 100 into
SessionNewFiles, put 10,000,000 in SessionBytesWrt.

3) Code in the File primitive: If NoVirus, file prim will not read or
write outside the Squeak folder.  That folder is found by some fixed
path from either the .image location or the .exe location.  Writing in
the .image is also allowed (used to save a modified image after sys
updates).  Served pages must be in a folder within the Squeak folder.

4) If NoVirus, no file types may be written except those of .sqo, text,
and image (Mac).  No files ending in suffixes other than .sqo, .img, or
.txt may be written (PC) (This is to block out .exe, and other special
suffixes.) No aliases may be written.

5) If NoVirus, every file rename or file creation decrements
SessionNewFiles. When zero, do the primitive, but also return an error
code.  The Squeak file code puts up the message "More than 100 files
were created this session.  To prevent viruses, we do not allow more.
After this write is complete, quit Squeak."  When less than zero, just
fail the primitive. (How to check for a code when the primitive succeeds?
In the File info block??)

6) If NoVirus, all bytes written decrement SessionBytesWrt.  When 1 meg
or less, do the primitive, but also return an error code.  The Squeak
file code puts up the message "More than 9 megs were written on the disk
this session.  To prevent viruses, we do not allow more.  After this
write is complete, quit Squeak."  When less than zero, just fail the
primitive.

7) No Apple Events or ActiveX interprocess events are allowed.  (Don't
allow another app to do the file writing for us.)

8) If NoVirus, disable the escape to user-supplied C code, or to direct
OS calls (when we have these in Squeak).

        Creating this new VM would not only help Squeak web servers, but
also any end-user Squeak applications that involve blindly downloading
Squeak code over the web.  Would you like to do it?

--Ted Kaehler.
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
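As an added illustration (not from Ted's post and not Squeak VM code), here is a C sketch of how steps 3 to 6 of the proposal could gate the file primitive: a folder check, the PC suffix list (.sqo, .img, .txt), and the two session counters with their "do it but warn" and "refuse" thresholds. It assumes the caller passes the absolute Squeak folder path with '/' separators and no trailing slash.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
/* Outcome of a guarded file primitive: do it, do it but hand back the
   "save your work and quit" error code, or refuse it outright. */
typedef enum { FS_OK = 0, FS_WARN = 1, FS_FAIL = 2 } FsResult;
/* Session counters from step 2 of the proposal (assumed names). */
static long sessionNewFiles, sessionBytesWrt;
void fsResetSession(void) { sessionNewFiles = 100; sessionBytesWrt = 10000000L; }

/* Reject any ".." path component (e.g. "/squeak/../etc"). */
static bool hasDotDot(const char *p) {
    for (const char *s = p; (s = strstr(s, "/..")) != NULL; s += 3)
        if (s[3] == '/' || s[3] == '\0') return true;
    return false;
}

/* Step 3: path must sit below the Squeak folder (assumed an absolute prefix
   with no trailing slash); "/squeak2" must not pass as inside "/squeak". */
static bool insideSqueakFolder(const char *squeakDir, const char *path) {
    size_t n = strlen(squeakDir);
    return strncmp(path, squeakDir, n) == 0 && path[n] == '/' && !hasDotDot(path + n);
}

/* Step 4: only .sqo, .img and .txt may be written; no suffix at all is refused. */
static bool suffixAllowed(const char *path) {
    static const char *allowed[] = { ".sqo", ".img", ".txt" };
    const char *dot = strrchr(path, '.'), *slash = strrchr(path, '/');
    if (dot == NULL || (slash != NULL && dot < slash)) return false;
    for (size_t i = 0; i < 3; i++)
        if (strcasecmp(dot, allowed[i]) == 0) return true;
    return false;
}

/* Step 5: every create/rename decrements SessionNewFiles; at zero the
   primitive still runs but returns the error code, below zero it fails. */
FsResult fsGuardCreate(const char *squeakDir, const char *path) {
    if (!insideSqueakFolder(squeakDir, path) || !suffixAllowed(path)) return FS_FAIL;
    if (--sessionNewFiles < 0) return FS_FAIL;
    return sessionNewFiles == 0 ? FS_WARN : FS_OK;
}

/* Step 6: bytes written decrement SessionBytesWrt; at 1 meg or less the
   write still runs but warns, below zero it fails. */
FsResult fsGuardWrite(const char *squeakDir, const char *path, long nbytes) {
    if (!insideSqueakFolder(squeakDir, path) || !suffixAllowed(path)) return FS_FAIL;
    if ((sessionBytesWrt -= nbytes) < 0) return FS_FAIL;
    return sessionBytesWrt <= 1000000L ? FS_WARN : FS_OK;
}
```

The folder and suffix checks run before the counters are touched, so a rejected path never consumes session budget.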
