Sandboxing (Was: Behaviors vs Modules)

David Simmons David.Simmons at smallscript.com
Sat Feb 23 20:39:38 UTC 2002


> -----Original Message-----
> From: squeak-dev-admin at lists.squeakfoundation.org [mailto:squeak-dev-admin at lists.squeakfoundation.org] On Behalf Of Daniel Joyce
> Sent: Friday, February 22, 2002 9:06 PM
> To: squeak-dev at lists.squeakfoundation.org
> Subject: Re: Behaviors vs Modules
> 
> On Friday 22 February 2002 08:11 pm, you wrote:
> > Anthony Hannan <ajh18 at cornell.edu> writes:
> > > What do you guys think?  I'm thinking of making this my next project.
> >
> > "Oh Yes Please" :)
> >
> > Anthony and David in one thread, this is great. I think I may be starting
> > to see what is meant by "selector namespaces".
> >
> > Regards
> > --Simon
> 
> 	Someone posted a reference to a paper on "layers" which was very
> interesting too. It's somewhere in the list within the last 1-2 weeks. The
> notion of layers also solves modules, and namespaces, and could be used
> for sandboxing too.

SmallScript includes virtual sandboxes. They are a next step beyond
selector namespaces. They require introduction of the notion of
"tainted" and "untainted" namespace scopes, where a "trusted" method is
required for a "tainted" scope to access "untainted" scope behavior.
Thus, a "trusted" method is a thunk for crossing between the worlds.

Here is an example from SmallScript:

    """"""""""""""""""""""""""""
    "" Sandbox.sts source file
    """"""""""""""""""""""""""""
    Compiler cmds: '-target:dll'.
    Module name: Sandbox version: 1.0.0.0.
    
    "" Uncomment out the following one at a time,
    "" rebuilding the sandbox.dll after each time,
    "" and re-trying/re-running the tainted.sts
    "" script sample.
    <!--
    Method behavior: PoolVariable [<$trusted>
    value
        ^value()
    ]
    Method behavior: StdOutStream [<$trusted>
    cr
        ^cr()
    ]
    Method behavior: StdOutStream [<$trusted>
    << v
        ^self << v
    ]
    -->

    """"""""""""""""
    "" Tainted.sts
    """"""""""""""""
    Compiler cmds: '-safe:no'.
    Requires module: Sandbox.
    
    Module name: UnsafeCode.
    Eval [stdout cr << 'Tainted code'] 
============

In practice, you would not have the "Compiler cmds: '-safe:no'." in the
script file itself (I just did that for convenience). 

You would more typically invoke an "untrusted" script as:

    AMLCompiler cmds: '-safe:no ' + scriptPathName.

===

-- Dave S. [SmallScript Corp]

SmallScript for the AOS & .NET Platforms
David.Simmons at SmallScript.com | http://www.smallscript.org

> 
> 	Daniel
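As an added illustration of the tainted/untainted split and the "trusted" thunks described in the message above (this is constructed Python, not SmallScript and not code from David Simmons or SmallScript Corp), the model below gives tainted code a proxy through which every message send is checked against a registry of trusted thunks, and replays the "uncomment one at a time" experiment from Sandbox.sts. The names `SandboxModule`, `Tainted`, `run_tainted` and `demo` are assumptions of this example, and SmallScript's `<<` is modelled as a `write` method.

```python
# Constructed model of "tainted"/"untainted" scopes and "trusted" crossing thunks.
# Illustration only: not SmallScript and not the SmallScript implementation.
import io


class SandboxViolation(PermissionError):
    """Raised when tainted code calls untainted behavior with no trusted thunk."""


class StdOutStream:
    """Untainted behavior: an output stream (stand-in for SmallScript's stdout)."""

    def __init__(self):
        self._buf = io.StringIO()

    def cr(self):
        self._buf.write("\n")
        return self

    def write(self, v):  # plays the role of '<<' in the original
        self._buf.write(str(v))
        return self

    def contents(self):
        return self._buf.getvalue()


class SandboxModule:
    """The untainted side: a registry of trusted thunks keyed by (class, selector).

    Each thunk is the only path by which tainted code may reach that behavior,
    mirroring the <$trusted> methods declared in Sandbox.sts.
    """

    def __init__(self):
        self._trusted = {}

    def trust(self, cls, selector, thunk=None):
        # Default thunk just forwards to the real method, like '^cr()' in the original.
        self._trusted[(cls, selector)] = thunk or (
            lambda obj, *a: getattr(obj, selector)(*a)
        )
        return self

    def is_trusted(self, obj, selector):
        return (type(obj), selector) in self._trusted

    def call(self, obj, selector, *args):
        if not self.is_trusted(obj, selector):
            raise SandboxViolation(f"{type(obj).__name__}>>{selector} is not trusted")
        return self._trusted[(type(obj), selector)](obj, *args)


class Tainted:
    """Proxy handed to tainted code. Every message send is routed through the sandbox."""

    def __init__(self, sandbox, target):
        object.__setattr__(self, "_sandbox", sandbox)
        object.__setattr__(self, "_target", target)

    def __getattr__(self, selector):
        sandbox, target = self._sandbox, self._target

        def send(*args):
            result = sandbox.call(target, selector, *args)
            # Results stay in the tainted world: wrap them so the next send is checked too.
            return Tainted(sandbox, result) if result is not None else None

        return send

    def __setattr__(self, name, value):
        raise SandboxViolation("tainted code may not assign into untainted objects")


def run_tainted(sandbox, script, stdout):
    """Run `script` (a callable receiving the proxied stdout) in the tainted scope.
    Returns ('ok', output) or ('denied', message)."""
    try:
        script(Tainted(sandbox, stdout))
        return ("ok", stdout.contents())
    except SandboxViolation as e:
        return ("denied", str(e))


def tainted_script(stdout):
    # Equivalent of the original's: Eval [stdout cr << 'Tainted code']
    stdout.cr().write("Tainted code")


def demo():
    """Replays the 'uncomment one at a time' experiment; returns the three outcomes."""
    outcomes = []
    sandbox = SandboxModule()
    # 1. Sandbox.sts with every trusted method commented out: the first send is denied.
    outcomes.append(run_tainted(sandbox, tainted_script, StdOutStream()))
    # 2. Only 'cr' trusted: 'cr' crosses over, '<<' (write) is denied.
    sandbox.trust(StdOutStream, "cr")
    outcomes.append(run_tainted(sandbox, tainted_script, StdOutStream()))
    # 3. Both thunks present: the tainted script completes.
    sandbox.trust(StdOutStream, "write")
    outcomes.append(run_tainted(sandbox, tainted_script, StdOutStream()))
    return outcomes


if __name__ == "__main__":
    for status, detail in demo():
        print(status, repr(detail))
```

The point the model makes is that the tainted scope never holds a direct reference to untainted objects: results of a trusted call are re-wrapped, so a chained send such as `stdout cr << 'Tainted code'` is checked at each step, and assignment into the untainted object is refused outright.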
