sandboxing doIts

Lex Spoon lex at cc.gatech.edu
Fri Feb 21 09:39:24 UTC 2003


If you are thinking about the extreme restriction of disabling all
globals, then I suggest you use Islands.  It does allow globals, along
with a lot of basic facilities like strings, symbols, blocks, and so on
that may cause trouble even in your ultra-restricted model.  Islands is
not complicated for you, because it exists already and you can just load
and use it.  You "only" have to pay the price of spending a day or two
loading it, and of working in Squeak 2.8 (I believe that's the version).

There is even a preloaded image at Disney, but maybe that is
inaccessible now that Squeak Central is no longer there.  I sure wish I
had figured out a way to grab a copy before I left!!

Islands is absolutely the simplest I could figure out how to make it.  I
wasn't trying to extnend the state of the art of security, but instead
to do the simplest thing that could get secure execution of Squeak
projects.  In fact, I think Islands is pretty simple.  The bulk of the
code is not in the capability restrictions, but in  modifying various
basic utilities like symbols.


I don't believe any scheme based on having a list of globals and methods
is going to work out.  You need to make blocks be read-only to user
code.  You need to make literals be read-only.    You have to trace the
entire chain of methods callable by any of the methods you allow, and
make sure those are safe.  And you really do have to supply *some* sort
of objects for the user to start with, because surely just playing with
numbers and strings will not be enough.

Islands is principled and minimal.  I've gone down this path that you
are talking about, and believe me I've only included things that are
necessary.  Give it a try!

-Lex

PS -- or, don't bother with security.  Too many computer projects get
bogged down in preventing bad things, when they could be focussed on
making good things.



Avi Bryant <avi at beta4.com> wrote:
> I'm playing with building some tools for interactive online tutorials
> (sort of a GeeMailMorph in Seaside), in which I would ideally like users
> to be able to edit certain methods from their web browser and see the
> effects.  Obviously this is a security hole, but it seems like it ought to
> be possible to restrict the compilation of the method so that it was safe.
> Since being restrictive is the point here, and also since you can very
> tightly control the context in which this method is called, it also seems
> like the solution will be simpler than a full Islands or Squeak-E system.
> Am I kidding myself?
>



More information about the Squeak-dev mailing list