From: Ken A. <kan...@bb...> - 2004-11-19 20:26:28
Thanks, we should provide something like this.

k

At 02:12 PM 11/19/2004 -0500, Alan Donovan wrote:

>On Fri, Nov 19, 2004 at 01:12:36PM -0500, Ken Anderson wrote:
>> >Obviously, it's important that the evaluator not stop the host process
>> >by accident. (By redefining init.scm and imposing a policy on
>> >imported Java names, you could actually enforce a secure sandbox, but
>> >I don't need this.)
>>
>> Tell me more about how you would do the sandbox. We have at least
>> one JScheme application in an above top secret facility, though the
>> application and data are unclassified.
>
>By a sandbox, I mean an environment where the scheme program only has
>limited access to names. For example, if the only visible names are
>the R4RS Scheme library, minus I/O and 'exit', then the scheme program
>cannot do anything except computation: it can't stop the host process,
>read the disk, or leak information. Typically you want to have some
>domain-specific operators available to the scheme program, so that it
>can do its job. e.g. in a window manager, you want X11 window
>primitives; in a GUI, I want widget primitives, etc.
>
>So, all you need to do is ensure that only a subset of Java names are
>visible via the javadot notation. For example, perhaps only names
>defined in one particular package are needed for your application.
>
>In general, however, deciding on a subset of Java names that is
>sufficient to get the job done, but not enough to break whatever
>security policy you're interested in, is a rather labor-intensive
>task. You would have to manually inspect each class to determine
>whether it appears to be "safe" or whether it might break your
>abstraction. You might also need to wrap some essential but unsafe
>things to provide a safe interface.
>
>It would be easy to provide an implementation though; you just need to
>allow JScheme clients to (a) filter the list of scheme primitives
>initially available in the toplevel environment, and (b) provide a
>policy object which decides which Java names are available through
>javadot notation; it would have one method:
>
> boolean isJavaNameVisible(String name);
>
>That's the basic idea anyway.
>
>cheers
>alan
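A sketch of the two hooks Alan describes, (a) a filter over the toplevel primitives and (b) a default-deny policy object behind `isJavaNameVisible`, added here as an example and not JScheme's own code. The package and class names are hypothetical, as is the assumption that the evaluator hands the policy the fully qualified class name a javadot reference resolves to.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// The policy object from the thread: one method deciding javadot visibility.
interface JavaNamePolicy {
    boolean isJavaNameVisible(String name);
}

// Default-deny allow list. Assumes (hypothetically) that the evaluator passes the
// fully qualified class name behind each javadot reference, e.g. "java.lang.Math".
// 'packages' lists whole packages, 'classes' lists individual classes.
record AllowListPolicy(Set<String> packages, Set<String> classes) implements JavaNamePolicy {
    @Override
    public boolean isJavaNameVisible(String name) {
        if (name == null) return false;
        if (classes.contains(name)) return true;
        for (String pkg : packages) {
            // Trailing dot stops "com.example.widgetsx.Foo" from matching "com.example.widgets".
            if (name.startsWith(pkg + ".")) return true;
        }
        return false; // unlisted names, java.lang.System included, stay invisible
    }
}

public class SandboxDemo {
    // Constructed sample of the R4RS I/O and exit names the mail says to remove.
    static final Set<String> UNSAFE_PRIMITIVES = new HashSet<>(Arrays.asList(
        "exit", "load", "read", "write", "display", "open-input-file", "open-output-file"));

    // Part (a): filter the primitives initially bound in the toplevel environment.
    static Set<String> filterPrimitives(Set<String> all) {
        Set<String> kept = new HashSet<>(all);
        kept.removeAll(UNSAFE_PRIMITIVES);
        return kept;
    }

    public static void main(String[] args) {
        // Part (b): hypothetical package and class names for the demo.
        JavaNamePolicy policy = new AllowListPolicy(
            new HashSet<>(Arrays.asList("com.example.widgets")),
            new HashSet<>(Arrays.asList("java.lang.Math", "java.lang.String")));
        String[] probes = {"java.lang.Math", "com.example.widgets.Button",
                           "java.lang.System", "com.example.widgetsx.Evil"}; // incl. a look-alike package
        for (String n : probes) System.out.println(n + " -> " + policy.isJavaNameVisible(n));
        System.out.println(filterPrimitives(new HashSet<>(Arrays.asList("car", "+", "display", "exit"))));
    }
}
```

The labor-intensive part Alan points out is choosing the contents of the two allow sets; the mechanism itself is only a membership test, and anything the evaluator resolves outside those sets is rejected.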