Capabilities and sandboxed sublanguages.

From: Gavin Mendel-Gleason (plywn_at_yahoo.com)
Date: 03/29/04

Date: 29 Mar 2004 13:32:31 -0800

Some interesting responses came out of a previous post asking how to
make a safe sublanguage that could be made available to an untrusted
user.

I would like to continue with a question in the same vein, but with
slightly more clarified goals.

I want a CLish language that has the following properties.

1. The capabilities that the CL-sublanguage has should be controlled
by restricting and extending the environment of the user as needed. A
more detailed description of what I'm thinking of is given in "A
Security Kernel Based on the Lambda-Calculus" by Jonathan Rees.

2. Time and Space given to the user should be limited. By this I mean
that there would be strict bounds on the amount of time over which the
code would be executed, and the amount of consing that would be
allowed.

The suggestions that were given in the previous thread (as I read it)
for creating a safe sub-language were as follows.

1. Create an interpreter.

Of course this can be made to work with all of the above requirements,
but it may end up being a fairly extensive project. The time issue
can be solved fairly easily by introducing threads to the interpreter
and having a special scheduler that does checkup. Someone also
mentioned only allowing programs that can be shown to halt. This is
really more restrictive than I would like as it rejects many programs
which may in fact halt. However the solution to the consing problem
seems extremely difficult to solve.

2. Modify an existing lisp, (probably by making a modified reader?)

This is also tricky. It probably can't be done portably (as far as I
can tell) in that one would need to make use of threads. Also the
situation with consing looks bad here.

Is there some way that the space problem can be dealt with?

Additionally I don't care too much about the issue of portability, so
I'm also interested in platform specific solutions.
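As an added example (not from the original post, nor from the Rees paper), this sketches the interpreter route for both requirements: the guest's environment is an alist of granted capabilities, a step budget stands in for the time bound and a cons budget for the consing bound. The names `sb-eval`, `make-capabilities` and `run-sandboxed` are my own, and the code is portable Common Lisp with no threads.

```lisp
;;; Constructed example: a capability-style interpreter for a small Lisp subset.
;;; Guest code reaches only what the host puts in its env; each step and each CONS is charged.
(defvar *steps* 0)    ; remaining evaluation steps (the time bound)
(defvar *conses* 0)   ; remaining cons cells the guest may allocate (the space bound)

(define-condition budget-exceeded (error)
  ((kind :initarg :kind :reader kind)))
(defun charge-step ()
  (when (minusp (decf *steps*)) (error 'budget-exceeded :kind :time)))
(defun charge-cons (n)
  (when (minusp (decf *conses* n)) (error 'budget-exceeded :kind :space)))

(defun sb-eval (form env)
  "Evaluate FORM in ENV, an alist (symbol . value) of granted capabilities."
  (charge-step)
  (cond ((or (null form) (eq form t)) form)
        ((symbolp form)
         (let ((binding (assoc form env)))
           (if binding (cdr binding) (error "~a is not a granted capability" form))))
        ((atom form) form)                        ; numbers, strings
        (t (case (car form)
             (quote (second form))
             (if (if (sb-eval (second form) env)
                     (sb-eval (third form) env)
                     (sb-eval (fourth form) env)))
             (lambda (let ((params (second form)) (body (third form)))
                       ;; guest closure: its body runs in the guest env, never the host's
                       (lambda (&rest args)
                         (sb-eval body (append (mapcar #'cons params args) env)))))
             (t (apply (sb-eval (car form) env)
                       (mapcar (lambda (arg) (sb-eval arg env)) (cdr form))))))))

(defun make-capabilities (&rest names)
  "Grant exactly the named host functions; CONS is wrapped so each cell is charged
(any other allocating primitive handed to the guest needs the same wrapper)."
  (mapcar (lambda (name)
            (cons name (if (eq name 'cons)
                           (lambda (a d) (charge-cons 1) (cons a d))
                           (symbol-function name))))
          names))

(defun run-sandboxed (form env &key (steps 1000) (conses 100))
  "Return (values result :ok), or (values nil :time) / (values nil :space) when a
budget runs out. STEPS also bounds host stack depth, since SB-EVAL is recursive."
  (let ((*steps* steps) (*conses* conses))
    (handler-case (values (sb-eval form env) :ok)
      (budget-exceeded (c) (values nil (kind c))))))
;; Host usage: cons-counted list building with a granted CONS, then a self-applying
;; loop with no capabilities at all, which the step budget stops.
(run-sandboxed '(cons 1 (cons 2 nil)) (make-capabilities 'cons))
(run-sandboxed '((lambda (f) (f f)) (lambda (f) (f f))) '())
```

The step budget is a deterministic stand-in for wall-clock time; on a specific implementation you could instead count real time or bytes consed in the scheduler, at the cost of the portability the post is willing to give up.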