Re: Lisp code security

From: Chris Capel (ch.ris_at_iba.nktech.net)
Date: 12/07/04


Date: Mon, 06 Dec 2004 23:22:10 -0600

Wade Humeniuk wrote:

> Chris Capel wrote:
>> Hi everyone,
>>
>> I'm interested in defining a subset of Lisp that is safe in the sense
>> that any arbitrary code written in the subset can be executed without
>> fear of the code compromising the security of the system, or taking down
>> the lisp image (absent impl. bugs), or accessing certain protected
>> information in the lisp image, or hanging the lisp image in a tight loop,
>> or doing other malicious things. The code would have to be verified to
>> exist in that subset with a function that reads in the code from text
>> (with read-time evaluation disabled, of course) and returns whether it's
>> safe. Is it possible to define such a subset?
>
> I think this problem is exactly equivalent to running any arbitrary
> program within an Operating System. Even the best Operating Systems can
> get compromised by either oversight, malice or pure random chance (say a
> cosmic ray randomly mutating memory). The general problem is so hard that
> no OS can handle it fully. Perhaps you could narrow down your scope in
> what you specifically want to do?

I'm not exactly sure the scope can be narrowed. What I'm planning on using
it for is a Terrarium-like[1] server process that communicates with other
servers over the internet automatically exchanging bits of creature AI code
and running them in a simulation. So I want to define a subset of CL that
can be verified so that the code that's exchanged can be guaranteed not to
do bad things, but can still be used to define a sophisticated and
efficient creature AI.

Terrarium itself was built by Microsoft as an example of the sort of
security built into the .NET framework. I don't know that it's exactly fair
to compare Lisp on this count, though, because the sort of code security
necessary to do this thing was one of the major goals of .NET, and it never
has been for Lisp. So Terrarium was built to showcase that aspect of .NET.
One might say it's a language designed for the application.

Of course, in the end, it's just a novelty. Maybe it would be more
important if a *real* application needed to do this sort of thing.

Chris Capel

[1]
http://www.windowsforms.net/Applications/application.aspx?PageID=30&tabindex=8
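As an added illustration (not code from this thread or from Terrarium), here is one way the verifier Chris describes could start out in Common Lisp: read the text with `*read-eval*` bound to NIL into a package that uses nothing, then walk the resulting form against an allow-list of operators. The package name, the allow-list contents and the depth limit are all assumptions.

```lisp
;; A package that :use's nothing, so an unprefixed symbol in untrusted text
;; can never name a CL or implementation-internal function.
(defpackage :creature-sandbox (:use))

(defparameter *allowed-operators*
  '("+" "-" "*" "/" "<" ">" "=" "IF" "AND" "OR" "NOT" "PROGN" "LET"
    "CAR" "CDR" "CONS" "LIST" "NULL" "CONSP" "NUMBERP" "MIN" "MAX" "ABS")
  "Operator names untrusted code may call (constructed allow-list).")

(defparameter *max-depth* 64
  "Nesting limit; also stops the walker on #1=(+ #1#) style circular input.")

(defun sandbox-symbol-p (x)
  "True only for symbols interned in the sandbox package (rejects cl:, keywords...)."
  (and (symbolp x) (eq (symbol-package x) (find-package :creature-sandbox))))

(defun read-untrusted (text)
  "Read TEXT with #. disabled and every unprefixed symbol interned in the sandbox."
  (let ((*read-eval* nil) (*package* (find-package :creature-sandbox)))
    (read-from-string text)))

(defun safe-form-p (form &optional (depth 0))
  "T if FORM is built only from literals, sandbox variables and allowed operators."
  (cond ((> depth *max-depth*) nil)
        ((null form) t)                              ; () is plain data
        ((sandbox-symbol-p form) t)                  ; a variable reference
        ((symbolp form) nil)                         ; symbol from another package
        ((or (numberp form) (stringp form) (characterp form)) t)
        ((consp form)
         (let ((op (car form)) (args (cdr form)))
           (and (sandbox-symbol-p op)
                (member (symbol-name op) *allowed-operators* :test #'string=)
                (list-length form)                   ; NIL => circular list; dotted lists error
                (if (string= (symbol-name op) "LET")
                    (and (safe-bindings-p (first args) (1+ depth))
                         (every (lambda (f) (safe-form-p f (1+ depth))) (rest args)))
                    (every (lambda (f) (safe-form-p f (1+ depth))) args)))))
        (t nil)))                                    ; vectors, pathnames, #S(...) etc.

(defun safe-bindings-p (bindings depth)
  "Each LET binding must be (sandbox-var) or (sandbox-var safe-init-form)."
  (and (listp bindings) (list-length bindings)
       (every (lambda (b) (and (consp b) (sandbox-symbol-p (first b))
                               (null (cddr b)) (safe-form-p (second b) depth)))
              bindings)))

(defun safe-code-p (text)
  "Top-level check: NIL on any reader error, malformed list or disallowed form."
  (handler-case (safe-form-p (read-untrusted text))
    (error () nil)))
```

`read-from-string` only reads the first form, so a real verifier would loop to end of input; and passing this check says nothing about run-time behaviour (the tight-loop and memory concerns), which needs a deadline or quota enforced while the code executes.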


