[CM] sandboxing

Elijah Stone elronnd at elronnd.net
Wed Jul 27 20:06:20 PDT 2022

I need to effect some rudimentary sandboxing.

Environments seem like a suitable tool for this, as they cannot be forged.  So 
I put all my untrusted code in one environment, all my trusted code and data 
in another, put a pointer to the untrusted environment in the trusted one, but 
never the other way around.

And this works until I need them to talk to one another.

What I want is to make a 'safe interface', whereby the untrusted code may make 
its desires known to the trusted code, and pass it to the former.  But because 
everything is first-class and introspectible, the untrusted code can just peek 
inside the closures it's given and find things it shouldn't.

The only scheme I can think of which will work generally is something like 
monadic i/o; the untrusted code returns a request, and a continuation, to the 
trusted code.  While this does work, it is not so convenient.

Have I missed anything?  If not, may we have a mechanism for 'sealing' a 
procedure, to prevent prying eyes from peeking inside?


More information about the Cmdist mailing list