elronnd at elronnd.net
Wed Jul 27 20:06:20 PDT 2022
I need to effect some rudimentary sandboxing.
Environments seem like a suitable tool for this, as they cannot be forged. So
I put all my untrusted code in one environment, all my trusted code and data
in another, put a pointer to the untrusted environment in the trusted one, but
never the other way around.
And this works until I need them to talk to one another.
What I want is to make a 'safe interface', whereby the untrusted code may make
its desires known to the trusted code, and pass it to the former. But because
everything is first-class and introspectible, the untrusted code can just peek
inside the closures it's given and find things it shouldn't.
The only scheme I can think of which will work generally is something like
monadic i/o; the untrusted code returns a request, and a continuation, to the
trusted code. While this does work, it is not so convenient.
Have I missed anything? If not, may we have a mechanism for 'sealing' a
procedure, to prevent prying eyes from peeking inside?
More information about the Cmdist