
Re: [Gnu-arch-users] Re: arch roadmap 1 (and "what's tom up to")


From: Anselm Lingnau
Subject: Re: [Gnu-arch-users] Re: arch roadmap 1 (and "what's tom up to")
Date: Wed, 7 Jul 2004 10:08:01 +0200
User-agent: KMail/1.6.2

Jeremy Shaw wrote:

> I think the basic model is, the VM will have some way to mark commands
> as safe or unsafe. There will also be a way to set which unsafe
> commands a program can run on a per program, per command basis. This
> would allow you to implement a large number of possible security
> policies...

Sandboxing at the VM level isn't easy to get right, as, e.g., the Java folks 
have found out to their chagrin.

Incidentally, the frequently-maligned language Tcl does sandboxing at what 
appears to amount to the Pika level in the proposed arch-itecture, which 
seems to work rather well. Too bad Tcl isn't politically acceptable for other 
reasons :^)

One of the lessons to learn from the sandbox feature in Tcl is that merely 
disallowing commands as »unsafe« doesn't quite cut it -- it is useful (and 
often necessary) to be able to execute nominally »unsafe« commands under 
carefully controlled circumstances (think of it as »user mode« vs. »kernel 
mode«). Tcl distinguishes between »safe interpreters« and »trusted 
interpreters«. In safe interpreters, potentially-dangerous commands are 
»hidden« and cannot be used in programs running in the safe interpreter; 
commands in a safe interpreter can »trap« into a trusted interpreter to do 
unsafe things (where the trusted interpreter will presumably check any 
arguments very carefully), and hidden commands in a safe interpreter can be 
invoked from a trusted interpreter.

Personally I would much rather see arch »librified« rather than endowed with a 
VM and programming language all of its own (a Tcl/Tk binding would be nice). 
However, since Tom says what will happen, I just hope that the VM changes 
will also indeed accelerate the librification.

Anselm
-- 
Anselm Lingnau ... Linup Front GmbH ... Linux-, Open-Source- & Netz-Schulungen
Linup Front GmbH, Robert-Bosch-Strasse 7, 64293 Darmstadt, Germany       
address@hidden, +49(0)6151-9068-852, Fax -854, www.linupfront.de
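The safe/trusted interpreter split described in the message, as an added example (not Anselm's code): a safe interpreter has `open`, `file`, `exec` and friends hidden; an alias lets it "trap" into the trusted interpreter, which validates the argument; and the trusted side can run a hidden command in the slave's context with `interp invokehidden`. It assumes Tcl 8.5+ and a writable scratch directory `/tmp/sandbox-demo`.

```tcl
# Trusted (master) interpreter creates a safe slave. In a safe interpreter
# the dangerous commands are hidden rather than deleted.
set safe [interp create -safe]
puts "hidden in safe interp: [lsort [interp hidden $safe]]"

# Scratch directory the sandbox is allowed to read (assumed path; constructed data).
set allowed_dir [file normalize /tmp/sandbox-demo]
file mkdir $allowed_dir
set out [open [file join $allowed_dir hello.txt] w]
puts $out "hello from the trusted side"
close $out

# The "trap": this proc lives in the trusted interpreter and checks its
# argument before touching the filesystem on the sandbox's behalf.
proc ReadAllowedFile {path} {
    global allowed_dir
    set real [file normalize [file join $allowed_dir $path]]
    # Refuse anything that resolves outside allowed_dir (e.g. via "..").
    if {[string first "$allowed_dir/" $real] != 0} {
        error "access denied: $path"
    }
    set chan [open $real r]
    set data [read $chan]
    close $chan
    return $data
}
# Inside the safe interpreter, "readfile" calls ReadAllowedFile in the master.
interp alias $safe readfile {} ReadAllowedFile

# Sandboxed code can only reach the filesystem through the checked alias.
puts "slave readfile: [$safe eval {readfile hello.txt}]"
catch {$safe eval {readfile ../outside.txt}} msg
puts "slave readfile escape attempt: $msg"
catch {$safe eval {open /tmp/sandbox-demo/hello.txt r}} msg
puts "slave direct open: $msg"

# The trusted interpreter may still invoke a hidden command *in the slave*:
# the channel is created in the slave, so the slave can read it with its
# (non-hidden) read and close commands.
set chan [interp invokehidden $safe open [file join $allowed_dir hello.txt] r]
puts "via invokehidden: [$safe eval [list read $chan]]"
$safe eval [list close $chan]

interp delete $safe
```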