English version
Accueil     À propos     Téléchargement     Ressources     Contactez-nous    

Ce site est rarement mis à jour. Pour les informations les plus récentes, rendez-vous sur le nouveau site OCaml à l'adresse ocaml.org.

Browse thread
Sandboxing in ocaml
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2005-03-19 (23:57)
From: Jacques Garrigue <garrigue@m...>
Subject: Re: [Caml-list] Sandboxing in ocaml
> Is this possible in ocaml to dynamically load some (bytcode) OCaml file 
> and run it in a safe environment, that is only using a small subset of 
> selected functions instead of the whole Pervasives?

This is the intent of Dynlink.allow_only.
Not however that allowing is done on a unit base, so if you want to
allow only some functions in a unit, you must create a new one
containing only those, and compile your file against those (otherwise you
won't be able to load it).
This is the way MMM applets are made safe.

Also, there is no bytecode verifier. That is, a hand-crafted bytecode
file could break the above safety. In this respect, the bytecode
interpreter does not provide real sandboxing. If you want to protect
yourself, you have to use other ways, like a certified signature
scheme. The following paper explains this strategy to safety:
 Xavier Leroy and Francois Rouaix. Security properties of typed
 applets. In J. Vitek and C. Jensen, editors, Secure Internet
 Programming - Security issues for Mobile and Distributed Objects,
 volume 1603 of  Lecture Notes in Computer Science, pages
 147-182. Springer-Verlag, 1999. 

Jacques Garrigue