Suppose I wanted to set up a website where people could upload
untrusted .ml files and have them be compiled and run on my server.
(This would be used as an OCaml teaching tool).  The uploaded
"untrusted.ml" source files would be compiled on the server by
"ocamlc", then loaded using:

  Dynlink.init ();
  Dynlink.allow_only ["SafeAPI"];
  Dynlink.loadfile_private "untrusted.cmo"

where SafeAPI is a module which defines a safe, trusted subset of the
API where only Good Things are allowed.

I don't want the modules to be able to do Bad Things, where Bad Things
is stuff like:

* Reading and writing local files.
* Corrupting memory.
* Inserting executable code into memory.
* Executing arbitrary functions from the server.
* Denial of service (infinite loops, unlimited resource allocation).
* Making arbitrary network connections.
* (and so on ...)

To prevent unlimited resource allocation, I'm thinking of using
setrlimit(2) to limit the size of the server process (it would be a
pre-forked Apache server, so causing one process to hit its memory
limit does not constitute a denial of service attack).

To prevent infinite loops, starting an alarm(2) before loading the
module should kill the Apache process if it uses too much CPU time.

I'm fairly sure that the method above should cope with everything
barring bugs in the compiler and bugs in SafeAPI.

Am I thinking right?

Rich.

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com