Re: 200alpha15 (security guards)



At Mon, 25 Mar 2002 16:57:42 -0500, "Neil W. Van Dyke" wrote:
> 1. Complementing the ability to restrict access to file and network
>    resources would be the ability to limit access to memory and CPU
>    resources. 

Limiting CPU use is easy, though not yet implemented.

Limiting memory use is difficult, but we're experimenting with an
initial implementation.

> 2. It seems that, for a lot of situations in which we'd have untrusted
>    code running in a thread, there would be other code in the same
>    "mzscheme"/"mred"/etc. process from which we'd want to restrict
>    references.

This pretty much works, already, through lexical scope and carefully
designed APIs (supported by procedures like `call-in-nested-thread').

Programs running in DrScheme, for example, cannot get access to any
part of the DrScheme implementation, even though they're running on the
same Scheme machine.

As you know, we've been sloppy with the protocol for executing code
embedded in web pages (so it's disabled for web-based pages). That's
probably worth revisiting after we gain some confidence using security
guards.

> 3. I haven't looked into how the installable ".plt" add-on
>    collection packages work, but a few simple safeguards there would be
>    helpful.

Agreed, and your suggestions seem like a good start.

Thanks,
Matthew