Ticket #1114 (new proposed-project)
Reported by: benja.fallenstein@… | Owned by: none
Description (last modified by xelxebar)
hs-plugins can dynamically compile and load Haskell code, but does not prevent plugins from using unsafePerformIO or unsafeCoerce#. I would like to be able to use hs-plugins to execute untrusted code. As far as I can see, two pieces of infrastructure are missing:
- A way to ensure that a dynamically compiled program does not use any unsafe primitives.
- A way to limit the resources (clock cycles and RAM) used by an untrusted computation.
It seems to me that the best way to achieve the first goal is to make GHC keep track during compilation of which functions are safe (do not call unsafe primitives, or, I suppose, are declared to be safe by a pragma in a trusted library). However, I know only very little about GHC internals.
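As an added illustration of the safety-tracking idea above (this is example code written for this ticket, not GHC's implementation or hs-plugins code), the following Python model builds a call graph, seeds it with the unsafe primitives, and propagates "unsafe" to every function that transitively reaches one, stopping at functions a trusted library has vouched for with a pragma. The graph, the function names and the `memoTable` pragma are constructed sample data; the only real identifiers are `unsafePerformIO` and `unsafeCoerce#` from the description.

```python
# Added example: a model of compile-time safety tracking for plugin code.
# Not GHC code; function names in SAMPLE_GRAPH are constructed for illustration.
from collections import deque

# The two unsafe primitives named in the ticket.
UNSAFE_PRIMITIVES = frozenset({"unsafePerformIO", "unsafeCoerce#"})


def unsafe_functions(call_graph, unsafe_primitives=UNSAFE_PRIMITIVES,
                     trusted_safe=frozenset()):
    """Return every function that may (transitively) reach an unsafe primitive.

    call_graph:   dict mapping a function name to the set of names it calls.
    trusted_safe: functions a *trusted* library declares safe with a pragma.
                  Such a function is treated as safe and "unsafe" does not
                  propagate through it to its callers. Pragmas from untrusted
                  plugin code must never be added to this set.
    """
    # Reverse the graph (callee -> callers) so we can walk upward from the
    # unsafe primitives to everything that calls them.
    callers = {}
    for fn, callees in call_graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(fn)

    unsafe = set()
    worklist = deque(unsafe_primitives)
    while worklist:
        fn = worklist.popleft()
        if fn in unsafe:
            continue
        unsafe.add(fn)
        for caller in callers.get(fn, ()):
            if caller in trusted_safe:
                continue  # trusted pragma vouches for this function: barrier
            worklist.append(caller)
    return unsafe


def check_plugin(call_graph, entry_points, trusted_safe=frozenset()):
    """Return the plugin entry points that must be rejected as unsafe."""
    unsafe = unsafe_functions(call_graph, trusted_safe=trusted_safe)
    return [entry for entry in entry_points if entry in unsafe]


# Constructed sample call graph for a hypothetical web-application plugin.
SAMPLE_GRAPH = {
    "handleRequest": {"render", "lookupUser"},
    "render": {"escapeHtml"},
    "escapeHtml": set(),
    "lookupUser": {"unsafePerformIO"},   # plugin smuggles IO into pure code
    "memoTable": {"unsafePerformIO"},    # global cache inside a trusted library
    "memoLookup": {"memoTable"},
    "safeEntry": {"render", "memoLookup"},
}
# The trusted library declares memoTable safe via a pragma (assumed).
TRUSTED = frozenset({"memoTable"})

if __name__ == "__main__":
    # With the pragma honoured, only the entry point that reaches
    # lookupUser -> unsafePerformIO is rejected.
    print(check_plugin(SAMPLE_GRAPH, ["handleRequest", "safeEntry"], TRUSTED))
    # Without any trusted pragma, memoTable taints safeEntry as well.
    print(check_plugin(SAMPLE_GRAPH, ["handleRequest", "safeEntry"]))
```

The point of the barrier in `unsafe_functions` is the same one the description makes: a pragma may only silence the check when it comes from code the host already trusts, otherwise the plugin could simply declare its own wrapper around `unsafePerformIO` safe. The analysis also has to run over the real call graph the compiler produces, not over anything the plugin author supplies.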
One project I want to use this for would be a web server that lets users create Haskell-based web applications without having to set up their own Unix account etc. If this project is accepted, I'll build a prototype of this that can be used to test "sandboxed haskell" (no matter whether the project ends up being assigned to me or somebody else).
- Benja Fallenstein (benja.fallenstein@…) -- I'm not familiar with the internals of GHC at this point, but I'm willing to learn. :-) A knowledgeable mentor would be good if I end up doing this project.
- Brandon Wilson (xelxebar) <bmw.stx@…>