From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by yquem.inria.fr (Postfix) with ESMTP id 295FCBC48 for ; Tue, 5 Apr 2005 16:36:56 +0200 (CEST) Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35]) by nez-perce.inria.fr (8.13.0/8.13.0) with ESMTP id j35Eatjc008693 for ; Tue, 5 Apr 2005 16:36:55 +0200 Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id QAA00216 for ; Tue, 5 Apr 2005 16:36:55 +0200 (MET DST) Received: from kurims.kurims.kyoto-u.ac.jp (kurims.kurims.kyoto-u.ac.jp [130.54.16.1]) by concorde.inria.fr (8.13.0/8.13.0) with ESMTP id j35EarPg015649 for ; Tue, 5 Apr 2005 16:36:54 +0200 Received: from localhost (suiren [130.54.16.25]) by kurims.kurims.kyoto-u.ac.jp (8.13.1/8.13.1) with ESMTP id j35EafqT012386; Tue, 5 Apr 2005 23:36:41 +0900 (JST) Date: Tue, 05 Apr 2005 23:36:31 +0900 (JST) Message-Id: <20050405.233631.126985691.garrigue@math.nagoya-u.ac.jp> To: rich@annexia.org Cc: alex@barettadeit.com, caml-list@inria.fr Subject: Re: [Caml-list] Securely loading and running untrusted modules From: Jacques Garrigue In-Reply-To: <20050405141744.GA11816@furbychan.cocan.org> References: <20050405131608.GB5103@furbychan.cocan.org> <42529C01.2080609@barettadeit.com> <20050405141744.GA11816@furbychan.cocan.org> X-Mailer: Mew version 4.2 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Miltered: at nez-perce with ID 4252A287.001 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Miltered: at concorde with ID 4252A285.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Spam: no; 0.00; caml-list:01 untrusted:01 pervasives:01 ocaml:01 dynlink:01 dynlink:01 pervasives:01 compiler:01 bug:01 compiler:01 securely:98 ...:98 compile:01 modules:01 jacques:01 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on yquem.inria.fr X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled version=3.0.2 X-Spam-Level: From: Richard Jones > A much more serious problem which I've just found is that _any_ module > (even the empty module) seems to require Pervasives. Thus it seems to > be impossible to create any OCaml code which could be loaded by > Dynlink where Dynlink.allow_only does not specify "Pervasives". This is why there is a compiler option named -nopervasives. Basically your approach is right. If you compile the .ml files yourself, this is safe, as long as there is no bug in the compiler. Since there are certainly some, you have to follow messages on the list and upgrade the compiler when needed, as for any security issue... Jacques Garrigue