[Openmcl-devel] modify lisp reader such that :: is disallowed
Robert Goldman
rpgoldman at sift.info
Thu Jun 11 11:07:18 PDT 2009
Taoufik Dachraoui wrote:
> On Jun 11, 2009, at 6:51 PM, mikel evins wrote:
>
>>
>> On Jun 11, 2009, at 11:14 AM, Taoufik Dachraoui wrote:
>>
>>> On Jun 11, 2009, at 5:56 PM, Ron Garret wrote:
>>>
>>>>
>>>> On Jun 11, 2009, at 8:09 AM, Taoufik Dachraoui wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Users will not have access to intern, find-package, ...
>>>>>
>>>>> I implemented a loader that exports public symbols and shadow
>>>>> unwanted
>>>>> symbols
>>>>> so that users will not be able to use any private or shadowed
>>>>> symbols.
>>>>>
>>>>> the only problem I am facing today (as far as I can see right now)
>>>>> is to
>>>>> disallow users to access non exported symbols by using the double
>>>>> colons (::)
>>>>>
>>>> The "as far as I can see right now" is a very important disclaimer.
>>>> The main problem with security is that there's a very big gap
>>>> between appearing to be secure and actually being secure. People
>>>> make careers out of bridging that gap, and still very often they get
>>>> it wrong. Not that I really want to discourage you -- it's good
>>>> that you're being ambitious, but it's important that you understand
>>>> the magnitude of the problem you are attempting to solve.
>>>>
>>>>> I tried to use set-macro-character and set-dispatch-macro-character
>>>>> but failed, and
>>>>> the reason is that the lisp reader as soon as it finds a macro-
>>>>> character the previously
>>>>> read word will be considered as a token and there is no way to
>>>>> rollback.
>>>> Why is that a problem?
>>>>
>>>> Is there a reason you don't just pre-process the string to remove
>>>> all colons before reading it? Or simply reject any string
>>>> containing colons?
>>>>
>>>> rg
>>>>
>>>>
>>> I thought about processing the string before passing it to the reader
>>> but I
>>> think it is better to leave the lisp reader deal with it (faster);
>>> but
>>> it seems
>>> that there is no solution at sight right now; probably only by
>>> modifying
>>> (hacking) the ccl lisp reader.
>>>
>>> Another way is to create a set-macro-character for #\: and throw an
>>> error,
>>> but this will inhibit the use of keywords.
>>>
>>> About making lisp secure:
>>>
>>> Suppose you have access to a limited set of symbols (known as
>>> secure),
>>> and that the colons are forbidden, then how a user can access symbols
>>> in packages that he did not inherit?
>> (funcall (intern "LAUNCH-MISSILES" (find-package "TOP-SECRET-
>> PACKAGE")))
>>
>> (apply (symbol-function (find-symbol "DESTROY-THE-WORLD") (find-
>> package "THE-EVIL-PACKAGE")) '())
>>
>> (do-symbols (s (find-if (lambda (p) (member "WORLD-ENDING-
>> PACKAGE" (package-nicknames p))) (list-all-packages)))
>> (when (and (char= (elt (symbol-name s) 0) #\D)
>> (char= (elt (symbol-name s) 0) #\E)
>> (char= (elt (symbol-name s) 0) #\S)
>> (char= (elt (symbol-name s) 0) #\T)
>> (char= (elt (symbol-name s) 0) #\R)
>> (char= (elt (symbol-name s) 0) #\O)
>> (char= (elt (symbol-name s) 0) #\Y))
>> (funcall (symbol-function s))))
>>
>> (do-all-symbols (s) (when (test-symbol-for-function-that-produces-
>> hell-on-earth s)
>> (let ((my-evil-symbol (gensym))))
>> (setf (symbol-function my-evil-symbol)
>> (symbol-function s))
>> (pass-evil-symbol-to-function-calling-
>> macro my-evil-symbol)))
>>
>>
>> ...
>>
>>
>>
> As I said earlier, all symbols that allow users to access and/or
> modify data of other users will be
> shadowed (eg. intern, in-package, find-symbol, do-symbols, ...)
Possible alternative approach: make a package for each user by hand.
Do *not* (:use COMMON-LISP). Let individual symbols in if you feel they
can be trusted. Make sure you don't admit find-symbol, intern, and
their kin! Break the reader as you have already considered.
Cheers,
r
More information about the Openmcl-devel
mailing list