in reply to Re: Re^2: Auditing BEGIN blocks?
in thread Auditing BEGIN blocks?

Taint is nice and needs to be expanded and should probably also be applied to pack/unpack data and formats but this doesn't really address the problem I'm thinking about. In general, the idea is to use objects that are only capable of gaining access to and/or altering things to which access has been specifically granted. So no modification of globals, perhaps no access to globals (though that is a really extreme vantage point), no access via the symbol table to other things, no encapsulation violations from printf/sprintf/pack/unpack with 'P', no globs. I think a simulation of this might look something like this (in pseudo code because I'm lazy). The really unfortunate thing is that current perl5 requires you to constantly keep recompiling everything you intend to keep compartmentalized. It's so painful I've just rejected it out of hand.

# Object manager code - privileged context
sub message
  {
    $object code = "perl code that defines the object behaviour";
    %object data = (all the object's member data)
    $compartment = Safe->new

    # pass in the object's data
    $compartment -> share(%object data)

    # pass in the method to execute
    $compartment -> share( $message )

    # Compile the object, execute the method and return
    # the 
    $compartment -> reval( $perl code )

    return $compartment -> return value
  }

[download]

In this case I'm trying to adapt an E vat to perl. The closest analogues is perl that just plays by the rules (so voluntarilly no violations of encapsulation), Safe like I just half-outlined and perl in different processes. The multiple-process model is probably the only really suitable way of making this happen but then because there are no internal guarantees on privacy it's a poor vat. If the vat could audit all the code being given to it and disallow various things then that goes a long way toward having strong vats and might eventually get perl to compete with E.

And why am I doing all this? Because I don't want to use E - a language I'd never heard of prior to this but want all the benefits. I gather that E uses the Java virtual machine as a base to operate in and that each vat (or compartment) is probably bounded at a single machine or process. E solves other problems related to mutually suspicious programs on distributed computers but along the way has a really nice security model. I'm stealing the security model.

Fun Fun Fun in the Fluffy Chair

In Section Seekers of Perl Wisdom