I don't know of any programming languages out there that have the ability to restrict the functionality of a running program.
OpenBSD has pledge (man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge). pledge(2) is a system call that irrevocably restricts the abilities of a running process and any of its descendants and prevents them from accessing certain families of system calls. Any program that attempts to perform a prohibited system call after pledging it away will crash and produce a core dump, allowing the developer to investigate the problem. Evidently, there are future plans to allow a whitelist of paths that can be referred to in system calls.
It would certainly be interesting if you had a high-level language like Lisp or Python with similar capabilities. If you could wall off certain bits of functionality dynamically, then it would be easier to verify assumptions you've made about libraries that your code doesn't use. Support for privilege revocation inside the language runtime can also be more fine-grained than the pledge(2) interface and allow the programmer to revoke access to individual modules or functions, or to perform additional checks before running a potentially unsafe function. Sticking this kind of functionality inside the runtime for a high-level language also allows the ability to get informative stack traces or even an interactive prompt with potential handlers like Common Lisp has.
So, my question is, why don't we already have languages with support for privilege revocation and would even it be a good idea?
You seem to have confused Sup Forums with a technology board and not a consumer electronics board.
Bentley Lee
I haven't posted here in a while... What happened?
Samuel Powell
teenagers with smartphones
Ryan Baker
Isn't Common Language Runtime all about that? It certainly doesn't run anything directly.
Jonathan Phillips
OP samefagging so obviously
was going to reply seriously but I won't now desu (to be honest)
Matthew Watson
Are you retarded? >5 replies >5 posters
Juan Hill
>It would certainly be interesting if you had a high-level language like Lisp or Python with similar capabilities.
As far as I remember, Perl, Mono/.Net and JVM have this capabilities somehow, though you might want to do your own research here.
Python was always a fuckup if it comes to being a useful interpreter and Lisp was always about hurrdurr muh complete immerse environment.
James Wilson
How often is pledge actually used?
Christian Cox
Uneducated guess: Probably not often, maybe a couple of system tools or VMs use that stuff, but most software doesn't require exotic stuff like this, in particular on the OS level.
It's still a good thing to have special APIs for everything, otherwise your OS ends up not being supported. Compare for Linux with PyParallel.
Caleb Richardson
it's used in most of the OS it's from
Charles Powell
Sounds like you basically want static linking / inlining, user? Code that you don't use won't end up in the binary, and therefore can't be called by your program
Camden Edwards
Even c fizz buzzers and lis memers were replaced by kids.
Every technical thread and especially threads that involve some kind of math makes those people really angry and Sup Forums is consumerist safe space so you shall not trigger their diginity.
Jonathan Fisher
>Any program that attempts to perform a prohibited system call after pledging it away will crash and produce a core dump
Because trojan writers will pledge away system calls?
Right?
LAUGHTER OL
Nathan Nelson
The problem with a security tool that isn't guaranteed to be used by programs is that the programs with all the security flaws in them will be the ones not using these tools either.
That's why I much prefer the SELinux/MAC approach, which uses a whitelist instead of a blacklist - unless you specifically *enabled* a system call, it's blocked by default.
Much safer in practice than OpenBSD's blacklist monkey patch approach where they try to stomp out all of the weeds as they pop up.
Angel Reyes
How effective is pledge and chroot compared to freebsd jails?
Ayden Morales
You're missing the point. The moment you install a trojan you are fucked no matter what fancy security mechanism you have. No mechanism can fix stupidity.
The point is making your own programs survive being exploited. You don't want a stack overflow turning into RCE. If you prevent your program from doing anything other than accessing its own files, then at best an RCE could subvert your program's database or whatever - but not install a trojan on the system itself.
Cooper Rodriguez
Sounds more like linking of plugins with options to forbid the plugin to call certain stdlib functions to me...
Lucas Rogers
>whitelist instead of a blacklist sounds like /thread
Parker Bailey
I don't really follow. Can you provide a more concrete scenario?
Julian Stewart
You have a software and you want to provide a C plugin interface and manager. Since those plugins come from the interwebs/otherwise untrusted sources you can't validate, you don't want to allow them too much.
Evan Richardson
I prefer grsecurity's rbac MAC
Juan Wright
>I don't know of any programming languages out there that have the ability to restrict the functionality of a running program. Tcl/Tk
Justin Lee
Apples to Oranges Pledge is a syscall that tells the OS what I(the program) shouldn't be doing, jails are more comparable to linux containers, which are more of telling the OS what is the environment I live in. Chroot is a way of changing your root, not designed from the ground up as a security feature but people used them as a means to trap exploiters into an environment which is much easier to break out of.
Leo Flores
Maybe you could post this question in OpenBSD Misc?
Easton Adams
You could do this in Haskell if IO were implemented differently, say in terms of the operational monad with a coproduct of different sets of actions (e.g. console actions, disk actions, network actions)
Ah, makes sense. That doesn't so much seem like something that would be part of a language though as much as it would seem like some kind of virtualization/jail solution in general.
I mean the mechanism is totally there, x86 has virtualization primitives which is what enables stuff like KVM to run at near native speeds when it comes to code execution (not I/O).
You could totally build some kind of plugin wrapper that executes plugin code through something like KVM or Xen. Erlang can basically do this (look up xenling)
Jackson Morris
I guess that is how the chrome sandbox native API works, whatever it was called again.
People usually go the lazy way through scripting languages.
Jayden Thompson
This would have been unnecessary if modern CPUs inherited hardware bounds and type checking from Burroughs and Lisp machines.
