
I'm looking for secure compile and run-time methods to ensure automatically that Haskell modules cannot perform particular IO operations. Therefore, I've got some questions that might be interesting for other people using GHC as well.
o There are functions like "unsafePerformIO". How many of these unsafe functions exist and what are their names? Is there a possibility to tell GHC to reject programs in which such functions occur? Concerning, e.g., the rewrite-rule system, how can we prevent these functions from being applied by some trick that is invisible to an automatic inspection of the source code?
o Is the function "print" secure in the sense that all stuff it produces is restricted to go to stdout, even if strange sequences of control characters appear?
o Is there a way to tell the GHC run-time system to block file operations or system calls coming from the application program, while permitting input/output via stdin/stdout?
Security of a Haskell program is an interesting research area in itself. I suspect the folks at Galois Connections have something to say on the topic. My opinion would be that trying to approach the problem as you have, namely identifying the "unsafe" features and removing them, is likely to be difficult or impossible to verify. A better approach might be to start from a clean slate (i.e. remove the IO monad altogether) and incrementally add in safe features separately.

Cheers,
Simon
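As an added worked example (not code from either poster), here is the "clean slate" approach Simon describes: instead of trying to enumerate and ban every unsafe function, the untrusted module never sees IO at all. A trusted module wraps IO in a newtype whose constructor is not exported and hands out only the capabilities we want to allow (stdin and stdout). Because the constructor stays private, a plugin cannot lift an arbitrary IO action such as a file write into the restricted monad. The remaining hole, unsafePerformIO smuggling a side effect into a pure value, is closed by the Safe Haskell pragmas, a GHC extension that postdates this thread: a module compiled with {-# LANGUAGE Safe #-} is refused the import of System.IO.Unsafe. The module and function names (RestrictedIO, RIO, Plugin, getLineR, putStrLnR, runRIO) are my own choices for the illustration.

```haskell
-- File: RestrictedIO.hs  (trusted: the only module allowed to build IO actions)
-- Trustworthy: the sandbox author vouches that this module's interface is safe.
{-# LANGUAGE Trustworthy #-}
module RestrictedIO
  ( RIO            -- exported abstractly: the RIO constructor stays hidden
  , getLineR
  , putStrLnR
  , runRIO
  ) where

import qualified System.IO as IO

-- A wrapper around IO. Since the constructor is not exported, code outside
-- this module can assemble RIO actions only from the primitives below and
-- has no way to reach openFile, system calls, network sockets, etc.
newtype RIO a = RIO { unRIO :: IO a }

instance Functor RIO where
  fmap f (RIO m) = RIO (fmap f m)

instance Applicative RIO where
  pure = RIO . pure
  RIO f <*> RIO x = RIO (f <*> x)

instance Monad RIO where
  RIO m >>= k = RIO (m >>= unRIO . k)

-- The complete set of capabilities granted to untrusted code: stdin and stdout.
getLineR :: RIO String
getLineR = RIO IO.getLine

putStrLnR :: String -> RIO ()
putStrLnR = RIO . IO.putStrLn

-- Unwrapping happens only here, and is called once by the trusted entry point.
runRIO :: RIO a -> IO a
runRIO = unRIO
```

```haskell
-- File: Plugin.hs  (untrusted code, e.g. a third-party module)
-- Safe: GHC rejects any import of an Unsafe module here, so
--   import System.IO.Unsafe (unsafePerformIO)
-- is a compile-time error rather than a hidden side channel.
{-# LANGUAGE Safe #-}
module Plugin (plugin) where

import RestrictedIO

-- The only way to produce a value of type RIO () is through the exported
-- primitives; an expression like RIO (writeFile "x" "y") does not compile
-- because the constructor is not in scope.
plugin :: RIO ()
plugin = do
  putStrLnR "name?"
  n <- getLineR
  putStrLnR ("hello, " ++ n)
```

```haskell
-- File: Main.hs  (trusted entry point)
module Main (main) where

import RestrictedIO (runRIO)
import Plugin (plugin)

-- The plugin runs with exactly the effects RestrictedIO chose to expose.
main :: IO ()
main = runRIO plugin
```

Compile with `ghc -Wall Main.hs` from the directory holding the three files. The point of the design is that the trusted computing base is one small module whose export list can be audited by eye, rather than the whole compiler and library surface; the Safe pragma on the plugin is what makes the newtype barrier hold against unsafePerformIO and friends, which would otherwise let a pure-looking String carry a file read. It does not address the separate question of terminal control sequences in the text sent to stdout; that has to be handled by filtering the output in the trusted module.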