How to modify GHC internals?

Hi.

<Aim> To guarantee security of a Haskell program so it can be used as an applet. </Aim>
<Method> Over-ride GHC's code generator to produce an assembly language that I specify. Also disable program access to system calls and foreign functions, except for a single trusted library that I specify. </Method>
I think more info is needed about your goals. For example, if you can accept some loss of performance, you could write an interpreter (or a very simple compiler) for CoreHaskell (GHC has a flag which will dump out optimized, typed lambda calculus). This would reduce the size of your trusted computing base because:

1) You wouldn't use the GHC runtime system (garbage collector, threads, etc.), which has been written with performance in mind rather than ease of performing a security audit.
2) Your interpreter or code generator would be very much smaller than the combined size of GHC's code generator and gcc and the infamous assembly mangler, because it could skip a number of optimization opportunities.
3) CoreHaskell is strongly typed, so any safety derived from type safety still holds at this level too, but would be absent from assembly code.

But you'd probably see a slowdown by a factor of 2-10 (depending on whether you interpret or compile), so this might not suit your needs.

-- Alastair Reid

<Aim> To guarantee security of a Haskell program so it can be used as an applet. </Aim>
<Method> Over-ride GHC's code generator to produce an assembly language that I specify. Also disable program access to system calls and foreign functions, except for a single trusted library that I specify. </Method>
Since all effects that you worry about (if you trust GHC's code generation, and I think you should) happen in the IO monad, you only need to limit what's available as libraries, and outlaw unsafePerformIO. You could also make your own version of the IO monad to get better control. -- Lennart
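The restricted IO monad Lennart describes, as an added example that is not code from the thread: a hypothetical Sandbox module wraps IO in an abstract newtype, exports only an audited set of effects, and is marked Trustworthy so that applet modules compiled with modern GHC's Safe Haskell extension (-XSafe, which also rejects unsafePerformIO) can import it without ever reaching raw IO. The module name, the primitive names and the host configuration are assumptions for illustration.

```haskell
{-# LANGUAGE Trustworthy #-}
-- Sandbox.hs (hypothetical name): the only module an applet may import.
-- The Applet constructor is NOT exported, so applet code cannot wrap an
-- arbitrary IO action or unwrap the monad; it can only combine the
-- primitives listed in the export list below.
module Sandbox
  ( Applet            -- abstract: constructor deliberately hidden
  , runApplet         -- called by the trusted host, never by the applet
  , putLine
  , readLine
  , readConfig
  ) where

import System.IO (hFlush, stdout)

-- A wrapper around IO that the applet can neither construct nor unwrap.
newtype Applet a = Applet { unApplet :: IO a }

instance Functor Applet where
  fmap f (Applet m) = Applet (fmap f m)

instance Applicative Applet where
  pure = Applet . pure
  Applet f <*> Applet x = Applet (f <*> x)

instance Monad Applet where
  Applet m >>= k = Applet (m >>= unApplet . k)

-- The trusted host runs the applet; this is the only exit from the sandbox.
-- Because the host accepts an Applet (not an IO), an applet cannot hand it
-- a foreign call or any other IO action it may have constructed.
runApplet :: Applet a -> IO a
runApplet = unApplet

-- Allowed effects: a fixed, audited set instead of all of IO.
putLine :: String -> Applet ()
putLine s = Applet (putStrLn s >> hFlush stdout)

readLine :: Applet String
readLine = Applet getLine

-- Constructed stand-in for the single "trusted library": a read-only
-- lookup in host-supplied configuration rather than arbitrary file access.
readConfig :: String -> Applet (Maybe String)
readConfig key = Applet (pure (lookup key hostConfig))
  where hostConfig = [("greeting", "hello applet")]   -- constructed sample
```

Compile applet modules with -XSafe (and -fpackage-trust) so they can import only Safe or Trustworthy modules; the host then passes the applet's Applet value to runApplet.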
Participants (3):
- Alastair Reid
- Ali Anvari
- Lennart Augustsson