Re: [Haskell-cafe] Compiling arbitrary Haskell code

For those who are interested (and I already chatted with Chris on IRC),
I've implemented a pastebin that is able (among some other things) to
run arbitrary Haskell code: http://paste.hskll.org/
I've also developed a 'restricted-workers' library for managing processes
that should run in a secured environment. I've described some of my endeavors
in a blog post:
http://parenz.wordpress.com/2013/07/15/interactive-diagrams-gsoc-progress-re...
Bottom line: proper restrictions are hard, the necessary tools operate on a
low level, and there are some caveats too.
On Sat, Oct 12, 2013 at 12:30 AM, Christopher Done
Is there a definitive list of things in GHC that are unsafe to _compile_ if I were to take an arbitrary module and compile it?
E.g. off the top of my head, things that might be dangerous:
* TemplateHaskell/QuasiQuotes -- obviously
* Are rules safe?
* #includes — I presume there's some security risk with including any old file?
* FFI -- speaks for itself
I'm interested in the idea of compiling Haskell code on lpaste.org, for core, rule firings, maybe even TH expansion, etc. When sandboxing code that I'm running, it's really easy if I whitelist what code is available (parsing with HSE, whitelisting imports, extensions). The problem of infinite loops or too much allocation is fairly straight-forwardly solved by similar techniques applied in mueval.
SafeHaskell helps a lot here, but suppose that I want to also allow TemplateHaskell, GeneralizedNewtypeDeriving and stuff like that, because a lot of real code uses those. They only seem to be restricted to prevent cheeky messing with APIs in ways the authors of the APIs didn't want -- but that shouldn't necessarily be a security—in terms of my system—problem, should it? Ideally I'd very strictly whitelist which modules are allowed to be used (e.g. a version of TH that doesn't have runIO), and extensions, and then compile any code that uses them.
I'd rather not have to set up a VM just to compile Haskell code safely. I'm willing to put some time in to investigate it, but if there's already previous work done for this, I'd appreciate any links.
At the end of the day, there's always just supporting a subset of Haskell using SafeHaskell. I'm just curious about the more general case, for use-cases similar to my own.
-- Sincerely yours,
-- Daniil
participants (1)
-
Daniil Frumin
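
The import and extension whitelisting mentioned in the quoted message (parsing with HSE), as an added example that is not code from either poster or from lpaste. It assumes haskell-src-exts 1.18 or later; the whitelist contents and the names `violations` and `sample` are illustrative assumptions.

```haskell
-- Added example: whitelist check run before a submitted module reaches GHC.
module Main (main) where

import Language.Haskell.Exts
  ( parseFileContents, ParseResult(..), Module(..), ModulePragma(..)
  , ImportDecl(..), ModuleName(..), Name(..) )

-- Assumed whitelists; a real service would choose its own.
allowedExts, allowedImports :: [String]
allowedExts    = ["BangPatterns", "LambdaCase", "TupleSections"]
allowedImports = ["Prelude", "Data.List", "Data.Maybe", "Data.Char"]

-- Every reason to refuse the module; an empty list means it passed.
-- Anything the parser cannot handle (CPP #include lines, for instance)
-- is refused rather than passed on to the compiler.
violations :: String -> [String]
violations src = case parseFileContents src of
    ParseFailed loc err -> ["rejected, parse failed at " ++ show loc ++ ": " ++ err]
    ParseOk (Module _ _ pragmas imports _) ->
      concatMap pragma pragmas ++ concatMap imp imports
    ParseOk _ -> ["rejected, not an ordinary source module"]
  where
    pragma (LanguagePragma _ names) =
      [ "extension not whitelisted: " ++ n
      | n <- map nameStr names, n `notElem` allowedExts ]
    -- OPTIONS_GHC can switch on extensions and other compiler flags,
    -- so OPTIONS and ANN pragmas are refused outright.
    pragma _ = ["OPTIONS/ANN pragma not allowed"]
    imp d = case importModule d of
      ModuleName _ m ->
        [ "import not whitelisted: " ++ m | m `notElem` allowedImports ]
    nameStr (Ident _ s)  = s
    nameStr (Symbol _ s) = s

-- Constructed sample submission (not taken from the thread).
sample :: String
sample = unlines
  [ "{-# LANGUAGE TemplateHaskell, LambdaCase #-}"
  , "{-# OPTIONS_GHC -fno-warn-orphans #-}"
  , "module Paste where"
  , "import Data.List (sort)"
  , "import System.IO.Unsafe (unsafePerformIO)"
  , "main = print (sort [3,1,2])"
  ]

main :: IO ()
main = mapM_ putStrLn (violations sample)
```

The check only covers what appears in the source text, so the compiler still has to be invoked without extra extension or package flags, and the run-time limits discussed in the thread remain a separate layer.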