[plt-scheme] Copying bindings between namespaces

From: Timo Lilja (tlilja at niksula.cs.hut.fi)
Date: Fri Sep 13 11:58:02 EDT 2002

Matthew Flatt <mflatt at cs.utah.edu> writes:

>  For list-related administrative tasks:
>    http://list.cs.brown.edu/mailman/listinfo/plt-scheme
>At Thu, 22 Aug 2002 14:02:46 +0300, Timo Lilja wrote:
>> I'm trying to write a safe sandbox to run untrusted code with
>> MzScheme. The general idea is to have an empty namespace and copy
>> certain bindings from MzScheme's normal namespace to it. I would leave
>> all I/O-primitives and other unnecessary (and possibly dangerous)
>> primitives out. 
>Shriram mentioned the `module' system. If you're willing to pick by
>hand every primitive and form for your language, that may well be the
>right path.

I looked into this module system and couldn't really figure out how to
use it. I tried something like this:

First let's create a module which contains the forms I want:

(module my-primitives mzscheme
  (provide +)
  (provide #%module-begin)
  (provide #%app)
  (provide #%datum)
  (provide #%top)
  (provide define)
  (provide provide))

And this has to be required:

(require my-primitives)

Now I can create another module which uses 'my-primitives' and thus
contains only the needed forms and primitives:

(module my-eval-module my-primitives
  (define result <untrusted code here>)
  (provide result))

After this, I require 'my-eval-module' and get the evalution result
from the variable 'result'. So it seems that this would need a macro
wrapped to the code above but I I can't do this because module
declarations can appear only at the top level or am I missing
something here?

>Another possibility is to leave the language alone, use security gaurds
>for protecting files and network connetions, and use custodians to
>limit resource usage. Controlling memory use is the hard part in this
>case. If you're running in Unix, then you can build an experimental
>variant of MzScheme/MrEd that associates memory limits with custodians;
>run `configure' with --account.

Well, I could try that, too.

Timo Lilja

Posted on the users mailing list.