[racket] planet security
Code signing addresses a completely different concern.
For what the OP wanted, one solution is a language based on
capabilities. When you load an FFT package from PLaneT, you give it
no other capability than the ability to use cycles, on the grounds
that it has no business accessing files or writing to the network.
If it wants a place to store intermediate data, you give it a
capability that provides access *only* to a limited part of the
filesystem, not the whole filesystem.
And so forth.
The list of capabilities it demands is part of its interface, and thus
part of your security audit and decision about whether or not to trust
the module.
Shriram
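
The idea in the message above, sketched in plain Racket as an added example (not code from the post or from PLaneT): the stand-in package `spectrum-checkpoint` lists the one capability it needs as a parameter, and the host hands it a closure confined to a scratch directory. All names are hypothetical, and plain Racket does not stop a callee from using ambient file operations, which is the gap a capability language would close.

```racket
#lang racket/base
;; Added illustration; every name here is hypothetical, not a PLaneT API.
(require racket/file racket/list)

;; A scratch capability: a closure that reads and writes only below `root`.
;; Limitation: ".." is resolved syntactically, so symlinks are not followed.
(define (make-scratch-capability root)
  (define root-path (simplify-path (path->complete-path root) #f))
  (define root-parts (explode-path root-path))
  (define (confine rel)
    (unless (relative-path? rel)
      (error 'scratch "only relative paths are accepted: ~e" rel))
    (define full (simplify-path (build-path root-path rel) #f))
    (define parts (explode-path full))
    ;; Once ".." is resolved, the result must still sit strictly below root.
    (unless (and (> (length parts) (length root-parts))
                 (equal? (take parts (length root-parts)) root-parts))
      (error 'scratch "path escapes the scratch area: ~e" rel))
    full)
  (lambda (op rel [data #f])
    (case op
      [(write) (call-with-output-file (confine rel) #:exists 'truncate
                 (lambda (out) (write data out)))]
      [(read)  (call-with-input-file (confine rel) read)]
      [else (error 'scratch "unsupported operation: ~e" op)])))

;; Stand-in for the downloaded package. Its parameter list is the list of
;; capabilities it demands: here, one scratch area and nothing else.
(define (spectrum-checkpoint samples scratch)
  (scratch 'write "stage1.rktd" (map (lambda (x) (* x x)) samples))
  (scratch 'read "stage1.rktd"))

;; Host side: create a constructed scratch directory and grant access to it.
(define dir (make-temporary-file "scratch~a" 'directory))
(define scratch (make-scratch-capability dir))
(spectrum-checkpoint '(1 2 3) scratch)   ; data round-trips through dir only

;; An attempt to leave the scratch area is refused by the capability itself.
(with-handlers ([exn:fail? (lambda (e) (displayln (exn-message e)))])
  (scratch 'write "../outside.txt" 'x))
```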