3L Security

First Class Environments

thintz.com/slides/3ls

The 3L Project

Scheme based Operating System

3lproject.org

  • Secure
  • Extensible

Modes

  • Development
  • Secure (this talk)

Note:

  • High level
  • Simplified
  • WIP

Scheme (R7RS) compatibility

  • Extension of Scheme, not itself portable
    • Potentially portable but SLOW
  • R7RS programs work without modification

Environment

Collection of visible bindings

> (define foo 1)
> foo
1 ; foo is in the environment
> bar
error - bar not bound ; bar not in the environment

Example

> (define foo 10)
; undefined
> foo
10 ; same foo
> (eval 'foo (interaction-environment))
10 ; same foo
> (with-environment (interaction-environment)
    foo)
10 ; same foo
> (with-environment (make-environment (empty-environment))
    foo)
error - foo undefined ; new environment - foo unbound

Security through environments

> (with-input-from-file "passwords"
     (lambda () (read)))
all my passwords ; interaction-env can read files
> (print-file "untrusted-file-from-internets.scm")
(define (run)
  (with-input-from-file "passwords"
      (lambda () (read)))) ; untrusted internet program
> (with-environment/files (no-i/o-environment)
      '("untrusted-file-from-internets.scm")
    (run))
error - with-input-from-file not defined ; error - no i/o bindings

Create environments

> (define (no-i/o-environment)
    (make-environment (empty-environment) (import (scheme base))))

Restricted imports

Code can only import packages its environment has a reference to

i.e. no-i/o-environment can't import (scheme files) to get file i/o
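The same idea in portable R7RS, as an added example that is not from the 3L slides or the 3L code base: the standard `environment` procedure from (scheme eval) builds an environment from an explicit import list and `eval` runs code inside it, standing in for 3L's make-environment / empty-environment and with-environment, which are 3L-specific. The "passwords" file name and the untrusted program come from the slide above; the names no-i/o-environment (as defined on the previous slide), untrusted-program, benign-program and run-in are this example's own.

```scheme
;; Added example, not part of the 3L slides or the 3L code base.
;; Portable R7RS: `environment` (from (scheme eval)) builds an
;; environment from an explicit list of imports, and `eval` runs code
;; inside it, standing in for 3L's make-environment / empty-environment
;; and with-environment, which are 3L-specific.
(import (scheme base) (scheme write) (scheme eval))

;; A "no i/o" environment: only (scheme base) is imported, so
;; with-input-from-file (from (scheme file)) and read (from
;; (scheme read)) are not bound in it.
(define (no-i/o-environment)
  (environment '(scheme base)))

;; The untrusted program from the slide, as data.  It is written as a
;; lambda rather than a top-level define because environments returned
;; by R7RS `environment` are immutable (defining into them is an error).
(define untrusted-program
  '(lambda () (with-input-from-file "passwords" read)))

;; A benign program that only needs (scheme base), to show the
;; restriction is selective: ordinary R7RS code still runs unmodified.
(define benign-program
  '(lambda () (+ 1 2)))

;; Evaluate PROGRAM in ENV and call the resulting procedure.  Any error
;; (an unbound variable, raised either when the lambda is compiled or
;; when it is called, depending on the implementation) is caught and
;; reported as the symbol `blocked`.
(define (run-in env program)
  (guard (e (#t 'blocked))
    ((eval program env))))

(display (run-in (no-i/o-environment) benign-program)) (newline)
(display (run-in (no-i/o-environment) untrusted-program)) (newline)
```

Run with any R7RS implementation that provides (scheme eval): the benign program returns 3, while the untrusted program is reported as blocked because nothing in its environment resolves with-input-from-file. The restricted environment is also closed to escalation in the sense the slide describes: it was built from (scheme base) alone and is immutable, so code evaluated in it cannot reach (scheme file) by any route the environment does not already hold.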

Environments

  • Objects
    • Created
    • Referenced
    • Inherited
    • Bound
    • Queried
    • Modified

3L Project + references

3lproject.org

References (partial list):

  • Ron Garret - Lexicons, Locals
  • Robert Strandh - First-class Global Environments in Common Lisp
  • Jonathan A. Rees - A Security Kernel Based on the Lambda Calculus