SlideShare a Scribd company logo

Safe Haskell

D
dterei

Safe Haskell talk at Haskell Implementors Workshop 2011, Tokyo Japan.

TechnologyEducation
1 of 30
Download to read offline
SAFE HASKELL David Terei Simon Marlow David Mazières Simon Peyton Jones Stanford University Microsoft Research
MOTIVATION Haskell is a great language for building secure systems in: •Information flow control •Capabilities •Computations on encrypted data But all this work can’t secure untrusted code in the real world!
MOTIVATION Running Example: Build in Haskell a website that can run untrusted third-party plugins: •Users can upload plugins in source form •Any user can install an uploaded plugin against their account
MOTIVATION How? •Carefully craft plugin interface to restrict functions that a plugin can execute •e.g Only pure functions •Need type safety guarantees for this to work
MOTIVATION f :: a -> a
MOTIVATION f :: a -> a f a = unsafePerformIO $ do _ <- send_credit_card return a
SOLUTION?
SOLUTION? Safe Haskell !
SAFE HASKELL • Safe subset of Haskell that provides ‘enough’ guarantees •A safe import extension •A definition of trust that applies to modules and packages
SAFE LANGUAGE •Safe language (enabled with -XSafe) provides: •Type safety •Guaranteed module boundaries •Semantic consistency •These are the properties that we usually think about Haskell having •Safe language is a subset of Haskell
-XSAFE RESTRICTIONS • FFI imports must be in the IO monad • Can’t define RULES • No Template Haskell • No GeneralizedNewtypeDeriving • No hand crafted instances of Data.Typeable, only derived • Overlapping instances can only overlap instances defined in the same module • Can only import other ‘trusted’ modules
REVISITING THE EXAMPLE •So for untrusted plugins, compile with -XSafe •Can craft a plugin interface that uses types carefully to control functions a plugin can execute Done?
TURTLES ALL THE WAY DOWN • -XSafe compiled modules can only import trusted modules • So far -XSafe is only way to create trusted modules • What about modules like Data.ByteString? • Want to allow untrusted code to use Data.ByteString • Unsafe internals but safe API
-XTRUSTWORTHY Allows a module author to declare: ‘While module M may use unsafe functions internally, it only exposes a safe API’
-XTRUSTWORTHY • No restrictions on Haskell language • Marks a module as trusted though • Moduleauthor should assure that type safety can’t be violated by importing their module • Enables a small extension called safe imports
WHAT IS TRUST? • What determines if a module is considered ‘trusted’? • -XSafe compiled modules • What about -XTrustworthy modules?
WHAT IS TRUST? • -XTrustworthy allows a module author to mark any module as potentially ‘trusted’ • Very easy to abuse • So we require that the client (person running the compiler) assert that they trust the module author by stating they trust the package • For example: • Don Stewart marks Data.Bytestring as Trustworthy • Untrusted plugin author imports and uses Data.Bytestring • Website administrator marks the bytestring package as trusted
WHAT IS TRUST? • For -XSafe: • trust provided by compiler • For -XTrustworthy: • trust of module stated by module author • trust of module author provided by client by trusting the package the module resides in
TRUST IS TRANSITIVE {-# LANGUAGE Safe #-} •For A to be trusted package module A P must be trusted ... •An -XSafe module may bring in a package trust requirement Package P {-# LANGUAGE Trustworthy #-} module B ...
PACKAGE TRUST • ghc-pkg trust <pkg> • ghc-pkg distrust <pkg> • ghc -trust <pkg> ... • ghc -distrust <pkg> ... • ghc -distrust-all-packages ...
SAFE IMPORTS •One extension to the Haskell language: import safe M •Allows module author to specify that M must be trusted for the import to succeed •Under -XSafe all imports are safe imports (keyword implicit) •Under -XTrustworthy the module author can choose
PROBLEMS WITH 7.2 • Current description is of Safe Haskell in 7.2 • Issue with operation of package trust • Causes Safe Haskell to be invasive, infect the world!
BUILD ERRORS “I'm running into a lot of issues like the following: libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1: base:Data.List can't be safely imported! The package (base) the module resides in isn't trusted.”
PACKAGE TRUST REIFIED • In 7.4, we won’t require that the package a Trustworthy module resides in be trusted for the compilation to succeed • -XTrustworthy modules will simply be trusted by default • New -fpackage-trust flag to enable old behavior of 7.2 • This flag should always be used if you are compiling untrusted code
SAFE INFERENCE Unreasonable to expect the Haskell world to all start putting explicit -XSafe and -XTrustworthy pragmas in their files. So in 7.4: •Safe status of a module will be inferred •New -XUnsafe flag to explicitly mark a module as unsafe so that it can’t be imported by untrusted code
RUNNING EXAMPLE {-# LANGUAGE Unsafe #-} module RIO.Unsafe ( RIO(..) ) where newtype RIO a = UnsafeRIO { runRIO :: IO a } instance Monad RIO where return = UnsafeRIO . return (UnsafeRIO m) >>= k = UnsafeRIO $ m >>= runRIO . k {-# LANGUAGE Trustworthy #-} module RIO.FileAccess ( rioReadFile, rioWriteFile ) where ... pathOK f = {- Implement some policy -} rioReadFile :: FilePath -> RIO String rioReadFile f = UnsafeRIO $ do ok <- pathOK f if ok then readFile f else return “” rioWriteFile :: FilePath -> String -> RIO () rioWriteFile f s = ...
RUNNING EXAMPLE {-# LANGUAGE Trustworthy #-} module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) where import RIO.Unsafe import safe RIO.FileAccess {-# LANGUAGE Safe #-} module UntrustedPlugin ( runPlugin ) where import RIO runPlugin :: RIO () runPlugin = ...
SUMMARY • New language flags: -XSafe, -XTrustworthy, -XUnsafe • New option flag: -fpackage-trust (7.4) • Safe status of a module will be inferred (7.4) Trust your types!
FUTURE WORK • Prove safety guarantees • Establish clearer definition of safe and what guarantees trustworthy modules should provide • Machine checking possible here? • Do a retake on Safe language but by starting with a small, proven correct core and expanding out. • Inclusion in the Safe language could be used as a quality bar for new Haskell extensions. • Require formal semantics and proofs
SAFE HASKELL In GHC 7.2 Please try out and provide feedback http://www.scs.stanford.edu/~davidt/safehaskell.html

Recommended

Mr201307 investigation into_emet4.0_eng
Mr201307 investigation into_emet4.0_engMr201307 investigation into_emet4.0_eng
Mr201307 investigation into_emet4.0_engFFRI, Inc.
 
Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP MobilePositive Hack Days
 
OpenStack Days Prague - Bringing Enterprise Operations to OpenStack
OpenStack Days Prague - Bringing Enterprise Operations to OpenStackOpenStack Days Prague - Bringing Enterprise Operations to OpenStack
OpenStack Days Prague - Bringing Enterprise Operations to OpenStackLachlan Evenson
 
Virtual machine and javascript engine
Virtual machine and javascript engineVirtual machine and javascript engine
Virtual machine and javascript engineDuoyi Wu
 
OSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application BundlesOSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application BundlesRob Davies
 
Let's Write Better Node Modules
Let's Write Better Node ModulesLet's Write Better Node Modules
Let's Write Better Node ModulesKevin Whinnery
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 

Recommended

Mr201307 investigation into_emet4.0_eng
Mr201307 investigation into_emet4.0_engMr201307 investigation into_emet4.0_eng
Mr201307 investigation into_emet4.0_engFFRI, Inc.
 
Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP MobilePositive Hack Days
 
OpenStack Days Prague - Bringing Enterprise Operations to OpenStack
OpenStack Days Prague - Bringing Enterprise Operations to OpenStackOpenStack Days Prague - Bringing Enterprise Operations to OpenStack
OpenStack Days Prague - Bringing Enterprise Operations to OpenStackLachlan Evenson
 
Virtual machine and javascript engine
Virtual machine and javascript engineVirtual machine and javascript engine
Virtual machine and javascript engineDuoyi Wu
 
OSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application BundlesOSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application BundlesRob Davies
 
Let's Write Better Node Modules
Let's Write Better Node ModulesLet's Write Better Node Modules
Let's Write Better Node ModulesKevin Whinnery
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
Java1
Java1Java1
Java1Lovepreet Kaur
 
Java1
Java1Java1
Java1denis diigula
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Ansible module development 101
Ansible module development 101Ansible module development 101
Ansible module development 101yfauser
 
Securing applications
Securing applicationsSecuring applications
Securing applicationsColdFusionConference
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsDana Luther
 
Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML CodeColdFusionConference
 
Meetup devops
Meetup devopsMeetup devops
Meetup devopsLeonard Moustacchis
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build PipelineSamuel Brown
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack SummitMiguel Zuniga
 
Osgi
OsgiOsgi
OsgiHeena Madan
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

More Related Content

Similar to Safe Haskell

InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Ansible module development 101
Ansible module development 101Ansible module development 101
Ansible module development 101yfauser
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsDana Luther
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build PipelineSamuel Brown
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack SummitMiguel Zuniga
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 

Similar to Safe Haskell (20)

InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 
Java1
Java1Java1
Java1
 
Java1
Java1Java1
Java1
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Ansible module development 101
Ansible module development 101Ansible module development 101
Ansible module development 101
 
Securing applications
Securing applicationsSecuring applications
Securing applications
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application Migrations
 
Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML Code
 
Meetup devops
Meetup devopsMeetup devops
Meetup devops
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build Pipeline
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack Summit
 
Osgi
OsgiOsgi
Osgi
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Safe Haskell

  • 1. SAFE HASKELL David Terei Simon Marlow David Mazières Simon Peyton Jones Stanford University Microsoft Research
  • 2. MOTIVATION Haskell is a great language for building secure systems in: •Information flow control •Capabilities •Computations on encrypted data But all this work can’t secure untrusted code in the real world!
  • 3. MOTIVATION Running Example: Build in Haskell a website that can run untrusted third-party plugins: •Users can upload plugins in source form •Any user can install an uploaded plugin against their account
  • 4. MOTIVATION How? •Carefully craft plugin interface to restrict functions that a plugin can execute •e.g Only pure functions •Need type safety guarantees for this to work
  • 5. MOTIVATION f :: a -> a
  • 6. MOTIVATION f :: a -> a f a = unsafePerformIO $ do _ <- send_credit_card return a
  • 9. SAFE HASKELL • Safe subset of Haskell that provides ‘enough’ guarantees •A safe import extension •A definition of trust that applies to modules and packages
  • 10. SAFE LANGUAGE •Safe language (enabled with -XSafe) provides: •Type safety •Guaranteed module boundaries •Semantic consistency •These are the properties that we usually think about Haskell having •Safe language is a subset of Haskell
  • 11. -XSAFE RESTRICTIONS • FFI imports must be in the IO monad • Can’t define RULES • No Template Haskell • No GeneralizedNewtypeDeriving • No hand crafted instances of Data.Typeable, only derived • Overlapping instances can only overlap instances defined in the same module • Can only import other ‘trusted’ modules
  • 12. REVISITING THE EXAMPLE •So for untrusted plugins, compile with -XSafe •Can craft a plugin interface that uses types carefully to control functions a plugin can execute Done?
  • 13. TURTLES ALL THE WAY DOWN • -XSafe compiled modules can only import trusted modules • So far -XSafe is only way to create trusted modules • What about modules like Data.ByteString? • Want to allow untrusted code to use Data.ByteString • Unsafe internals but safe API
  • 14. -XTRUSTWORTHY Allows a module author to declare: ‘While module M may use unsafe functions internally, it only exposes a safe API’
  • 15. -XTRUSTWORTHY • No restrictions on Haskell language • Marks a module as trusted though • Moduleauthor should assure that type safety can’t be violated by importing their module • Enables a small extension called safe imports
  • 16. WHAT IS TRUST? • What determines if a module is considered ‘trusted’? • -XSafe compiled modules • What about -XTrustworthy modules?
  • 17. WHAT IS TRUST? • -XTrustworthy allows a module author to mark any module as potentially ‘trusted’ • Very easy to abuse • So we require that the client (person running the compiler) assert that they trust the module author by stating they trust the package • For example: • Don Stewart marks Data.Bytestring as Trustworthy • Untrusted plugin author imports and uses Data.Bytestring • Website administrator marks the bytestring package as trusted
  • 18. WHAT IS TRUST? • For -XSafe: • trust provided by compiler • For -XTrustworthy: • trust of module stated by module author • trust of module author provided by client by trusting the package the module resides in
  • 19. TRUST IS TRANSITIVE {-# LANGUAGE Safe #-} •For A to be trusted package module A P must be trusted ... •An -XSafe module may bring in a package trust requirement Package P {-# LANGUAGE Trustworthy #-} module B ...
  • 20. PACKAGE TRUST • ghc-pkg trust <pkg> • ghc-pkg distrust <pkg> • ghc -trust <pkg> ... • ghc -distrust <pkg> ... • ghc -distrust-all-packages ...
  • 21. SAFE IMPORTS •One extension to the Haskell language: import safe M •Allows module author to specify that M must be trusted for the import to succeed •Under -XSafe all imports are safe imports (keyword implicit) •Under -XTrustworthy the module author can choose
  • 22. PROBLEMS WITH 7.2 • Current description is of Safe Haskell in 7.2 • Issue with operation of package trust • Causes Safe Haskell to be invasive, infect the world!
  • 23. BUILD ERRORS “I'm running into a lot of issues like the following: libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1: base:Data.List can't be safely imported! The package (base) the module resides in isn't trusted.”
  • 24. PACKAGE TRUST REIFIED • In 7.4, we won’t require that the package a Trustworthy module resides in be trusted for the compilation to succeed • -XTrustworthy modules will simply be trusted by default • New -fpackage-trust flag to enable old behavior of 7.2 • This flag should always be used if you are compiling untrusted code
  • 25. SAFE INFERENCE Unreasonable to expect the Haskell world to all start putting explicit -XSafe and -XTrustworthy pragmas in their files. So in 7.4: •Safe status of a module will be inferred •New -XUnsafe flag to explicitly mark a module as unsafe so that it can’t be imported by untrusted code
  • 26. RUNNING EXAMPLE {-# LANGUAGE Unsafe #-} module RIO.Unsafe ( RIO(..) ) where newtype RIO a = UnsafeRIO { runRIO :: IO a } instance Monad RIO where return = UnsafeRIO . return (UnsafeRIO m) >>= k = UnsafeRIO $ m >>= runRIO . k {-# LANGUAGE Trustworthy #-} module RIO.FileAccess ( rioReadFile, rioWriteFile ) where ... pathOK f = {- Implement some policy -} rioReadFile :: FilePath -> RIO String rioReadFile f = UnsafeRIO $ do ok <- pathOK f if ok then readFile f else return “” rioWriteFile :: FilePath -> String -> RIO () rioWriteFile f s = ...
  • 27. RUNNING EXAMPLE {-# LANGUAGE Trustworthy #-} module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) where import RIO.Unsafe import safe RIO.FileAccess {-# LANGUAGE Safe #-} module UntrustedPlugin ( runPlugin ) where import RIO runPlugin :: RIO () runPlugin = ...
  • 28. SUMMARY • New language flags: -XSafe, -XTrustworthy, -XUnsafe • New option flag: -fpackage-trust (7.4) • Safe status of a module will be inferred (7.4) Trust your types!
  • 29. FUTURE WORK • Prove safety guarantees • Establish clearer definition of safe and what guarantees trustworthy modules should provide • Machine checking possible here? • Do a retake on Safe language but by starting with a small, proven correct core and expanding out. • Inclusion in the Safe language could be used as a quality bar for new Haskell extensions. • Require formal semantics and proofs
  • 30. SAFE HASKELL In GHC 7.2 Please try out and provide feedback http://www.scs.stanford.edu/~davidt/safehaskell.html