
The trusted base for Crochet is too big! #24

Open
robotlolita opened this issue Oct 3, 2021 · 0 comments
Labels
error Something is confusing, misbehaving, or harmful. s:1 moderate This is bad. We should deal with this as soon as possible.

Comments

@robotlolita
Contributor

Currently all of the packages in the standard distribution are part of the trusted base. Packages in the trusted base get more powerful FFI access, construction and projection capabilities over intrinsic types, and are able to load native code without requiring a native capability.

This makes the surface of dangerous attacks in Crochet too large. Bugs in an otherwise innocuous package, such as crochet.text.regex, could allow malicious code to get access to all of this power, effectively subverting most of the runtime safety mechanisms in Crochet.

This won't be addressed for the first experimental release, as it requires a significant amount of work around safe native code support, but it's important that people are aware of this issue.

@robotlolita robotlolita added error Something is confusing, misbehaving, or harmful. s:1 moderate This is bad. We should deal with this as soon as possible. labels Oct 3, 2021
robotlolita added a commit that referenced this issue Oct 3, 2021
This adds the checks for construction and projection capabilities back to Crochet. The rule is that these capabilities are only available for the defining package---but here we run into a problem: intrinsic types have no packages! Still, trusted packages need to manipulate these intrinsic types and provide a view to them.

The temporary solution this PR adds is to skip intrinsic capability checks for trusted packages---but the trusted base for Crochet is too big currently (#24), mostly as a result of native code being unsafe to load right now. This shouldn't be too much of a problem yet because intrinsic types have no real power.

This fixes #14.
@robotlolita robotlolita added this to the First stable release milestone Dec 11, 2021
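The rules described in the issue body and in the commit message above, as an added TypeScript sketch that is not code from the Crochet project or its author: construction and projection are available only to a type's defining package, trusted packages skip that check for intrinsic types (which have no package), and trusted packages load native code without holding a native capability. It then measures how many packages a compromise would need to reach intrinsic types or native loading, once with the whole standard distribution trusted and once with a smaller trusted base. Representing intrinsic types as `definingPackage: null`, the capability name `"native"`, and the package and type names are assumptions made for this sketch; the sample data is constructed.

```typescript
// Added example, not Crochet's own code: a toy model of the capability rules
// described in this issue and the linked commit message. Package and type
// names are constructed sample data; modelling intrinsic types as having
// `definingPackage: null` and naming the native capability "native" are
// assumptions of this sketch.

interface CrochetType {
  name: string;
  // Intrinsic types have no defining package (assumption: represented as null).
  definingPackage: string | null;
}

interface Pkg {
  name: string;
  // Member of the trusted base (today: every standard-distribution package).
  trusted: boolean;
  // Capabilities explicitly granted to an untrusted package, e.g. "native".
  granted: Set<string>;
}

// Construction and projection follow the same rule: only the defining package
// may use them. Trusted packages skip the check for intrinsic types, which is
// the temporary rule the commit message describes.
function canConstructOrProject(pkg: Pkg, type: CrochetType): boolean {
  if (type.definingPackage !== null) {
    return type.definingPackage === pkg.name;
  }
  return pkg.trusted;
}

// Trusted packages load native code without holding a native capability;
// everything else must have been granted one explicitly.
function canLoadNative(pkg: Pkg): boolean {
  return pkg.trusted || pkg.granted.has("native");
}

// Packages whose compromise would reach intrinsic types or native loading:
// the attack surface the issue is about. Sorted for stable comparison.
function exposedPackages(pkgs: Pkg[], types: CrochetType[]): string[] {
  const intrinsics = types.filter((t) => t.definingPackage === null);
  return pkgs
    .filter((p) => canLoadNative(p) || intrinsics.some((t) => canConstructOrProject(p, t)))
    .map((p) => p.name)
    .sort();
}

// Re-derive the same packages under a different trusted base.
function withTrustedBase(pkgs: Pkg[], trusted: Set<string>): Pkg[] {
  return pkgs.map((p) => ({ ...p, trusted: trusted.has(p.name) }));
}

function findPkg(pkgs: Pkg[], name: string): Pkg {
  const p = pkgs.find((x) => x.name === name);
  if (!p) throw new Error(`no package ${name}`);
  return p;
}

// Constructed sample data.
const TYPES: CrochetType[] = [
  { name: "Integer", definingPackage: null }, // intrinsic: no package
  { name: "Regex", definingPackage: "crochet.text.regex" },
  { name: "Todo", definingPackage: "user.app" },
];

// The situation the issue describes: the whole standard distribution is trusted.
const TODAY: Pkg[] = [
  { name: "crochet.core", trusted: true, granted: new Set<string>() },
  { name: "crochet.text.regex", trusted: true, granted: new Set<string>() },
  { name: "user.app", trusted: false, granted: new Set<string>() },
];

// A smaller trusted base: only the core package keeps intrinsic access, while
// crochet.text.regex still owns the types it defines.
const SMALLER: Pkg[] = withTrustedBase(TODAY, new Set(["crochet.core"]));

console.log("exposed today:", exposedPackages(TODAY, TYPES));
console.log("exposed with smaller base:", exposedPackages(SMALLER, TYPES));
```

Shrinking the trusted base does not take anything away from `crochet.text.regex` that it needs for its own types; it only removes the intrinsic and native access that a bug in that package would otherwise hand to an attacker, which is the risk the issue points at.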