Okay, we'll try this again... (darned cranky mail clients)
We've two big issues to deal with here--safety and security. While
related they aren't the same and there are different things that need
doing. As far as I can see it, we need four things:
1) An oploop that checks branch destinations for validity
2) Opcodes that check their parameters for basic sanity--valid
register numbers (0-31) and basically correct (i.e. non-NULL) register
3) An oploop that checks basic quotas, mainly run time
4) Opcodes that check to see if you can actually do the thing you've requested
#s 1&2 are safety issues. #2, specifically, can be dealt with by the
opcode preprocessor, generating op bodies that do validity checking.
#1 needs a bounds-checking runloop, which we mostly have already. I'm
comfortable getting this done now, and this is what the framework
that's going in should be able to handle OK.
#s 3&4 deal with security. This... this is a dodgier issue.
Security's easy to get wrong and hard to get right. (Though quotas
are straightforward enough. Mostly.) And once the framework's in
place, there's the issue of performance--how do we get good
performance in the common (insecure) case without sacrificing
security in the secure case?
At any rate, perl 5's Safe module is a good example of the Wrong Way
to do security, and as such we're going to take it as a cautionary
tale rather than a template. For security I want to go with an
explicit privilege model with privilege checking in parrot's
internals, rather than counting on op functions to Do The Right
Thing. That means that IO restrictions are imposed by the IO code,
not the IO ops, and suchlike stuff. Generally speaking, we're going
to emulate the VMS quota and privilege system, as it's reasonably
good as these things go.
If we're going to tackle this, though, we need to pull in some folks
who're actually competent at it before we do more than handwave about
--------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
d...@sidhe.org                        have teddy bears and even
                                      teddy bears get drunk
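The four checks in the list above, carried through in an added example that is neither Dan's code nor Parrot's: a toy register VM in C with 32 integer registers. The runloop validates branch destinations (#1) and enforces an op-count quota (#3), each op body checks its register numbers (#2, the check the post expects the opcode preprocessor to generate), and the IO privilege check sits in the IO routine rather than in the IO op (#4). The opcode set, the status codes and the PRIV_IO flag are all hypothetical, and the sample programs are constructed for the demonstration.

```c
/* Added example, not Parrot code: a toy register VM that places the four
 * checks from the post where the post says they belong.  Opcode names,
 * status codes and the PRIV_IO flag are all hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_REGS 32
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

enum op { OP_SET, OP_ADD, OP_BRANCH, OP_IOWRITE, OP_HALT };
enum status { VM_OK = 0, VM_BAD_BRANCH, VM_BAD_REG, VM_QUOTA, VM_NO_PRIV, VM_BAD_OP };
enum privilege { PRIV_NONE = 0, PRIV_IO = 1 };

typedef struct { enum op op; int32_t a; int32_t b; } insn;

typedef struct {
    int64_t regs[NUM_REGS];
    unsigned privs;        /* bitmask of granted privileges (#4) */
    size_t op_quota;       /* how many ops this run may execute (#3) */
    size_t ops_executed;
} vm;

/* #2: parameter sanity.  In the post this is what the opcode preprocessor
 * would generate into every op body; here each op calls it explicitly. */
static int reg_ok(int32_t r) { return r >= 0 && r < NUM_REGS; }

/* #4: the privilege check lives in the IO code, not in the IO op, so every
 * path into IO is covered no matter which op (or internal caller) took it. */
static enum status vm_io_write(const vm *v, int64_t value) {
    if (!(v->privs & PRIV_IO)) return VM_NO_PRIV;
    printf("io: %lld\n", (long long)value);
    return VM_OK;
}

static enum status vm_run(vm *v, const insn *code, size_t n) {
    size_t pc = 0;
    v->ops_executed = 0;
    while (pc < n) {
        const insn *i = &code[pc];
        /* #3: quota check in the runloop, once per op, before doing anything. */
        if (v->ops_executed++ >= v->op_quota) return VM_QUOTA;
        switch (i->op) {
        case OP_SET:
            if (!reg_ok(i->a)) return VM_BAD_REG;
            v->regs[i->a] = i->b;
            pc++; break;
        case OP_ADD:
            if (!reg_ok(i->a) || !reg_ok(i->b)) return VM_BAD_REG;
            v->regs[i->a] += v->regs[i->b];
            pc++; break;
        case OP_BRANCH:
            /* #1: the runloop validates the destination before pc moves. */
            if (i->a < 0 || (size_t)i->a >= n) return VM_BAD_BRANCH;
            pc = (size_t)i->a; break;
        case OP_IOWRITE: {
            if (!reg_ok(i->a)) return VM_BAD_REG;
            enum status s = vm_io_write(v, v->regs[i->a]);
            if (s != VM_OK) return s;
            pc++; break;
        }
        case OP_HALT:
            return VM_OK;
        default:
            return VM_BAD_OP;
        }
    }
    return VM_OK; /* ran off the end of the code: treated as a halt */
}

/* Run a program under the given privileges and quota; return its status
 * and, via out (may be NULL), the final VM state. */
static enum status run_program(const insn *code, size_t n, unsigned privs,
                               size_t quota, vm *out) {
    vm v = {{0}, 0, 0, 0};
    v.privs = privs; v.op_quota = quota;
    enum status s = vm_run(&v, code, n);
    if (out) *out = v;
    return s;
}

/* Final value of register 0 after an unprivileged run with a quota of 100. */
static int64_t final_r0(const insn *code, size_t n) {
    vm v; run_program(code, n, PRIV_NONE, 100, &v); return v.regs[0];
}

/* Constructed sample programs, one per failure mode. */
static const insn prog_ok[]     = {{OP_SET, 0, 40}, {OP_SET, 1, 2}, {OP_ADD, 0, 1}, {OP_HALT, 0, 0}};
static const insn prog_branch[] = {{OP_BRANCH, 99, 0}};               /* out-of-range target */
static const insn prog_reg[]    = {{OP_SET, 32, 1}, {OP_HALT, 0, 0}}; /* register 32 does not exist */
static const insn prog_loop[]   = {{OP_BRANCH, 0, 0}};                /* spins until the quota trips */
static const insn prog_io[]     = {{OP_SET, 0, 7}, {OP_IOWRITE, 0, 0}, {OP_HALT, 0, 0}};

int main(void) {
    printf("ok:        status %d, r0 = %lld\n", run_program(prog_ok, LEN(prog_ok), PRIV_NONE, 100, NULL),
           (long long)final_r0(prog_ok, LEN(prog_ok)));
    printf("branch:    status %d\n", run_program(prog_branch, LEN(prog_branch), PRIV_NONE, 100, NULL));
    printf("reg:       status %d\n", run_program(prog_reg, LEN(prog_reg), PRIV_NONE, 100, NULL));
    printf("loop:      status %d\n", run_program(prog_loop, LEN(prog_loop), PRIV_NONE, 1000, NULL));
    printf("io/nopriv: status %d\n", run_program(prog_io, LEN(prog_io), PRIV_NONE, 100, NULL));
    printf("io/priv:   status %d\n", run_program(prog_io, LEN(prog_io), PRIV_IO, 100, NULL));
    return 0;
}
```

The point of the layout is the one the post makes: OP_IOWRITE does not decide anything about permission, it simply calls into vm_io_write, and a second op or an internal helper that reaches the same routine is refused the same way. Because the quota and branch checks live in the runloop, an op body that forgets them cannot bypass them; the cost is a compare per op and per branch, which is the performance question the post raises for the common, unrestricted case.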