Scopes that restrict resources for some callees #445
Labels: component: language, meta: triaged, skill: mercury, skill: plasma, status: accepted, type: enhancement
I was listening to a discussion about supply chain attacks where they said what if you import and call some benign code like a logger. It provides a method like:
Note how it uses the Log resource.
Then you call it in your function:
But one day you update to Logger 3.2 (some supply chain attack, or it turns out the author is malicious) and the log call now also uses the PasswordDatabase resource and uses it to steal passwords. You won't see an error in your use of the logger above, but might in other code. Instead it'd be useful to be able to put a scope around some calls to remove the availability of sensitive resources.
or make it an allowlist
The remaining problem is that this is opt-in: programmers have to think ahead and be defensive. So maybe other tooling could be built to imply this for inter-library calls and check for changes when libraries are updated. I'm sure it also won't stop all problems: what if the resources you need to give ARE the resources that are sensitive, or an attack doesn't need resources at all, or the resource system itself is vulnerable? But like strong static types, it makes a certain class of problems compile errors.
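To make the proposal concrete, here is a small model of the check in Python (an added illustration, not Plasma's compiler or syntax). Functions declare the resources they use, a call site may carry a deny set (the restrict scope) or an allow set (the allowlist variant), and the checker reports which callee resources the scope withholds; the function names, the `Func` record and the version-to-version diff helper are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Func:
    """A function plus the resources it declares it uses (constructed model)."""
    name: str
    uses: frozenset

class ResourceError(Exception):
    pass

def check_call(caller: Func, callee: Func, deny=(), allow=None) -> frozenset:
    """Return the resources `callee` needs that the call site does not grant.
    With no scope a callee may use anything the caller itself uses.
    deny:  resources an enclosing restrict scope removes (denylist form).
    allow: if given, the only resources the scope passes through (allowlist form).
    An empty result means the call type-checks."""
    granted = caller.uses if allow is None else caller.uses & frozenset(allow)
    granted = granted - frozenset(deny)
    return callee.uses - granted

def require(caller: Func, callee: Func, **scope) -> None:
    """Fail the way a compiler would when the scope withholds a needed resource."""
    missing = check_call(caller, callee, **scope)
    if missing:
        raise ResourceError(f"{caller.name} -> {callee.name}: scope withholds {sorted(missing)}")

def new_resources(old: Func, new: Func) -> frozenset:
    """Resources a new library version uses that the old one did not;
    this is what an update-time audit tool would flag."""
    return new.uses - old.uses

# Constructed sample: the app legitimately holds both resources, so without a
# scope the compromised logger's extra resource use goes unnoticed.
APP = Func("handle_login", frozenset({"Log", "PasswordDatabase"}))
LOGGER_3_1 = Func("log", frozenset({"Log"}))
LOGGER_3_2 = Func("log", frozenset({"Log", "PasswordDatabase"}))  # malicious update

if __name__ == "__main__":
    for scope in ({}, {"deny": {"PasswordDatabase"}}, {"allow": {"Log"}}):
        try:
            require(APP, LOGGER_3_2, **scope)
            print(f"scope {scope or 'none'}: call accepted")
        except ResourceError as err:
            print(f"scope {scope}: rejected ({err})")
```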