Scopes that restrict resources for some callees #445

Open
PaulBone opened this issue Oct 8, 2022 · 0 comments
Labels
component: language The Definition of the Plasma Language meta: triaged Has the issue been triaged yet? skill: mercury skill: plasma Write plasma for plasma! status: accepted A bug we intend to fix it. type: enhancement

Comments

@PaulBone (Member) commented Oct 8, 2022

I was listening to a discussion about supply chain attacks where they asked: what if you import and call some benign code like a logger? It provides a method like:

resource Log ...

func log(message : String) uses Log

Note how it uses the Log resource.

Then you call it in your function:

func do_something() uses Log, PasswordDatabase {
   set_password!(...)   // Uses PasswordDatabase resource
   log!("I set the password")  // Uses the Log resource
}

But one day you update to Logger 3.2 (some supply chain attack, or it turns out the author is malicious) and the log call now also uses the PasswordDatabase resource and uses it to steal passwords. You won't see an error in your use of the logger above, but might in other code. Instead it'd be useful to be able to put a scope around some calls to remove the availability of sensitive resources.

scope without_resource PasswordDatabase {
   log!("Hi")
}

or make it an allowlist

scope with_only_resource Log {
   log!("Hi")
}

The remaining problem is that this is opt-in; programmers have to think ahead and be defensive. So maybe other tooling could be built to imply this for inter-library calls and check for changes when libraries are updated. I'm sure it also won't stop all problems: what if the resources you need to give ARE the resources that are sensitive, or an attack doesn't need resources at all, or the resource system itself is vulnerable? But like strong static types, it makes a certain class of problems compile errors.
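To make the proposal concrete, here is an added toy model of the check the two scope forms would perform. It is example code written for this page, not part of the Plasma compiler: functions carry their declared `uses` set, and a checker walks a function body, narrowing the set of available resources when it enters a `without_resource` (denylist) or `with_only_resource` (allowlist) scope. The library functions, the "Logger 3.2" update and the `do_something` variants are constructed inputs that follow the issue's example; the statement encoding (`("call", name)` and `(kind, resources, body)` tuples) is an assumption of this model, not Plasma syntax.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A statement is one of (constructed encoding for this model):
#   ("call", callee_name)
#   ("without_resource", frozenset_of_resources, body)      # denylist scope
#   ("with_only_resource", frozenset_of_resources, body)    # allowlist scope
Stmt = tuple


@dataclass(frozen=True)
class Func:
    name: str
    uses: FrozenSet[str]          # declared resources, as in "uses Log, PasswordDatabase"
    body: Tuple[Stmt, ...] = ()   # library leaves (constructed here) have no body to check


def check(prog: Dict[str, Func], fname: str) -> List[str]:
    """Return the resource errors found in `fname`; an empty list means it 'compiles'."""
    f = prog[fname]
    errors: List[str] = []
    _check_body(prog, f.body, f.uses, errors, f.name)
    return errors


def _check_body(prog: Dict[str, Func], body: Tuple[Stmt, ...],
                allowed: FrozenSet[str], errors: List[str], ctx: str) -> None:
    for stmt in body:
        kind = stmt[0]
        if kind == "call":
            callee = prog[stmt[1]]
            # A call is only legal if every resource the callee declares is available here.
            missing = callee.uses - allowed
            if missing:
                errors.append(f"{ctx}: {callee.name}! needs {sorted(missing)} "
                              f"but only {sorted(allowed)} are available in this scope")
        elif kind == "without_resource":
            # Denylist: the named resources disappear inside the scope.
            _check_body(prog, stmt[2], allowed - stmt[1], errors, ctx)
        elif kind == "with_only_resource":
            # Allowlist: keep only the named resources. A scope can only narrow,
            # never add resources the enclosing function did not already declare.
            _check_body(prog, stmt[2], allowed & stmt[1], errors, ctx)
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


LOG, PWDB = "Log", "PasswordDatabase"


def library(logger_uses) -> Dict[str, Func]:
    """Constructed library: set_password is honest, log declares whatever this logger version needs."""
    return {
        "set_password": Func("set_password", frozenset({PWDB})),
        "log": Func("log", frozenset(logger_uses)),
    }


LOGGER_OK = library({LOG})          # the logger as described in the issue: uses Log only
LOGGER_3_2 = library({LOG, PWDB})   # hypothetical malicious update: log now also uses PasswordDatabase

# do_something() exactly as in the issue: no scope around the logging call
UNSCOPED = Func("do_something", frozenset({LOG, PWDB}),
                (("call", "set_password"), ("call", "log")))

# The two proposed forms: denylist and allowlist around the logging call
DENYLIST = Func("do_something", frozenset({LOG, PWDB}),
                (("call", "set_password"),
                 ("without_resource", frozenset({PWDB}), (("call", "log"),))))
ALLOWLIST = Func("do_something", frozenset({LOG, PWDB}),
                 (("call", "set_password"),
                  ("with_only_resource", frozenset({LOG}), (("call", "log"),))))


def errors_for(caller: Func, lib: Dict[str, Func]) -> List[str]:
    """Check `caller` against a given version of the library."""
    return check({**lib, caller.name: caller}, caller.name)


if __name__ == "__main__":
    for label, caller in (("unscoped", UNSCOPED), ("denylist", DENYLIST), ("allowlist", ALLOWLIST)):
        for lib_label, lib in (("honest logger", LOGGER_OK), ("Logger 3.2", LOGGER_3_2)):
            print(f"{label:9} + {lib_label:13}: {errors_for(caller, lib) or 'OK'}")
```

Running it shows the situation the issue describes: the unscoped `do_something` checks cleanly against both logger versions, because its own `uses` already covers `PasswordDatabase`, so the malicious update is invisible at this call site. Both scoped variants accept the honest logger and reject Logger 3.2 with an error naming the call and the resource it tried to reach. The allowlist form is the more robust of the two, since a denylist has to anticipate which resources are sensitive while an allowlist only has to name what the callee legitimately needs.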

@PaulBone PaulBone added type: enhancement skill: mercury meta: triaged Has the issue been triaged yet? status: accepted A bug we intend to fix it. skill: plasma Write plasma for plasma! component: language The Definition of the Plasma Language labels Oct 8, 2022
@PaulBone PaulBone added this to the Ergonomics (Cloud) milestone Oct 8, 2022