document what is needed for this to be a statically verified sandbox #351
Comments
|
As discussed here, cap-std is currently promoted for untrusted-input situations and not untrusted-code situations. I myself don't have a comprehensive list of what would be needed to handle untrusted code, but here's what I do know offhand: A clippy configuration for scanning for some calls to functions that employ ambient authority is here. It doesn't include cap-directories though, or most third-party crates. Rust has several open soundness bugs. I wouldn't assume that miri can catch all of them. Some of them are even miscompilations, which miri likely can't catch. I myself am not aware of anyone having studied rustc from the perspective of using it for untrusted-code sandboxing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Would adding a section to the Readme about this be welcome?
Together with static analysis, I think cap-std can be used to reduce the necessary code review to know that something does not escape the capabilities handed to it. So one would only need to review the API that one uses from a crate.
For this one would need some tool(s) one could run on a crate (and recursively its dependencies) to verify that it does not use any of the following:
#![deny(unsafe_code)]https://doc.rust-lang.org/reference/attributes/diagnostics.html , I think there are ready made tools, need to find a good recommendation)Any suggestions for relevant tools?
While there is research in that direction, for now none of this is to the level of formally proven, but the constructed to be correct level known from Rust.
The text was updated successfully, but these errors were encountered: