Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How safe is Safe Haskell?

Tags:

haskell

sandbox

I was thinking about Safe Haskell and I wonder how much I can trust it?

Some fictional scenarios:

  1. I am a little hacker writing a programmable game (think Robocode) where I allow others to program their own entities to compete against each other. Most of the time users will run some untrusted programs on private machines. Untrusted code would probably be inspected before running it.

  2. I am the programmer of an application that is used by several clients. I provide an api so they can extend the functionality and encourage my users to share their plugins. The user community is small and most of the time there is mutual trust, but occasionally someone is working on a top-secret client project and any dataleaks would prove disastrous.

  3. I am ... Google (or Facebook,Yahoo,etc) and want to allow my clients to script their email accounts. Scripts are uploaded and are run on my servers. Any access violations would be fatal.

Given these scenarios:

  • would Safe Haskell be appropriate to ensure sandboxing and access restriction?
  • Should someone in the given situations be able to trust the promises made?
like image 353
fho Avatar asked Nov 06 '14 13:11

fho

People also ask

Is Haskell safe?

To my knowledge, safe Haskell is not safe. Someone can use unsafePerformIO in a package and manually override the "unsafe" factor. If not, every package that had any dependencies on c programs or system libraries could not be marked safe.

Is Haskell a safe language?

Haskell, like most modern languages, performs well with low-level, technical vulnerabilities. For one, Haskell is memory safe which takes one huge expanse of potential vulnerabilities out of reach of potential attackers – arrays and buffer overflows are even more so.

1 Answers

As a rule of thumb, I'd say safe Haskell tries to get roughly where the safe subset of C# is. For your scenarios:

  1. Can use safe haskell because you are inspecting code.
  2. Cannot really use safe haskell alone to avoid disastrous data leaks.
  3. I wouldn't recommend Google or Yahoo relying on safe haskell alone to run untrusted code. For one thing, it doesn't manage excessive resource consumption (CPU,memory,disk) or bottoms (undefined or while true). Use an OS sandbox for that.

A note on undefined: operationally, it stops the function returning a value by throwing an exception, as does the error function. Denotationally, it's considered to be the 'bottom' value. Now, even if safe Haskell disallowed undefined and error, a function could still fail to return, just by looping endlessly. And an endless loop is bottom too. So safe Haskell guarantees type and memory safety but doesn't try to guarantee that functions terminate. Safe Haskell is, of course, Turing complete, so it's not possible in general to prove termination. Furthermore, since out-of-memory throws an exception, functions may terminate with them. Finally, pattern match errors throw exceptions. So safe Haskell cannot eliminate bottoms of any kind and may as well allow explicit undefined and error.

like image 141
GarethR Avatar answered Nov 04 '22 17:11

GarethR
Sign in to Comment

Related questions

Defining function signature in GHCi
Operating on a return from a Maybe that contains "Just"
What do people use the identity function for? [duplicate]
Is there a better way to express the absolute error function in point-free notation?
Read from stdin in Haskell using IO.readLn
Haskell: actual IO monad implementation, in different language?
Does F# have an equivalent to Haskell's take?
Zipping same value over a list of tuples Haskell
What are some better ways to write [(-1,-1),(-1,0),(-1,1),(0,-1),(0,1),(1,-1),(1,0),(1,1)] in Haskell?
Python, Ruby, Haskell - Do they provide true multithreading?
What is a good reason to use a type signature for functions when the compiler can infer the types
Why isn't every type part of Eq in Haskell?
Empty program segfaulting
Passing app secrets in Yesod and Keter
Running GHC's LLVM output through the LLVM bitcode linker first
How To Add a Constraint to a Type Constructor
Android application in haskell
How can I get JHC to cooperate with the android ndk?
How do functional languages represent algebraic data types in memory?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!