[MUD-Dev] Scripting languages

Bruce Mitchener bruce at cubik.org
Wed Jul 2 13:15:15 CEST 2003


Kwon J. Ekstrom wrote:
> Lars Duening wrote:
>> On Monday, June 30, 2003, at 11:07 PM, Mark 'Kamikaze' Hughes wrote:

>>> If you don't trust someone, my first instinct is to not give
>>> them scripting access.  If you do give them scripting access,
>>> they can break your system if they so choose.  Making a custom
>>> language won't stop that.  Only social solutions will work.

>> *nod* But a custom language implementation can help enforce the
>> social solutions by raising the bar for wannabe crackers and
>> limiting the possible damage.

> I personally don't see how writing a custom language helps much
> against malicious code.

It depends on the custom language of course.  Various systems out
there have security models that are part of the language, its
compilation environment, or its runtime environment.

There are 4 examples of this that come to mind:

    * MOO: Has task ownership and ways of directly enforcing
      a privilege model as part of its runtime environment.

    * Cold (http://www.cold.org/): Has various primitives for
      letting the programmer build their own security system,
      usually one similar to ACLs although other models have
      been constructed.

    * E (http://www.erights.org/): Has capability-based
      security primitives and ideology throughout. There's a lot
      of good stuff to read and think about based on their
      work.

    * Flowcaml (http://cristal.inria.fr/~simonet/soft/flowcaml/):
      This is an extension to OCaml that provides a type system
      that traces information flow and can automatically verify
      that a program conforms to some confidentiality or integrity
      policy.  A bit of the tutorial on it is at:

      http://cristal.inria.fr/~simonet/soft/flowcaml/manual/fcs003.html

I'm sure there are plenty of other interesting examples out there at
that sort of level.  The Water language (http://www.waterlang.org/)
might be interesting in this context as well, I don't know as I
haven't looked at it that deeply.

And then there's plenty of research as well:

    * http://www.cs.jhu.edu/labs/pll/secure/
    * http://www.cs.cornell.edu/home/jgm/cs711sp02/Language%20Based%20Security%20Notes%20and%20Papers.htm

I'm sure a relevant Google search would turn up more ... these were
just some random things in my bookmarks.

Cheers,

  - Bruce
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
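
Added example (not part of the original message, and not code from MOO or any of the projects named above): a simplified Python model of the task-ownership idea from the MOO bullet, where code runs with the permissions of whoever owns it and the runtime checks every property access. All class, verb and player names are hypothetical.

```python
from dataclasses import dataclass

class PermissionDenied(Exception): pass

@dataclass
class Prop:
    owner: str
    value: object
    readable: bool = False  # comparable to a per-property "r" bit
    writable: bool = False  # comparable to a per-property "w" bit

class World:
    def __init__(self, wizards):
        self.wizards, self.props, self.verbs = set(wizards), {}, {}

    def call(self, name, *args):
        owner, body = self.verbs[name]
        # The task runs with the verb OWNER's permissions, whoever invoked it.
        return body(Task(self, owner), *args)

class Task:
    def __init__(self, world, perms):
        self.world, self.perms = world, perms

    def _prop(self, name, bit):
        prop = self.world.props[name]
        allowed = getattr(prop, bit) or self.perms == prop.owner
        if not (allowed or self.perms in self.world.wizards):
            raise PermissionDenied(f"{self.perms} may not use {name} ({bit})")
        return prop

    def read(self, name):
        return self._prop(name, "readable").value

    def write(self, name, value):
        self._prop(name, "writable").value = value

    def call(self, name, *args):  # nested call switches to the callee's owner
        return self.world.call(name, *args)

def deposit(task, amount):  # wizard-owned verb: the only mediated write path
    if amount <= 0:
        raise PermissionDenied("deposit must be positive")
    task.write("balance", task.read("balance") + amount)
    return task.read("balance")

def build_world():  # constructed sample world; all names are hypothetical
    w = World(wizards={"wizard"})
    w.props["balance"] = Prop(owner="wizard", value=100)
    w.verbs["deposit"] = ("wizard", deposit)
    w.verbs["steal"] = ("guest_coder", lambda task: task.write("balance", 0))
    w.verbs["pay"] = ("guest_coder", lambda task: task.call("deposit", 5))
    return w
```

In this model the untrusted programmer's "steal" verb is refused no matter who triggers it, while "pay" succeeds only because it goes through the wizard-owned verb and its input check.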