SAFE HASKELL  David Terei           Simon Marlow David Mazières       Simon Peyton JonesStanford University   Microsoft Re...
MOTIVATIONHaskell is a great language for building secure systems in:•Information flow control•Capabilities•Computations on...
MOTIVATIONRunning Example:Build in Haskell a website that can run untrusted third-partyplugins:•Users can upload plugins i...
MOTIVATIONHow?•Carefully craft plugin interface to restrict functions that a plugin can execute  •e.g Only pure functions•...
MOTIVATION  f :: a -> a
MOTIVATION       f :: a -> af a = unsafePerformIO $ do        _ <- send_credit_card        return a
SOLUTION?
SOLUTION?Safe Haskell !
SAFE HASKELL• Safe   subset of Haskell that provides ‘enough’ guarantees•A   safe import extension•A   definition of trust ...
SAFE LANGUAGE•Safe language (enabled with -XSafe) provides:    •Type safety    •Guaranteed module boundaries    •Semantic ...
-XSAFE RESTRICTIONS• FFI   imports must be in the IO monad• Can’t   define RULES• No Template    Haskell• No    Generalized...
REVISITING THE EXAMPLE•So for untrusted plugins, compile with -XSafe•Can craft a plugin interface that uses types carefull...
TURTLES ALL THE WAY DOWN• -XSafe   compiled modules can only import trusted modules• So   far -XSafe is only way to create...
-XTRUSTWORTHYAllows a module author to declare:‘While module M may use unsafe functions internally, it onlyexposes a safe ...
-XTRUSTWORTHY• No   restrictions on Haskell language• Marks   a module as trusted though• Moduleauthor should assure that ...
WHAT IS TRUST?• What   determines if a module is considered ‘trusted’? • -XSafe   compiled modules • What    about -XTrust...
WHAT IS TRUST?•   -XTrustworthy allows a module author to mark any module as    potentially ‘trusted’•   Very easy to abus...
WHAT IS TRUST?• For   -XSafe:  • trust   provided by compiler• For   -XTrustworthy:  • trust   of module stated by module ...
TRUST IS TRANSITIVE{-# LANGUAGE Safe #-}   •For A to be trusted packagemodule A                 P must be trusted...      ...
PACKAGE TRUST• ghc-pkg   trust <pkg>• ghc-pkg   distrust <pkg>• ghc   -trust <pkg> ...• ghc   -distrust <pkg> ...• ghc   -...
SAFE IMPORTS•One extension to the Haskell language:                         import safe M•Allows module author to specify ...
PROBLEMS WITH 7.2• Current    description is of Safe Haskell in 7.2• Issue   with operation of package trust  • Causes    ...
BUILD ERRORS“Im running into a lot of issues like the following:libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1:   ...
PACKAGE TRUST REIFIED• In  7.4, we won’t require that the package a Trustworthy module resides in be trusted for the compi...
SAFE INFERENCEUnreasonable to expect the Haskell world to all start puttingexplicit -XSafe and -XTrustworthy pragmas in th...
RUNNING EXAMPLE{-# LANGUAGE Unsafe #-}module RIO.Unsafe ( RIO(..) ) wherenewtype RIO a = UnsafeRIO { runRIO :: IO a }insta...
RUNNING EXAMPLE{-# LANGUAGE Trustworthy #-}module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) whereimport RIO.Unsafe...
SUMMARY•   New language flags: -XSafe, -XTrustworthy, -XUnsafe•   New option flag: -fpackage-trust (7.4)•   Safe status of a...
FUTURE WORK•   Prove safety guarantees•   Establish clearer definition of safe and what guarantees    trustworthy modules s...
SAFE HASKELL                    In GHC 7.2       Please try out and provide feedbackhttp://www.scs.stanford.edu/~davidt/sa...
Upcoming SlideShare
Loading in …5
×

Safe Haskell

4,397 views

Published on

Safe Haskell talk at Haskell Implementors Workshop 2011, Tokyo Japan.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Safe Haskell

  1. 1. SAFE HASKELL David Terei Simon Marlow David Mazières Simon Peyton JonesStanford University Microsoft Research
  2. 2. MOTIVATIONHaskell is a great language for building secure systems in:•Information flow control•Capabilities•Computations on encrypted dataBut all this work can’t secure untrusted code in the real world!
  3. 3. MOTIVATIONRunning Example:Build in Haskell a website that can run untrusted third-partyplugins:•Users can upload plugins in source form•Any user can install an uploaded plugin against their account
  4. 4. MOTIVATIONHow?•Carefully craft plugin interface to restrict functions that a plugin can execute •e.g Only pure functions•Need type safety guarantees for this to work
  5. 5. MOTIVATION f :: a -> a
  6. 6. MOTIVATION f :: a -> af a = unsafePerformIO $ do _ <- send_credit_card return a
  7. 7. SOLUTION?
  8. 8. SOLUTION?Safe Haskell !
  9. 9. SAFE HASKELL• Safe subset of Haskell that provides ‘enough’ guarantees•A safe import extension•A definition of trust that applies to modules and packages
  10. 10. SAFE LANGUAGE•Safe language (enabled with -XSafe) provides: •Type safety •Guaranteed module boundaries •Semantic consistency•These are the properties that we usually think about Haskell having•Safe language is a subset of Haskell
  11. 11. -XSAFE RESTRICTIONS• FFI imports must be in the IO monad• Can’t define RULES• No Template Haskell• No GeneralizedNewtypeDeriving• No hand crafted instances of Data.Typeable, only derived• Overlapping instances can only overlap instances defined in the same module• Can only import other ‘trusted’ modules
  12. 12. REVISITING THE EXAMPLE•So for untrusted plugins, compile with -XSafe•Can craft a plugin interface that uses types carefully to control functions a plugin can execute Done?
  13. 13. TURTLES ALL THE WAY DOWN• -XSafe compiled modules can only import trusted modules• So far -XSafe is only way to create trusted modules• What about modules like Data.ByteString? • Want to allow untrusted code to use Data.ByteString • Unsafe internals but safe API
  14. 14. -XTRUSTWORTHYAllows a module author to declare:‘While module M may use unsafe functions internally, it onlyexposes a safe API’
  15. 15. -XTRUSTWORTHY• No restrictions on Haskell language• Marks a module as trusted though• Moduleauthor should assure that type safety can’t be violated by importing their module• Enables a small extension called safe imports
  16. 16. WHAT IS TRUST?• What determines if a module is considered ‘trusted’? • -XSafe compiled modules • What about -XTrustworthy modules?
  17. 17. WHAT IS TRUST?• -XTrustworthy allows a module author to mark any module as potentially ‘trusted’• Very easy to abuse• So we require that the client (person running the compiler) assert that they trust the module author by stating they trust the package• For example: • Don Stewart marks Data.Bytestring as Trustworthy • Untrusted plugin author imports and uses Data.Bytestring • Website administrator marks the bytestring package as trusted
  18. 18. WHAT IS TRUST?• For -XSafe: • trust provided by compiler• For -XTrustworthy: • trust of module stated by module author • trust of module author provided by client by trusting the package the module resides in
  19. 19. TRUST IS TRANSITIVE{-# LANGUAGE Safe #-} •For A to be trusted packagemodule A P must be trusted... •An -XSafe module may bring in a package trust requirement Package P {-# LANGUAGE Trustworthy #-} module B ...
  20. 20. PACKAGE TRUST• ghc-pkg trust <pkg>• ghc-pkg distrust <pkg>• ghc -trust <pkg> ...• ghc -distrust <pkg> ...• ghc -distrust-all-packages ...
  21. 21. SAFE IMPORTS•One extension to the Haskell language: import safe M•Allows module author to specify that M must be trusted for the import to succeed•Under -XSafe all imports are safe imports (keyword implicit)•Under -XTrustworthy the module author can choose
  22. 22. PROBLEMS WITH 7.2• Current description is of Safe Haskell in 7.2• Issue with operation of package trust • Causes Safe Haskell to be invasive, infect the world!
  23. 23. BUILD ERRORS“Im running into a lot of issues like the following:libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1: base:Data.List cant be safely imported! The package (base)the module resides in isnt trusted.”
  24. 24. PACKAGE TRUST REIFIED• In 7.4, we won’t require that the package a Trustworthy module resides in be trusted for the compilation to succeed• -XTrustworthy modules will simply be trusted by default• New -fpackage-trust flag to enable old behavior of 7.2 • This flag should always be used if you are compiling untrusted code
  25. 25. SAFE INFERENCEUnreasonable to expect the Haskell world to all start puttingexplicit -XSafe and -XTrustworthy pragmas in their files.So in 7.4:•Safe status of a module will be inferred•New -XUnsafe flag to explicitly mark a module as unsafe so that it can’t be imported by untrusted code
  26. 26. RUNNING EXAMPLE{-# LANGUAGE Unsafe #-}module RIO.Unsafe ( RIO(..) ) wherenewtype RIO a = UnsafeRIO { runRIO :: IO a }instance Monad RIO where return = UnsafeRIO . return (UnsafeRIO m) >>= k = UnsafeRIO $ m >>= runRIO . k{-# LANGUAGE Trustworthy #-}module RIO.FileAccess ( rioReadFile, rioWriteFile ) where...pathOK f = {- Implement some policy -}rioReadFile :: FilePath -> RIO StringrioReadFile f = UnsafeRIO $ do ok <- pathOK f if ok then readFile f else return “”rioWriteFile :: FilePath -> String -> RIO ()rioWriteFile f s = ...
  27. 27. RUNNING EXAMPLE{-# LANGUAGE Trustworthy #-}module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) whereimport RIO.Unsafeimport safe RIO.FileAccess{-# LANGUAGE Safe #-}module UntrustedPlugin ( runPlugin ) whereimport RIOrunPlugin :: RIO ()runPlugin = ...
  28. 28. SUMMARY• New language flags: -XSafe, -XTrustworthy, -XUnsafe• New option flag: -fpackage-trust (7.4)• Safe status of a module will be inferred (7.4) Trust your types!
  29. 29. FUTURE WORK• Prove safety guarantees• Establish clearer definition of safe and what guarantees trustworthy modules should provide • Machine checking possible here?• Do a retake on Safe language but by starting with a small, proven correct core and expanding out. • Inclusion in the Safe language could be used as a quality bar for new Haskell extensions. • Require formal semantics and proofs
  30. 30. SAFE HASKELL In GHC 7.2 Please try out and provide feedbackhttp://www.scs.stanford.edu/~davidt/safehaskell.html

×