SlideShare a Scribd company logo
SAFE HASKELL
  David Terei           Simon Marlow
 David Mazières       Simon Peyton Jones

Stanford University   Microsoft Research
MOTIVATION

Haskell is a great language for building secure systems in:

•Information flow control
•Capabilities
•Computations on encrypted data
But all this work can’t secure untrusted code in the real world!
MOTIVATION

Running Example:

Build in Haskell a website that can run untrusted third-party
plugins:

•Users can upload plugins in source form
•Any user can install an uploaded plugin against their account
MOTIVATION

How?

•Carefully craft plugin interface to restrict functions that a
 plugin can execute

  •e.g Only pure functions
•Need type safety guarantees for this to work
MOTIVATION
  f :: a -> a
MOTIVATION
       f :: a -> a


f a = unsafePerformIO $ do
        _ <- send_credit_card
        return a
SOLUTION?
SOLUTION?




Safe Haskell !
SAFE HASKELL

• Safe   subset of Haskell that provides ‘enough’ guarantees

•A   safe import extension

•A   definition of trust that applies to modules and packages
SAFE LANGUAGE
•Safe language (enabled with -XSafe) provides:
    •Type safety
    •Guaranteed module boundaries
    •Semantic consistency
•These are the properties that we usually think about Haskell
 having

•Safe language is a subset of Haskell
-XSAFE RESTRICTIONS
• FFI   imports must be in the IO monad

• Can’t   define RULES

• No Template    Haskell

• No    GeneralizedNewtypeDeriving

• No    hand crafted instances of Data.Typeable, only derived

• Overlapping
            instances can only overlap instances defined in
 the same module

• Can    only import other ‘trusted’ modules
REVISITING THE EXAMPLE

•So for untrusted plugins, compile with -XSafe
•Can craft a plugin interface that uses types carefully to control
 functions a plugin can execute



                              Done?
TURTLES ALL THE WAY DOWN

• -XSafe   compiled modules can only import trusted modules

• So   far -XSafe is only way to create trusted modules

• What    about modules like Data.ByteString?

 • Want    to allow untrusted code to use Data.ByteString

 • Unsafe    internals but safe API
-XTRUSTWORTHY

Allows a module author to declare:

‘While module M may use unsafe functions internally, it only
exposes a safe API’
-XTRUSTWORTHY

• No   restrictions on Haskell language

• Marks   a module as trusted though

• Moduleauthor should assure that type safety can’t be violated
 by importing their module

• Enables   a small extension called safe imports
WHAT IS TRUST?

• What   determines if a module is considered ‘trusted’?

 • -XSafe   compiled modules

 • What    about -XTrustworthy modules?
WHAT IS TRUST?
•   -XTrustworthy allows a module author to mark any module as
    potentially ‘trusted’
•   Very easy to abuse
•   So we require that the client (person running the compiler) assert
    that they trust the module author by stating they trust the package
•   For example:
    •   Don Stewart marks Data.Bytestring as Trustworthy
    •   Untrusted plugin author imports and uses Data.Bytestring
    •   Website administrator marks the bytestring package as trusted
WHAT IS TRUST?

• For   -XSafe:

  • trust   provided by compiler

• For   -XTrustworthy:

  • trust   of module stated by module author

  • trust
        of module author provided by client by trusting the
   package the module resides in
TRUST IS TRANSITIVE
{-# LANGUAGE Safe #-}   •For A to be trusted package
module A                 P must be trusted
...
                        •An -XSafe module may bring
                         in a package trust requirement

                        Package P

                            {-# LANGUAGE Trustworthy #-}
                            module B
                             ...
PACKAGE TRUST

• ghc-pkg   trust <pkg>

• ghc-pkg   distrust <pkg>

• ghc   -trust <pkg> ...

• ghc   -distrust <pkg> ...

• ghc   -distrust-all-packages ...
SAFE IMPORTS

•One extension to the Haskell language:
                         import safe M

•Allows module author to specify that M must be trusted for
 the import to succeed

•Under -XSafe all imports are safe imports (keyword implicit)
•Under -XTrustworthy the module author can choose
PROBLEMS WITH 7.2


• Current    description is of Safe Haskell in 7.2

• Issue   with operation of package trust

  • Causes    Safe Haskell to be invasive, infect the world!
BUILD ERRORS


“I'm running into a lot of issues like the following:

libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1:

   base:Data.List can't be safely imported! The package (base)
the module resides in isn't trusted.”
PACKAGE TRUST REIFIED

• In
  7.4, we won’t require that the package a Trustworthy
 module resides in be trusted for the compilation to succeed

• -XTrustworthy     modules will simply be trusted by default

• New     -fpackage-trust flag to enable old behavior of 7.2

  • This   flag should always be used if you are compiling
       untrusted code
SAFE INFERENCE

Unreasonable to expect the Haskell world to all start putting
explicit -XSafe and -XTrustworthy pragmas in their files.

So in 7.4:

•Safe status of a module will be inferred
•New -XUnsafe flag to explicitly mark a module as unsafe
  so that it can’t be imported by untrusted code
RUNNING EXAMPLE
{-# LANGUAGE Unsafe #-}
module RIO.Unsafe ( RIO(..) ) where

newtype RIO a = UnsafeRIO { runRIO :: IO a }
instance Monad RIO where
      return = UnsafeRIO . return
      (UnsafeRIO m) >>= k = UnsafeRIO $ m >>= runRIO . k


{-# LANGUAGE Trustworthy #-}
module RIO.FileAccess ( rioReadFile, rioWriteFile ) where
...
pathOK f = {- Implement some policy -}


rioReadFile :: FilePath -> RIO String
rioReadFile f = UnsafeRIO $ do
      ok <- pathOK f
      if ok then readFile f else return “”


rioWriteFile :: FilePath -> String -> RIO ()
rioWriteFile f s = ...
RUNNING EXAMPLE
{-# LANGUAGE Trustworthy #-}

module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) where

import RIO.Unsafe

import safe RIO.FileAccess



{-# LANGUAGE Safe #-}

module UntrustedPlugin ( runPlugin ) where

import RIO



runPlugin :: RIO ()

runPlugin = ...
SUMMARY
•   New language flags: -XSafe, -XTrustworthy, -XUnsafe
•   New option flag: -fpackage-trust (7.4)
•   Safe status of a module will be inferred (7.4)




                         Trust your types!
FUTURE WORK
•   Prove safety guarantees
•   Establish clearer definition of safe and what guarantees
    trustworthy modules should provide
    •   Machine checking possible here?
•   Do a retake on Safe language but by starting with a small,
    proven correct core and expanding out.
    •   Inclusion in the Safe language could be used as a quality bar
        for new Haskell extensions.
    •   Require formal semantics and proofs
SAFE HASKELL
                    In GHC 7.2

       Please try out and provide feedback

http://www.scs.stanford.edu/~davidt/safehaskell.html

More Related Content

Similar to Safe Haskell

InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
Mandi Walls
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
Mandi Walls
 
Java1
Java1Java1
Java1
Java1Java1
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
Mandi Walls
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Ansible module development 101
Ansible module development 101Ansible module development 101
Ansible module development 101
yfauser
 
Securing applications
Securing applicationsSecuring applications
Securing applications
ColdFusionConference
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application Migrations
Dana Luther
 
Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML Code
ColdFusionConference
 
Meetup devops
Meetup devopsMeetup devops
Meetup devops
Leonard Moustacchis
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build Pipeline
Samuel Brown
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack Summit
Miguel Zuniga
 
Osgi
OsgiOsgi
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
AFUP_Limoges
 

Similar to Safe Haskell (20)

InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 
Java1
Java1Java1
Java1
 
Java1
Java1Java1
Java1
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Ansible module development 101
Ansible module development 101Ansible module development 101
Ansible module development 101
 
Securing applications
Securing applicationsSecuring applications
Securing applications
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application Migrations
 
Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML Code
 
Meetup devops
Meetup devopsMeetup devops
Meetup devops
 
Anatomy of a Build Pipeline
Anatomy of a Build PipelineAnatomy of a Build Pipeline
Anatomy of a Build Pipeline
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack Summit
 
Osgi
OsgiOsgi
Osgi
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 

Recently uploaded

MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
manji sharman06
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 

Recently uploaded (20)

MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 

Safe Haskell

  • 1. SAFE HASKELL David Terei Simon Marlow David Mazières Simon Peyton Jones Stanford University Microsoft Research
  • 2. MOTIVATION Haskell is a great language for building secure systems in: •Information flow control •Capabilities •Computations on encrypted data But all this work can’t secure untrusted code in the real world!
  • 3. MOTIVATION Running Example: Build in Haskell a website that can run untrusted third-party plugins: •Users can upload plugins in source form •Any user can install an uploaded plugin against their account
  • 4. MOTIVATION How? •Carefully craft plugin interface to restrict functions that a plugin can execute •e.g Only pure functions •Need type safety guarantees for this to work
  • 5. MOTIVATION f :: a -> a
  • 6. MOTIVATION f :: a -> a f a = unsafePerformIO $ do _ <- send_credit_card return a
  • 9. SAFE HASKELL • Safe subset of Haskell that provides ‘enough’ guarantees •A safe import extension •A definition of trust that applies to modules and packages
  • 10. SAFE LANGUAGE •Safe language (enabled with -XSafe) provides: •Type safety •Guaranteed module boundaries •Semantic consistency •These are the properties that we usually think about Haskell having •Safe language is a subset of Haskell
  • 11. -XSAFE RESTRICTIONS • FFI imports must be in the IO monad • Can’t define RULES • No Template Haskell • No GeneralizedNewtypeDeriving • No hand crafted instances of Data.Typeable, only derived • Overlapping instances can only overlap instances defined in the same module • Can only import other ‘trusted’ modules
  • 12. REVISITING THE EXAMPLE •So for untrusted plugins, compile with -XSafe •Can craft a plugin interface that uses types carefully to control functions a plugin can execute Done?
  • 13. TURTLES ALL THE WAY DOWN • -XSafe compiled modules can only import trusted modules • So far -XSafe is only way to create trusted modules • What about modules like Data.ByteString? • Want to allow untrusted code to use Data.ByteString • Unsafe internals but safe API
  • 14. -XTRUSTWORTHY Allows a module author to declare: ‘While module M may use unsafe functions internally, it only exposes a safe API’
  • 15. -XTRUSTWORTHY • No restrictions on Haskell language • Marks a module as trusted though • Moduleauthor should assure that type safety can’t be violated by importing their module • Enables a small extension called safe imports
  • 16. WHAT IS TRUST? • What determines if a module is considered ‘trusted’? • -XSafe compiled modules • What about -XTrustworthy modules?
  • 17. WHAT IS TRUST? • -XTrustworthy allows a module author to mark any module as potentially ‘trusted’ • Very easy to abuse • So we require that the client (person running the compiler) assert that they trust the module author by stating they trust the package • For example: • Don Stewart marks Data.Bytestring as Trustworthy • Untrusted plugin author imports and uses Data.Bytestring • Website administrator marks the bytestring package as trusted
  • 18. WHAT IS TRUST? • For -XSafe: • trust provided by compiler • For -XTrustworthy: • trust of module stated by module author • trust of module author provided by client by trusting the package the module resides in
  • 19. TRUST IS TRANSITIVE {-# LANGUAGE Safe #-} •For A to be trusted package module A P must be trusted ... •An -XSafe module may bring in a package trust requirement Package P {-# LANGUAGE Trustworthy #-} module B ...
  • 20. PACKAGE TRUST • ghc-pkg trust <pkg> • ghc-pkg distrust <pkg> • ghc -trust <pkg> ... • ghc -distrust <pkg> ... • ghc -distrust-all-packages ...
  • 21. SAFE IMPORTS •One extension to the Haskell language: import safe M •Allows module author to specify that M must be trusted for the import to succeed •Under -XSafe all imports are safe imports (keyword implicit) •Under -XTrustworthy the module author can choose
  • 22. PROBLEMS WITH 7.2 • Current description is of Safe Haskell in 7.2 • Issue with operation of package trust • Causes Safe Haskell to be invasive, infect the world!
  • 23. BUILD ERRORS “I'm running into a lot of issues like the following: libraries/hoopl/src/Compiler/Hoopl/Collections.hs:14:1: base:Data.List can't be safely imported! The package (base) the module resides in isn't trusted.”
  • 24. PACKAGE TRUST REIFIED • In 7.4, we won’t require that the package a Trustworthy module resides in be trusted for the compilation to succeed • -XTrustworthy modules will simply be trusted by default • New -fpackage-trust flag to enable old behavior of 7.2 • This flag should always be used if you are compiling untrusted code
  • 25. SAFE INFERENCE Unreasonable to expect the Haskell world to all start putting explicit -XSafe and -XTrustworthy pragmas in their files. So in 7.4: •Safe status of a module will be inferred •New -XUnsafe flag to explicitly mark a module as unsafe so that it can’t be imported by untrusted code
  • 26. RUNNING EXAMPLE {-# LANGUAGE Unsafe #-} module RIO.Unsafe ( RIO(..) ) where newtype RIO a = UnsafeRIO { runRIO :: IO a } instance Monad RIO where return = UnsafeRIO . return (UnsafeRIO m) >>= k = UnsafeRIO $ m >>= runRIO . k {-# LANGUAGE Trustworthy #-} module RIO.FileAccess ( rioReadFile, rioWriteFile ) where ... pathOK f = {- Implement some policy -} rioReadFile :: FilePath -> RIO String rioReadFile f = UnsafeRIO $ do ok <- pathOK f if ok then readFile f else return “” rioWriteFile :: FilePath -> String -> RIO () rioWriteFile f s = ...
  • 27. RUNNING EXAMPLE {-# LANGUAGE Trustworthy #-} module RIO ( RIO() , runRIO, rioReadFile, rioWriteFile ) where import RIO.Unsafe import safe RIO.FileAccess {-# LANGUAGE Safe #-} module UntrustedPlugin ( runPlugin ) where import RIO runPlugin :: RIO () runPlugin = ...
  • 28. SUMMARY • New language flags: -XSafe, -XTrustworthy, -XUnsafe • New option flag: -fpackage-trust (7.4) • Safe status of a module will be inferred (7.4) Trust your types!
  • 29. FUTURE WORK • Prove safety guarantees • Establish clearer definition of safe and what guarantees trustworthy modules should provide • Machine checking possible here? • Do a retake on Safe language but by starting with a small, proven correct core and expanding out. • Inclusion in the Safe language could be used as a quality bar for new Haskell extensions. • Require formal semantics and proofs
  • 30. SAFE HASKELL In GHC 7.2 Please try out and provide feedback http://www.scs.stanford.edu/~davidt/safehaskell.html