Re: Specification for Trusted PLs?

On Fri, May 28, 2010 at 01:03:15AM +0300, Peter Eisentraut wrote:
> On fre, 2010-05-21 at 14:22 -0400, Robert Haas wrote:
> > On Fri, May 21, 2010 at 2:21 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > >> So... can we get back to coming up with a reasonable
> > >> definition,
> > >
> > > (1) no access to system calls (including file and network I/O)
> > >
> > > (2) no access to process memory, other than variables defined
> > > within the PL.
> > >
> > > What else?
> >
> > Doesn't subvert the general PostgreSQL security mechanisms? Not
> > sure how to formulate that.
>
> Succinctly: A trusted language does not grant access to data that
> the user would otherwise not have.

That's a great definition from a point of view of understanding by
human beings. A whitelist system will work better from the point of
automating tests which, while they couldn't conclusively prove that
something was actually this way, could go a long way toward making
sure that PLs didn't regress into untrusted territory.

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate