Re: Specification for Trusted PLs?

On Fri, May 28, 2010 at 01:03:15AM +0300, Peter Eisentraut wrote:
> On fre, 2010-05-21 at 14:22 -0400, Robert Haas wrote:
> > On Fri, May 21, 2010 at 2:21 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > > Robert Haas <robertmhaas@gmail.com> writes:
> > >> So... can we get back to coming up with a reasonable
> > >> definition,
> > >
> > > (1) no access to system calls (including file and network I/O)
> > >
> > > (2) no access to process memory, other than variables defined
> > > within the PL.
> > >
> > > What else?
> > 
> > Doesn't subvert the general PostgreSQL security mechanisms?  Not
> > sure how to formulate that.
> 
> Succinctly: A trusted language does not grant access to data that
> the user would otherwise not have.

That's a great definition from a point of view of understanding by
human beings.  A whitelist system will work better from the point of
automating tests which, while they couldn't conclusively prove that
something was actually this way, could go a long way toward making
sure that PLs didn't regress into untrusted territory.

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate