On Wed, Mar 20, 2013 at 11:40 AM, Bardur Arantsson <span dir="ltr"><<a href="mailto:spam@scientician.net" target="_blank">spam@scientician.net</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 03/20/2013 07:14 PM, Johan Tibell wrote:> Just as</div><div class="im">
> sandboxing is a better way to run untrusted software than trying to plug<br>
> every whole in your code/RTS,<br>
<br>
</div>(Citation needed). There have been lots of exploits of VMs and<br>
sandboxes. This is also irrelevant to DoS prevention, AFAICT.<br>
<div class="im"><br>
> generic anti-DoS techniques are usually<br>
> better than trying to figure out every possible way someone can DoS you.<br>
<br>
</div>(Citation needed.)<br>
<br>
There's no excuse for not preventing obvious an relatively easily<br>
preventable problems. Security in Depth and all that.</blockquote><div><br></div><div>My only citation is that this is how we do things, but I think you can make a theoretical argument for it as well. This is what I tried to do with the sandboxing analogy.</div>
<div><br></div><div>The reason that sandboxing works well is that it's a whitelist approach (instead of a blacklist approach). I should note that when I talk about sandboxing I don't really mean a VM, but rather a chroot/process isolation approach, like AppEngine. If you only allow the e.g. AppEngine user code to modify the system via a few select RPCs and then block all file system access by default, you can avoid having to audit every single API that the platform offers.</div>
<div><br></div><div>Now, for DoS protection we can do something similar. We have a detector for bad behavior (e.g. long running connections that time out, etc) and a generic mechanism for rejecting such users (IP blocking). That way we don't have to inspect everything the app itself does that could open it up for a DoS attack.</div>
<div><br></div><div>You're of course right that current Haskell frameworks don't do this. There hasn't really been a need yet.</div><div><br></div><div>-- Johan</div><div><br></div></div>