sandbox.pl -- Sandboxed Prolog code

Prolog is a full-featured Turing complete programming language in which it is easy to write programs that can harm your computer. On the other hand, Prolog is a logic based query language which can be exploited to query data interactively from, e.g., the web. This library provides safe_goal/1, which determines whether it is safe to call its argument.

See also

- http://www.swi-prolog.org/pldoc/package/pengines.html

To be done

- Handling of ^ and // meta predicates

- Complete set of whitelisted predicates

 safe_call(:Goal)

Call Goal if it complies with the sandboxing rules. Before calling Goal, it performs expand_goal/2, followed by safe_goal/1. Expanding is done explicitly because situations in which safe_call/1 typically concern goals that are not known at compile time.

See also

- safe_goal/1.

 safe_goal(:Goal) is det

True if calling Goal provides no security risc. This implies that:

• The call-graph can be fully expanded. Full expansion stops if a meta-goal is found for which we cannot determine enough details to know which predicate will be called.
• All predicates referenced from the fully expanded are whitelisted by the predicate safe_primitive/1 and safe_meta/2.
• It is not allowed to make explicitly qualified calls into modules to predicates that are not exported or declared public.

Errors

- instantiation_error if the analysis encounters a term in a callable position that is insufficiently instantiated to determine the predicate called.

- permission_error(call, sandboxed, Goal) if Goal is in the call-tree and not white-listed.

 safe(+Goal, +Module, +Parents, +Safe0, -Safe) is semidet[private]

Is true if Goal can only call safe code.

 safe_bodies(+Bodies, +Module, +Parents, +Safe0, -Safe)[private]

Verify the safety of bodies. If a clause was compiled with a qualified module, we consider execution of the body in a different module not a cross-module call.

 safe_list(+Called, +Module, +Parents, +Safe0, -Safe)[private]

Processed objects called through meta predicates. If the called object is in our current context we remove the module qualification to avoid the cross-module check.

 meta_qualify(:G, +M, -QG) is det[private]

Perform meta-qualification of the goal-argument

 goal_id(:Goal, -Id, -Gen) is nondet[private]

Generate an identifier for the goal proven to be safe. We first try to prove the most general form of the goal. If this fails, we try to prove more specific versions.

To be done

- Do step-by-step generalisation instead of the current two levels (most general and most specific).

- We could also use variant_sha1 for the goal ids.

 copy_goal_args(+I, +Term, +Skolem, +Gen) is det[private]

Create the most general form, but keep module qualified arguments because they will likely be called anyway.

 verify_safe_declaration(+Decl)[private]

See whether a safe declaration makes sense. That is, the predicate must be defined (such that the attacker cannot define the predicate), must be sufficiently instantiated and only ISO declared predicates may omit a module qualification.

To be done

- Verify safe_meta/2 declarations. It is a bit less clear what the rules are.

 safe_primitive(?Goal) is nondet[multifile]

True if Goal is safe to call (i.e., cannot access dangerous system-resources and cannot upset other parts of the Prolog process). There are two types of facts. ISO built-ins are declared without a module prefix. This is safe because it is not allowed to (re-)define these primitives (i.e., give them an unsafe implementation) and the way around (redefine_system_predicate/1) is unsafe. The other group are module-qualified and only match if the system infers that the predicate is imported from the given module.

 safe_assert(+Term) is semidet[private]

True if assert(Term) is safe, which means it asserts in the current module. Cross-module asserts are considered unsafe. We only allow for adding facts. In theory, we could also allow for rules if we prove the safety of the body.

 safe_clause(+Head) is semidet[private]

Consider a call to clause safe if it does not try to cross a module boundary. Cross-module usage of clause/2 can extract private information from other modules.

 safe_global_var(+Name) is semidet[private]

True if Name is a global variable to which assertion is considered safe.

 safe_global_variable(Name) is semidet[multifile]

Declare the given global variable safe to write to.

 safe_meta(+Goal, -Called:list(callable)) is semidet[multifile]

Hook. True if Goal is a meta-predicate that is considered safe iff all elements in Called are safe.

 attr_hook_predicates(+Hooks0, +Module, -Hooks) is det[private]

Filter the defined hook implementations. This is safe because (1) calling an undefined predicate is not a safety issue, (2) the user an only assert in the current module and only predicates that have a safe body. This avoids the need to define attribute hooks solely for the purpose of making them safe.

 expand_nt(+NT, ?Xs0, ?Xs, -NewGoal)[private]

Similar to expand_phrase/2, but we do throw errors instead of failing if NT is not sufficiently instantiated.

 safe_meta_call(+Goal, +Context, -Called:list(callable)) is semidet[private]

True if Goal is a meta-predicate that is considered safe iff all elements in Called are safe.

 safe_meta(?Template)[private]

 safe_output(+Output)[private]

True if something is a safe output argument for with_output_to/2 and friends. We do not want writing to streams.

 format_calls(+Format, +FormatArgs, -Calls)

Find ~@ calls from Format and Args.

 prolog:sandbox_allowed_directive(:G) is det[multifile]

Throws an exception if G is not considered a safe directive.

 safe_directive(:Directive) is semidet[multifile]

Hook to declare additional directives as safe. The argument is a term Module:Directive (without :- wrapper). In almost all cases, the implementation must verify that the Module is the current load context as illustrated below. This check is not performed by the system to allow for cases where particular cross-module directives are allowed.

sandbox:safe_directive(M:Directive) :-
    prolog_load_context(module, M),
    ...

 safe_prolog_flag(+Flag, +Value) is det[multifile]

True if it is safe to set the flag Flag to Value.

To be done

- If we can avoid that files are loaded after changing this flag, we can allow for more flags. The syntax flags are safe because they are registered with the module.

 prolog:sandbox_allowed_expansion(:G) is det[multifile]

Throws an exception if G is not considered a safe expansion goal. This deals with call-backs from the compiler for

• goal_expansion/2
• term_expansion/2
• Quasi quotations.

Our assumption is that external expansion rules are coded safely and we only need to be careful if the sandboxed code defines expansion rules.

 prolog:sandbox_allowed_goal(:G) is det[multifile]

Throw an exception if it is not safe to call G