Did you know ... Search Documentation:
sandbox.pl -- Sandboxed Prolog code
PublicShow source

Prolog is a full-featured Turing complete programming language in which it is easy to write programs that can harm your computer. On the other hand, Prolog is a logic based query language which can be exploited to query data interactively from, e.g., the web. This library provides safe_goal/1, which determines whether it is safe to call its argument.

See also
- http://www.swi-prolog.org/pldoc/package/pengines.html
To be done
- Handling of ^ and // meta predicates
- Complete set of whitelisted predicates
Source safe_call(:Goal)
Call Goal if it complies with the sandboxing rules. Before calling Goal, it performs expand_goal/2, followed by safe_goal/1. Expanding is done explicitly because situations in which safe_call/1 typically concern goals that are not known at compile time.
See also
- safe_goal/1.
Source safe_goal(:Goal) is det
True if calling Goal provides no security risc. This implies that:
  • The call-graph can be fully expanded. Full expansion stops if a meta-goal is found for which we cannot determine enough details to know which predicate will be called.
  • All predicates referenced from the fully expanded are whitelisted by the predicate safe_primitive/1 and safe_meta/2.
  • It is not allowed to make explicitly qualified calls into modules to predicates that are not exported or declared public.
Errors
- instantiation_error if the analysis encounters a term in a callable position that is insufficiently instantiated to determine the predicate called.
- permission_error(call, sandboxed, Goal) if Goal is in the call-tree and not white-listed.
Source safe(+Goal, +Module, +Parents, +Safe0, -Safe) is semidet[private]
Is true if Goal can only call safe code.
Source safe_bodies(+Bodies, +Module, +Parents, +Safe0, -Safe)[private]
Verify the safety of bodies. If a clause was compiled with a qualified module, we consider execution of the body in a different module not a cross-module call.
Source safe_list(+Called, +Module, +Parents, +Safe0, -Safe)[private]
Processed objects called through meta predicates. If the called object is in our current context we remove the module qualification to avoid the cross-module check.
Source meta_qualify(:G, +M, -QG) is det[private]
Perform meta-qualification of the goal-argument
Source goal_id(:Goal, -Id, -Gen) is nondet[private]
Generate an identifier for the goal proven to be safe. We first try to prove the most general form of the goal. If this fails, we try to prove more specific versions.
To be done
- Do step-by-step generalisation instead of the current two levels (most general and most specific).
- We could also use variant_sha1 for the goal ids.
Source copy_goal_args(+I, +Term, +Skolem, +Gen) is det[private]
Create the most general form, but keep module qualified arguments because they will likely be called anyway.
Source verify_safe_declaration(+Decl)[private]
See whether a safe declaration makes sense. That is, the predicate must be defined (such that the attacker cannot define the predicate), must be sufficiently instantiated and only ISO declared predicates may omit a module qualification.
To be done
- Verify safe_meta/2 declarations. It is a bit less clear what the rules are.
Source safe_primitive(?Goal) is nondet[multifile]
True if Goal is safe to call (i.e., cannot access dangerous system-resources and cannot upset other parts of the Prolog process). There are two types of facts. ISO built-ins are declared without a module prefix. This is safe because it is not allowed to (re-)define these primitives (i.e., give them an unsafe implementation) and the way around (redefine_system_predicate/1) is unsafe. The other group are module-qualified and only match if the system infers that the predicate is imported from the given module.
Source safe_assert(+Term) is semidet[private]
True if assert(Term) is safe, which means it asserts in the current module. Cross-module asserts are considered unsafe. We only allow for adding facts. In theory, we could also allow for rules if we prove the safety of the body.
Source safe_clause(+Head) is semidet[private]
Consider a call to clause safe if it does not try to cross a module boundary. Cross-module usage of clause/2 can extract private information from other modules.
Source safe_global_var(+Name) is semidet[private]
True if Name is a global variable to which assertion is considered safe.
Source safe_global_variable(Name) is semidet[multifile]
Declare the given global variable safe to write to.
Source safe_current_predicate(+X)[private]
current_predicate/1 is safe when not used with qualification.
Source safe_meta(+Goal, -Called:list(callable)) is semidet[multifile]
Hook. True if Goal is a meta-predicate that is considered safe iff all elements in Called are safe.
Source attr_hook_predicates(+Hooks0, +Module, -Hooks) is det[private]
Filter the defined hook implementations. This is safe because (1) calling an undefined predicate is not a safety issue, (2) the user an only assert in the current module and only predicates that have a safe body. This avoids the need to define attribute hooks solely for the purpose of making them safe.
Source expand_nt(+NT, ?Xs0, ?Xs, -NewGoal)[private]
Similar to expand_phrase/2, but we do throw errors instead of failing if NT is not sufficiently instantiated.
Source safe_meta_call(+Goal, +Context, -Called:list(callable)) is semidet[private]
True if Goal is a meta-predicate that is considered safe iff all elements in Called are safe.
Source safe_meta(?Template)[private]
Source safe_output(+Output)[private]
True if something is a safe output argument for with_output_to/2 and friends. We do not want writing to streams.
Source format_calls(+Format, +FormatArgs, -Calls)
Find ~@ calls from Format and Args.
Source prolog:sandbox_allowed_directive(:G) is det[multifile]
Throws an exception if G is not considered a safe directive.
Source safe_directive(:Directive) is semidet[multifile]
Hook to declare additional directives as safe. The argument is a term Module:Directive (without :- wrapper). In almost all cases, the implementation must verify that the Module is the current load context as illustrated below. This check is not performed by the system to allow for cases where particular cross-module directives are allowed.
sandbox:safe_directive(M:Directive) :-
    prolog_load_context(module, M),
    ...
Source safe_prolog_flag(+Flag, +Value) is det[multifile]
True if it is safe to set the flag Flag to Value.
To be done
- If we can avoid that files are loaded after changing this flag, we can allow for more flags. The syntax flags are safe because they are registered with the module.
Source prolog:sandbox_allowed_expansion(:G) is det[multifile]
Throws an exception if G is not considered a safe expansion goal. This deals with call-backs from the compiler for

Our assumption is that external expansion rules are coded safely and we only need to be careful if the sandboxed code defines expansion rules.

Source prolog:sandbox_allowed_goal(:G) is det[multifile]
Throw an exception if it is not safe to call G