On 16 Jan 2007, at 5:46 am, Chris Mungall wrote:
> Let's say I wanted to allow people to send queries to a Prolog
> database over HTTP. This would obviously be a massive security hole.
Right.
>
>
> However, if their query/program was limited to a fixed set of
> predicates (no I/O), and there was a clever way to check the second
> argument of bagof/3 then could this be made safe?
Sure. Trivial proof: limit the set of predicates to true/0 and fail/0.
>
> The safest way would be through a meta-circular interpreter; a more
> efficient but perhaps more difficult way would be through static
> analysis (HiLog would be banned, making this easier)
What do you need a meta-circular interpreter for?
(For one thing, why should your query language be able to interpret
itself?)
You need to define SOME query language using Prolog term syntax
(given that you want to send Prolog terms over the link).
You need to have SOME safety filter which walks over a query
in your query language, "compiling" it to a Prolog goal as you
go. In easy cases, compiling could be the identity transformation.
You then execute the query using call/1.
_In general_ using call/1 is a security hole,
but not when you have just checked that it's OK.
>
> Are there any implementations out there?
The process as described is pretty trivial.
A starting point might be
"A query is OK if it is
- a callable term which is
- a call to a predicate exported from 'mysafe:' module or
- a call to one of a short list of built-in predicates or
- a bunch of safe queries combined using
     (_ , _)   (_ ; _)   (_ -> _)   (_ -> _ ; _)   \+ (_)
  or any other control structures you deem safe."
Compilation adds 'mysafe:' in front of the subgoals that need it.
Labour: about one page of trivial code.
------------
For further info, please visit http://www.swi-prolog.org/
To unsubscribe, send a plaintext mail with "unsubscribe prolog <e-mail>"
in its body to majordomo@...
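The "one page of trivial code" sketched in the reply above, as an added worked example for SWI-Prolog; it is not code from the thread or from SWI-Prolog itself. The module name mysafe, the data predicates parent/2 and ancestor/2 with their constructed facts, and the allowlists safe_pred/1 and safe_builtin/1 are all assumptions for illustration. It also covers the bagof/3 question from the quoted mail: the goal argument of bagof/setof/findall is walked by the same checker, with V^Goal accepted only there.

```prolog
% safe_query.pl -- added example, not part of the original mailing-list post.
% A whitelist "compiler" from untrusted Prolog terms to a goal that is safe
% to hand to call/1.  Run with:  swipl -g demo -t halt safe_query.pl

% Constructed sample data, placed in the (assumed) module mysafe.
% Bodies are fully qualified so they do not depend on the source module.
mysafe:parent(tom, bob).
mysafe:parent(bob, ann).
mysafe:parent(ann, joe).
mysafe:ancestor(X, Y) :- mysafe:parent(X, Y).
mysafe:ancestor(X, Z) :- mysafe:parent(X, Y), mysafe:ancestor(Y, Z).

% Predicates from mysafe that a remote user may call (assumed allowlist).
safe_pred(parent/2).
safe_pred(ancestor/2).

% Side-effect-free built-ins we are willing to expose.  call/1, assert/1,
% shell/1 and friends are deliberately absent.
safe_builtin(true/0).
safe_builtin(fail/0).
safe_builtin((=)/2).
safe_builtin((\=)/2).
safe_builtin((==)/2).
safe_builtin((\==)/2).
safe_builtin(atom/1).
safe_builtin(nonvar/1).

%% safe_compile(+Query, -Goal) is semidet.
%  Walks Query and builds Goal; fails (query rejected) on anything not on
%  the whitelist.  An unbound subgoal is rejected because call/1 would run
%  whatever it gets bound to later.  Control constructs are rebuilt with
%  their checked arguments; user predicates get the mysafe: prefix.
safe_compile(Q, _) :- var(Q), !, fail.
safe_compile((A , B), (CA , CB)) :- !, safe_compile(A, CA), safe_compile(B, CB).
safe_compile((A ; B), (CA ; CB)) :- !, safe_compile(A, CA), safe_compile(B, CB).
safe_compile((A -> B), (CA -> CB)) :- !, safe_compile(A, CA), safe_compile(B, CB).
safe_compile(\+ A, \+ CA) :- !, safe_compile(A, CA).
safe_compile(findall(T, G, L), findall(T, CG, L)) :- !, safe_compile(G, CG).
safe_compile(bagof(T, G, L), bagof(T, CG, L)) :- !, safe_compile_free(G, CG).
safe_compile(setof(T, G, L), setof(T, CG, L)) :- !, safe_compile_free(G, CG).
safe_compile(G, mysafe:G) :- callable(G), functor(G, N, A), safe_pred(N/A), !.
safe_compile(G, G) :- callable(G), functor(G, N, A), safe_builtin(N/A), !.

%% safe_compile_free(+Goal, -Checked) is semidet.
%  The goal argument of bagof/setof may carry V^ prefixes marking free
%  variables.  ^/2 is accepted only here; as a plain goal it would be an
%  unlisted predicate and is rejected by safe_compile/2.
safe_compile_free(G, _) :- var(G), !, fail.
safe_compile_free(V^G, V^CG) :- !, safe_compile_free(G, CG).
safe_compile_free(G, CG) :- safe_compile(G, CG).

%% safe_query(+Query) is nondet.
%  The only place call/1 is used, and only on a goal safe_compile/2 has
%  just vetted.  Rejected queries raise an error instead of running.
safe_query(Q) :-
    (   safe_compile(Q, G)
    ->  call(G)
    ;   throw(error(permission_error(execute, query, Q), safe_query/1))
    ).

% Demonstration: two accepted queries, then a few hostile ones.
demo :-
    findall(W, safe_query(ancestor(tom, W)), Ws),
    writeln(descendants_of_tom = Ws),
    safe_query(setof(D, A^ancestor(A, D), Ds)),
    writeln(all_descendants = Ds),
    forall(member(Bad, [ shell('rm -rf /'),      % I/O built-in, not listed
                         (X = shell(ls), X),      % variable goal
                         call(parent(_, _)),      % call/1 not listed
                         user:parent(_, _),       % :/2 not listed
                         (A2 ^ shell(ls))         % ^/2 outside bagof/setof
                       ]),
           (   safe_compile(Bad, _)
           ->  writeln(accepted(Bad))
           ;   writeln(rejected(Bad))
           )).
```

Two caveats a practitioner would add before putting this behind HTTP. First, the filter bounds what is called but not how long it runs: ancestor/2 over a cyclic fact base loops forever, so wrap the call in call_with_time_limit/2 from library(time) or call_with_depth_limit/3. Second, the allowlist is only as safe as the predicates on it: anything exported from mysafe that itself passes user-supplied terms to call/1, assert/1 or the like reopens the hole the checker just closed.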