PlasmaLang / plasma

Plasma Programming Language

Scopes that restrict resources for some callees #445

Open PaulBone opened 1 year ago

PaulBone commented 1 year ago

I was listening to a discussion about supply chain attacks where they said what if you import and call some benign code like a logger. It provides a method like:

resource Log ...

func log(message : String) uses Log

Note how it uses the Log resource.

Then you call it in your function:

func do_something() uses Log, PasswordDatabase {
   set_password!(...)   // Uses PasswordDatabase resource
   log!("I set the password")  // Uses the Log resource
}

But one day you update to Logger 3.2 (some supply chain attack or it turns out the author is malicious) and the log call now also uses the PasswordDatabase resource and uses it to steal passwords. You won't see an error in your use of the logger above - but might in other code. Instead it'd be useful to be able to put a scope around some calls to remove the availability of sensitive resources.

scope without_resource PasswordDatabase {
   log!("Hi")
}

or make it an allowlist

scope with_only_resource Log {
   log!("Hi")
}

The remaining problem is that this is opt-in: programmers have to think ahead and be defensive. So maybe other tooling could be built to imply this for inter-library calls and check for changes when libraries are updated. I'm sure it also won't stop all problems: what if the resources you need to give ARE the resources that are sensitive, or an attack doesn't need resources at all, or the resource system itself is vulnerable? But like strong static types, it makes a certain class of problems compile errors.
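To make the proposal concrete, here is an added Python model of the semantics sketched above. It is not Plasma code and not part of the Plasma project; the names `uses`, `without_resource`, `with_only_resource` and `ResourceError`, the two logger "versions", and the check itself are all invented for this sketch. Plasma would reject the bad call at compile time, whereas this toy checks a callee's declared resources against the enclosing scope when the call happens, which is enough to show why the unscoped `do_something` accepts the compromised logger while either scope form rejects it.

```python
"""Toy model of resource-restricting scopes (illustration only, not Plasma)."""
from contextlib import contextmanager
from functools import wraps


class ResourceError(Exception):
    """Raised when a callee declares a resource its scope does not grant."""


# Stack of resource sets usable at the current point. An empty stack models
# the unrestricted top level; a function body pushes exactly what it declared.
_scope_stack = []


def _allowed():
    return _scope_stack[-1] if _scope_stack else None


def _check(name, needed):
    allowed = _allowed()
    if allowed is not None and not needed <= allowed:
        raise ResourceError(
            f"{name} needs {sorted(needed - allowed)}, not granted in this scope")


def uses(*resources):
    """Declare a function's resources, like `func f() uses A, B` in the issue."""
    needed = frozenset(resources)

    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            _check(fn.__name__, needed)      # caller's scope must grant all of them
            _scope_stack.append(needed)      # inside, only the declared set is usable
            try:
                return fn(*args, **kwargs)
            finally:
                _scope_stack.pop()
        wrapper.resources = needed
        return wrapper
    return deco


@contextmanager
def with_only_resource(*resources):
    """Allowlist form: only the named resources are usable inside the block."""
    inner = frozenset(resources)
    allowed = _allowed()
    if allowed is not None and not inner <= allowed:
        raise ResourceError("a scope cannot grant more than its enclosing function has")
    _scope_stack.append(inner)
    try:
        yield
    finally:
        _scope_stack.pop()


@contextmanager
def without_resource(*resources):
    """Denylist form: remove the named resources from the current scope."""
    allowed = _allowed()
    if allowed is None:
        raise ResourceError("without_resource needs an enclosing resource-declaring function")
    _scope_stack.append(allowed - frozenset(resources))
    try:
        yield
    finally:
        _scope_stack.pop()


LOG, PASSWORD_DB = "Log", "PasswordDatabase"


def make_logger(version):
    """Constructed stand-in for two releases of a third-party logger."""
    if version == "3.1":
        @uses(LOG)
        def log(message):
            return f"[log] {message}"
    else:  # "3.2": the update now also declares the PasswordDatabase resource
        @uses(LOG, PASSWORD_DB)
        def log(message):
            return f"[log] {message} (and quietly reads the password database)"
    return log


@uses(PASSWORD_DB)
def set_password(user, password):
    return True


def do_something(log, restriction):
    """The issue's do_something, with the scope choice ('none', 'without', 'only') parameterised."""
    @uses(LOG, PASSWORD_DB)
    def body():
        set_password("alice", "constructed-example-password")
        if restriction == "without":
            with without_resource(PASSWORD_DB):
                return log("I set the password")
        if restriction == "only":
            with with_only_resource(LOG):
                return log("I set the password")
        return log("I set the password")
    return body()


def outcome(version, restriction):
    """Return 'ok' or 'blocked' for a logger version under a given scope choice."""
    try:
        do_something(make_logger(version), restriction)
        return "ok"
    except ResourceError:
        return "blocked"


if __name__ == "__main__":
    for v in ("3.1", "3.2"):
        for r in ("none", "without", "only"):
            print(f"logger {v}, scope {r:8}: {outcome(v, r)}")
```

The interesting row is logger 3.2 with no scope: `do_something` itself declares `PasswordDatabase`, so a callee that suddenly declares it too still type-checks, exactly the silent case the issue describes. Both scope forms turn that same update into an error at the call site, and `with_only_resource` refuses to grant anything the enclosing function does not already have, so a scope can only narrow what a callee gets.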