emacs.d/clones/scheme/docs.racket-lang.org/guide/code-inspectors_protect.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"/><meta name="viewport" content="width=device-width, initial-scale=0.8"/><title>15.4&nbsp;Code Inspectors for Trusted and Untrusted Code</title><link rel="stylesheet" type="text/css" href="../scribble.css" title="default"/><link rel="stylesheet" type="text/css" href="../racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-style.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../doc-site.css" title="default"/><script type="text/javascript" src="../scribble-common.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../doc-site.js"></script><script type="text/javascript" src="../local-redirect/local-redirect.js"></script><script type="text/javascript" src="../local-redirect/local-user-redirect.js"></script><!--[if IE 6]><style type="text/css">.SIEHidden { overflow: hidden; }</style><![endif]--></head><body id="doc-racket-lang-org"><div class="tocset"><div class="tocview"><div class="tocviewlist tocviewlisttopspace"><div class="tocviewtitle"><table cellspacing="0" cellpadding="0"><tr><td style="width: 1em;"><a href="javascript:void(0);" title="Expand/Collapse" class="tocviewtoggle" onclick="TocviewToggle(this,&quot;tocview_0&quot;);">&#9658;</a></td><td></td><td><a href="index.html" class="tocviewlink" data-pltdoc="x">The Racket Guide</a></td></tr></table></div><div class="tocviewsublisttop" style="display: none;" id="tocview_0"><table cellspacing="0" cellpadding="0"><tr><td align="right">1&nbsp;</td><td><a href="intro.html" class="tocviewlink" data-pltdoc="x">Welcome to Racket</a></td></tr><tr><td align="right">2&nbsp;</td><td><a href="to-scheme.html" class="tocviewlink" data-pltdoc="x">Racket Essentials</a></td></tr><tr><td align="right">3&nbsp;</td><td><a href="datatypes.html" class="tocviewlink" data-pltdoc="x">Built-<wbr></wbr>In Datatypes</a></td></tr><tr><td align="right">4&nbsp;</td><td><a href="scheme-forms.html" class="tocviewlink" data-pltdoc="x">Expressions and Definitions</a></td></tr><tr><td align="right">5&nbsp;</td><td><a href="define-struct.html" class="tocviewlink" data-pltdoc="x">Programmer-<wbr></wbr>Defined Datatypes</a></td></tr><tr><td align="right">6&nbsp;</td><td><a href="modules.html" class="tocviewlink" data-pltdoc="x">Modules</a></td></tr><tr><td align="right">7&nbsp;</td><td><a href="contracts.html" class="tocviewlink" data-pltdoc="x">Contracts</a></td></tr><tr><td align="right">8&nbsp;</td><td><a href="i_o.html" class="tocviewlink" data-pltdoc="x">Input and Output</a></td></tr><tr><td align="right">9&nbsp;</td><td><a href="regexp.html" class="tocviewlink" data-pltdoc="x">Regular Expressions</a></td></tr><tr><td align="right">10&nbsp;</td><td><a href="control.html" class="tocviewlink" data-pltdoc="x">Exceptions and Control</a></td></tr><tr><td align="right">11&nbsp;</td><td><a href="for.html" class="tocviewlink" data-pltdoc="x">Iterations and Comprehensions</a></td></tr><tr><td align="right">12&nbsp;</td><td><a href="match.html" class="tocviewlink" data-pltdoc="x">Pattern Matching</a></td></tr><tr><td align="right">13&nbsp;</td><td><a href="classes.html" class="tocviewlink" data-pltdoc="x">Classes and Objects</a></td></tr><tr><td align="right">14&nbsp;</td><td><a href="units.html" class="tocviewlink" data-pltdoc="x">Units</a></td></tr><tr><td align="right">15&nbsp;</td><td><a href="reflection.html" class="tocviewselflink" data-pltdoc="x">Reflection and Dynamic Evaluation</a></td></tr><tr><td align="right">16&nbsp;</td><td><a href="macros.html" class="tocviewlink" data-pltdoc="x">Macros</a></td></tr><tr><td align="right">17&nbsp;</td><td><a href="languages.html" class="tocviewlink" data-pltdoc="x">Creating Languages</a></td></tr><tr><td align="right">18&nbsp;</td><td><a href="con
modules are trusted to use functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=Namespaces.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._module-%7E3enamespace%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">module-&gt;namespace</a></span>
or unsafe modules like <span class="RktSym">ffi/unsafe</span>. When a module is declared,
the value of <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> is associated to the
module declaration. When a module is instantiated (i.e., when the body
of the declaration is actually executed), a sub-inspector is created
to guard the module&rsquo;s exports. Access to the module&rsquo;s <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>
exports requires a code inspector that is stronger (i.e., higher in
the inspector hierarchy) than the module&rsquo;s instantiation inspector;
note that a module&rsquo;s declaration inspector is always stronger than its
instantiation inspector, so modules are declared with the same code
inspector can access each other&rsquo;s exports.</p><p>To distinguish between trusted an untrusted code, load trusted code
first, then set <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> to the result of
<span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=inspectors.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._make-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">make-inspector</a></span><span class="stt"> </span><span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span><span class="RktPn">)</span><span class="RktPn">)</span> to install a weaker
inspector, and finally load untrusted code with the weaker inspector
in place. The weaker inspector should stay in place when any untrusted
code is run. If necessary, trusted code can restore the original
inspector temporarily during the dynamic extent of trusted code (as
long as it does not call back into untrusted code).</p><p>Syntax-object constants within a module, such as literal identifiers
in a template, retain the inspector of their source module. In this
way, a macro from a trusted module can be used within an untrusted
module, and <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a> identifiers in the macro expansion still
work, even through they ultimately appear in an untrusted module. To
prevent abuse of identifiers by extracting them from expanded code,
functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=stxtrans.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._local-expand%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">local-expand</a></span> are <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>, and
functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=Expanding_Top-Level_Forms.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._expand%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">expand</a></span> return <a href="stx-certs.html#%28tech._tainted%29" class="techoutside" data-pltdoc="x"><span class="techinside">tainted</span></a> syntax if not
given a sufficiently powerful inspector.</p><p>Compiled code from a <span class="stt">".zo"</span> file is inherently untrustworthy,
unfortunately, since it can be synthesized by means other than
<span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=eval.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._compile%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">compile</a></span>. When compiled code is written to a <span class="stt">".zo"</span>
file, syntax-object constants within the compiled code lose their
inspectors. All syntax-object constants within compiled code acquire
the enclosing module&rsquo;s declaration-time inspector when the code is
loaded.</p><div class="navsetbottom"><span class="navleft"><form class="searchform"><input class="searchbox" id="searchbox" type="text" tabindex="1" placeholder="...search manuals..." title="Enter a search string to search the manuals" onkeypress="return DoSearchKey(event, this, &quot;8.6&quot;, &quot;../&quot;);"/></form>&nbsp;&nbsp;<a href="https://docs.racket-lang.org/index.html" title="up to the documentation top" data-pltdoc="x" onclick="return GotoPLTRoot(&quot;8.6&quot;);">top</a><span class="tocsettoggle">&nbsp;&nbsp;<a href="javascript:void(0);" title="show/hide table of contents" onclick="TocsetToggle();">contents</a></span></span><span class="navright">&nbsp;&nbsp;<a href="load.html" title="backward to &quot;15.3 Scripting Evaluation and Using load&quot;" data-pltdoc="x">&larr; prev</a>&nbsp;&nbsp;<a href="reflection.html" title="up to &quot;15 Reflection and Dynamic Evaluation&quot;" data-pltdoc="x">up</a>&nbsp;&nbsp;<a href="macros.html" title="forward to &quot;16 Macros&quot;" data-pltdoc="x">next &rarr;</a></span>&nbsp;</div></div></div><div id="contextindicator">&nbsp;</div></body></html>
Add racket guides 2022-09-30 11:00:09 +02:00			`<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">`
			<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"/><meta name="viewport" content="width=device-width, initial-scale=0.8"/><title>15.4 Code Inspectors for Trusted and Untrusted Code</title><link rel="stylesheet" type="text/css" href="../scribble.css" title="default"/><link rel="stylesheet" type="text/css" href="../racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-style.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../doc-site.css" title="default"/><script type="text/javascript" src="../scribble-common.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../doc-site.js"></script><script type="text/javascript" src="../local-redirect/local-redirect.js"></script><script type="text/javascript" src="../local-redirect/local-user-redirect.js"></script><!--[if IE 6]><style type="text/css">.SIEHidden { overflow: hidden; }</style><![endif]--></head><body id="doc-racket-lang-org"><div class="tocset"><div class="tocview"><div class="tocviewlist tocviewlisttopspace"><div class="tocviewtitle"><table cellspacing="0" cellpadding="0"><tr><td style="width: 1em;"><a href="javascript:void(0);" title="Expand/Collapse" class="tocviewtoggle" onclick="TocviewToggle(this,"tocview_0");">►</a></td><td></td><td><a href="index.html" class="tocviewlink" data-pltdoc="x">The Racket Guide</a></td></tr></table></div><div class="tocviewsublisttop" style="display: none;" id="tocview_0"><table cellspacing="0" cellpadding="0"><tr><td align="right">1 </td><td><a href="intro.html" class="tocviewlink" data-pltdoc="x">Welcome to Racket</a></td></tr><tr><td align="right">2 </td><td><a href="to-scheme.html" class="tocviewlink" data-pltdoc="x">Racket Essentials</a></td></tr><tr><td align="right">3 </td><td><a href="datatypes.html" class="tocviewlink" data-pltdoc="x">Built-<wbr></wbr>In Datatypes</a></td></tr><tr><td align="right">4 </td><td><a href="scheme-forms.html" class="tocviewlink" data-pltdoc="x">Expressions and Definitions</a></td></tr><tr><td align="right">5 </td><td><a href="define-struct.html" class="tocviewlink" data-pltdoc="x">Programmer-<wbr></wbr>Defined Datatypes</a></td></tr><tr><td align="right">6 </td><td><a href="modules.html" class="tocviewlink" data-pltdoc="x">Modules</a></td></tr><tr><td align="right">7 </td><td><a href="contracts.html" class="tocviewlink" data-pltdoc="x">Contracts</a></td></tr><tr><td align="right">8 </td><td><a href="i_o.html" class="tocviewlink" data-pltdoc="x">Input and Output</a></td></tr><tr><td align="right">9 </td><td><a href="regexp.html" class="tocviewlink" data-pltdoc="x">Regular Expressions</a></td></tr><tr><td align="right">10 </td><td><a href="control.html" class="tocviewlink" data-pltdoc="x">Exceptions and Control</a></td></tr><tr><td align="right">11 </td><td><a href="for.html" class="tocviewlink" data-pltdoc="x">Iterations and Comprehensions</a></td></tr><tr><td align="right">12 </td><td><a href="match.html" class="tocviewlink" data-pltdoc="x">Pattern Matching</a></td></tr><tr><td align="right">13 </td><td><a href="classes.html" class="tocviewlink" data-pltdoc="x">Classes and Objects</a></td></tr><tr><td align="right">14 </td><td><a href="units.html" class="tocviewlink" data-pltdoc="x">Units</a></td></tr><tr><td align="right">15 </td><td><a href="reflection.html" class="tocviewselflink" data-pltdoc="x">Reflection and Dynamic Evaluation</a></td></tr><tr><td align="right">16 </td><td><a href="macros.html" class="tocviewlink" data-pltdoc="x">Macros</a></td></tr><tr><td align="right">17 </td><td><a href="languages.html" class="tocviewlink" data-pltdoc="x">Creating Languages</a></td></tr><tr><td align="right">18 </td><td><a href="con
			`modules are trusted to use functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=Namespaces.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._module-%7E3enamespace%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">module->namespace</a></span>`
			`or unsafe modules like <span class="RktSym">ffi/unsafe</span>. When a module is declared,`
			`the value of <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> is associated to the`
			`module declaration. When a module is instantiated (i.e., when the body`
			`of the declaration is actually executed), a sub-inspector is created`
			`to guard the module’s exports. Access to the module’s <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>`
			`exports requires a code inspector that is stronger (i.e., higher in`
			`the inspector hierarchy) than the module’s instantiation inspector;`
			`note that a module’s declaration inspector is always stronger than its`
			`instantiation inspector, so modules are declared with the same code`
			`inspector can access each other’s exports.</p><p>To distinguish between trusted an untrusted code, load trusted code`
			`first, then set <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> to the result of`
			<span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=inspectors.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._make-inspector%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">make-inspector</a></span><span class="stt"> </span><span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span><span class="RktPn">)</span><span class="RktPn">)</span> to install a weaker
			`inspector, and finally load untrusted code with the weaker inspector`
			`in place. The weaker inspector should stay in place when any untrusted`
			`code is run. If necessary, trusted code can restore the original`
			`inspector temporarily during the dynamic extent of trusted code (as`
			`long as it does not call back into untrusted code).</p><p>Syntax-object constants within a module, such as literal identifiers`
			`in a template, retain the inspector of their source module. In this`
			`way, a macro from a trusted module can be used within an untrusted`
			`module, and <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a> identifiers in the macro expansion still`
			`work, even through they ultimately appear in an untrusted module. To`
			`prevent abuse of identifiers by extracting them from expanded code,`
			`functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=stxtrans.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._local-expand%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">local-expand</a></span> are <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>, and`
			`functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=Expanding_Top-Level_Forms.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._expand%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">expand</a></span> return <a href="stx-certs.html#%28tech._tainted%29" class="techoutside" data-pltdoc="x"><span class="techinside">tainted</span></a> syntax if not`
			`given a sufficiently powerful inspector.</p><p>Compiled code from a <span class="stt">".zo"</span> file is inherently untrustworthy,`
			`unfortunately, since it can be synthesized by means other than`
			`<span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&rel=eval.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._compile%2529%2529&version=8.6" class="RktValLink Sq" data-pltdoc="x">compile</a></span>. When compiled code is written to a <span class="stt">".zo"</span>`
			`file, syntax-object constants within the compiled code lose their`
			`inspectors. All syntax-object constants within compiled code acquire`
			`the enclosing module’s declaration-time inspector when the code is`
			loaded.</p><div class="navsetbottom"><span class="navleft"><form class="searchform"><input class="searchbox" id="searchbox" type="text" tabindex="1" placeholder="...search manuals..." title="Enter a search string to search the manuals" onkeypress="return DoSearchKey(event, this, "8.6", "../");"/></form>  <a href="https://docs.racket-lang.org/index.html" title="up to the documentation top" data-pltdoc="x" onclick="return GotoPLTRoot("8.6");">top</a><span class="tocsettoggle">  <a href="javascript:void(0);" title="show/hide table of contents" onclick="TocsetToggle();">contents</a></span></span><span class="navright">  <a href="load.html" title="backward to "15.3 Scripting Evaluation and Using load"" data-pltdoc="x">← prev</a>  <a href="reflection.html" title="up to "15 Reflection and Dynamic Evaluation"" data-pltdoc="x">up</a>  <a href="macros.html" title="forward to "16 Macros"" data-pltdoc="x">next →</a></span> </div></div></div><div id="contextindicator"> </div></body></html>