World: r3wp

(Even though the BIND function is "crippled*, but, as proven by the 
above statement, unreasonably so.)

I am asking something really specific (see my last message).

Yes, but I never offered the answer to your question.

Ah, but that is the only question I was asking.

Yes, but my intent was to prove, that the BIND crippling is unreasonable, 
which is provable.

We can plug one hole at a time. What you are requesting is something 
that we are trying to prohibit, and we have good reasons for doing 
so. If there are also other means of doing it, we can address those 
issues later. One issue at a time.

What you are requesting is something that we are trying to prohibit, 
and we have good reasons for doing so. 
 - by the above, I just proved, that you do not

...have good reasons

We are trying to prevent functions from being modified from the outside 
without changing the function (SAME? test), and to allow functions 
to work on information that we want to keep hidden from other code, 
such as when a variable has an unencrypted password in it or other 
sensitive information. Or we could just give up on being able to 
run untrusted code because it's futile, as you are requesting.

Above you mentioned, that the reson is this:


- if I had access to a 'var-a variable bound to the F's context, 
and if I were able to do "some harm" having another variable 'var-b 
bound to the F's context, then that is a good reason why to cripple 
BIND, to not give me the access to the 'var-b bound to the F's context 
as well when the function is not running.

 As stated, I can disprove that as a reason.

Thus, the purported reason is not a reason at all, surely not "good".

My last message had the reasons. What you are talking about are the 
means.

OK, I will cite you exactly:


Sure it is, in some cases. What if 'a is harmless, but 'b refers 
to a password? If you can only CHANGE, not BIND, then leaking a word 
is only as dangerous as leaking what that word refers to. If you 
can BIND using that word as a context, you can get access to *every* 
value referred to by that context, not just the one. So it's still 
potentially a problem to leak a single word (depending on what gets 
assigned to that one word), but not as bad a problem as it could 
be.

That can be easily disproved.

Do you want me to?

OK, prove it without having access to the original body code (a separate 
issue), and while the function isn't running (another separate issue).

Yes, it is easy

Just with access to a reference to the function itself, and and a 
word bound to its context.

Sure, still trivial

Proof:


1) Due to the way how the function contexts are implemented in R3, 
the word 'b in F's context does not refer to a password when F is 
not running.

2) Because of that, I either cannot read the password at all, or 
have to be able to read it somehow, which is possible *only* when 
the function is running. (oherwise, there is no danger of me reading 
the password as is well known)
3) do I have to continue?

Sorry for using the power of logic, but I just am unable to see illogical 
statements as "good reasons".

OK, so you don't have a solution to that problem (darn, I was looking 
forward to that), but you have a proposed proof that it doesn't matter 
because you can't exploit it until the function is running. And since 
the BIND restriction when the function isn't running doesn't apply 
when the function *is* running later, even when applied to the same 
word, then the ban on BIND to a function-context-bound word when 
the function isn't running has no security benefit.


But the ban on BIND to the function! value *itself* still has value, 
because it would defeat the efforts to prevent any bound words from 
leaking out of the function from helping. Otherwise it would be unsafe 
to let untrusted code call safe functions because they would need 
to have a reference to the function in order to call it.

I do have a proof, which disproves your exact citation

But the ban on BIND to the function! value *itself* still has value, 
because it would defeat the efforts to prevent any bound words from 
leaking out of the function from helping. 
 - another disprovable statement

OK, get access to a function context with just a reference to the 
function itself. It doesn't matter if you run the function, because 
the function doesn't leak any bound words.

Why are you stating disprovable statements, and when I call them 
as such, you invent completely unrelated statements requiring me 
to prove them?

And no, using STACK still doesn't count because it's known, and blocked 
if SECURE works.

And, regarding to your "password problem", you are still trying to 
impose unrelated conditions. As is obvious, nobody can read a password 
from a function not referring to it when the function is not running. 
Thus, you cannot purport, that for the security of said password 
it is necessary to forbid something when the function is not running. 
It is not.

The "But the ban on BIND to the function! value *itself*..." statement 
refers to this:
>> not find second types-of :bind function!
== true


The BIND function doesn't accept function! values for its context 
argument. The reason for this is so that functions can prevent access 
to their context from leaking to code *that the function calls* that 
could be exploited while the function is running. All the function 
has to do is not leak bound words, and it's safe. If that doesn't 
work, please show how.

To remind you, I am and was always referring to this:

>> f: func [a b] ['a]
>> bind [b] f 1 2
** Script error: none word is not bound to a context
** Where: bind
** Near: bind [b] f 1 2

The above is unrelated

No, the above is the exact reason for:
>> not find second types-of :bind function!
== true

No...
 - still unrelated

But, the reasons for disallowing the functions as the BIND arguments 
have actually a similar flaw.

a: func [code /stuff] [stuff: "something secret, not a literal string" 
code]


With just a reference to :a, bind 'stuff to the function context. 
The function could be running or not when you get access to the bound 
word 'stuff. The exploit code can then be passed to the function 
in its code argument, which would then have access to the contents 
of 'stuff because the function is running.

your example is too trivial. I get the access to the "something secret..." 
too easily, jut by examining the function body. Don't you have anything 
more complicated?

This is the reason for that particular restriction. If there's a 
workaround that we don't yet know about, let us know so we can plug 
it.

That was just a placeholder. The stuff variable could be the results 
of a prompt to the user for their password, or of a native function 
that decrypts something. One problem at a time.

As said, problem solved. You need something nontrivial to throw at 
me.

No, seriously, I meant it. How do you do this without BIND 'stuff 
:a ?

As said, I do not have to. The string is already there for me to 
read.

Your trouble is, that you do not see, that the triviality of your 
problem matters.

Ignore the particular literal value there, and substitute it with 
something that outside code can't otherwise get access to, like the 
results of a call to a function that is referred to by a PROTECT/hide 
variable.

I cannot, it is up to you to find *any* meaningful example, which 
I am maintaining is impossible.

It is you failing to provide a reason, and, I am actually able to 
prove there is none.

If getting access to 'stuff is the only way to get access to what 
it refers to, how do you get access to 'stuff if all you have is 
:a ?

Any example?

As said, using the properties of REBOL functions, I can easily prove 
you wrong in any case you invent.

blah: module [] [hidden hidden-stuff: "something you want" a: func 
[code /stuff] [stuff: hidden-stuff code]]
blah/a func [] [do something to get access to hidden-stuff]

OK, fine, an example that looks meaningful to you.

So, do I assume correctly, that I cannot examine the BLAH module 
to get the HIDDEN-STUFF value?