It’s a shame nothing seems to have come of this — he hasn’t blogged since, and doesn’t seem to have anything related on GitHub.
My main uncertainty about a protocol like this, where you can run sandboxed code remotely, is how to deal with DoS vulnerabilities by way of infinite loops, expensive queries, etc. Do you just kill a sandboxed task after it runs for X ms or allocates Y amount of memory?
Seems like a losing battle, doesn’t it? If you somewhat trust the people sending you code, you could probably get away with Lua-style “max N instructions / max M RAM” or something. But if you don’t trust the caller... at least intuitively it feels like you end up in the realm of browser vendors, mounting an endless arms race as people learn to exploit new features you add.
I’ve recently written about half of a spellserver (entrypoint, support library) in Monte, a dialect of E which supports auditors like DeepFrozen. Indeed, Monte modules are DeepFrozen and could plausibly be used as spells. The main difficulty is that we really did need both the cryptographic libraries as builtin routines and also E-style auditors, and we’ll need to develop orthogonal persistence as well.
Along similar lines, I imagine that the author would argue that their work with Agoric is towards a platform which can host spellservers; it includes the necessary cryptographic primitives, code auditing, and orthogonal persistence. It’s also blockchain-oriented, which is explicitly something I don’t want to require, but I am happy to see diversity in our ecosystem.
I agree that even the most trivial of expensive queries can be debilitating. I have an old Monte issue about integer exponentiation, for example. The only solution I know of which reliably works is metainterpretation, where the runtime hosting the code is able to delimit itself somehow and then execute the entirety of the hosted code within that delimiter.
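To make the “max N instructions / max M RAM” idea from the earlier comment and the metainterpretation approach from this one concrete, here is an added example that is not code from the original post, from Monte, or from any of the commenters. It is a hypothetical budgeted metainterpreter for a tiny integer-only subset of Python syntax: the host parses the untrusted source with the standard `ast` module and walks the tree itself, charging one step per node visited and refusing any integer whose bit length exceeds the memory budget. Exponentiation is pre-checked on the operand sizes so that something like `10 ** 10 ** 10` is refused before the host tries to allocate it, which is the class of expensive query the comment above describes. The names `Metainterpreter`, `run_spell` and `ResourceExhausted` are illustrative, not from any real project.

```python
import ast
import operator


class ResourceExhausted(Exception):
    """Raised when hosted code exceeds its step or memory budget."""


_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_CMPOPS = {
    ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
    ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


class Metainterpreter:
    """Hypothetical host that runs untrusted code inside a delimited budget.

    Every AST node visited costs one step; every integer produced must fit in
    max_bits. Both checks happen before the host would do unbounded work.
    """

    def __init__(self, max_steps, max_bits):
        self.max_steps = max_steps
        self.max_bits = max_bits
        self.steps = 0
        self.env = {}

    def _tick(self):
        self.steps += 1
        if self.steps > self.max_steps:
            raise ResourceExhausted("step budget exhausted")

    def _check_int(self, value):
        if isinstance(value, int) and value.bit_length() > self.max_bits:
            raise ResourceExhausted("integer exceeds memory budget")
        return value

    def run(self, source):
        tree = ast.parse(source, mode="exec")
        for stmt in tree.body:
            self._exec(stmt)
        return dict(self.env)

    def _exec(self, node):
        self._tick()
        if isinstance(node, ast.Assign):
            (target,) = node.targets
            self.env[target.id] = self._eval(node.value)
        elif isinstance(node, ast.While):
            # The test is re-evaluated (and charged) on every iteration, so an
            # infinite loop exhausts the step budget instead of the host's CPU.
            while self._eval(node.test):
                for stmt in node.body:
                    self._exec(stmt)
        elif isinstance(node, ast.If):
            branch = node.body if self._eval(node.test) else node.orelse
            for stmt in branch:
                self._exec(stmt)
        elif isinstance(node, ast.Expr):
            self._eval(node.value)
        else:
            raise ValueError("unsupported statement: %s" % type(node).__name__)

    def _eval(self, node):
        self._tick()
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, bool)):
            return self._check_int(node.value)
        if isinstance(node, ast.Name):
            return self.env[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return self._check_int(-self._eval(node.operand))
        if isinstance(node, ast.BinOp):
            left = self._eval(node.left)
            right = self._eval(node.right)
            if isinstance(node.op, ast.Pow):
                # b**e has roughly e * bits(b) bits: refuse on the operands,
                # before allocating, rather than on the (possibly huge) result.
                if right < 0 or right * max(left.bit_length(), 1) > self.max_bits:
                    raise ResourceExhausted("exponentiation would exceed memory budget")
                return self._check_int(left ** right)
            op = _BINOPS.get(type(node.op))
            if op is None:
                raise ValueError("unsupported operator: %s" % type(node.op).__name__)
            return self._check_int(op(left, right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            op = _CMPOPS[type(node.ops[0])]
            return op(self._eval(node.left), self._eval(node.comparators[0]))
        raise ValueError("unsupported expression: %s" % type(node).__name__)


def run_spell(source, max_steps=10_000, max_bits=4096):
    """Run untrusted source under a budget; return (env, None) or (None, reason)."""
    interp = Metainterpreter(max_steps, max_bits)
    try:
        return interp.run(source), None
    except ResourceExhausted as exc:
        return None, str(exc)
```

The point of doing this as a metainterpreter rather than with a wall-clock timeout is that the budget is checked at every node the hosted code touches, so a tight loop, repeated squaring, and a single huge exponentiation are all caught at the same place by the same mechanism, and the host never commits to the expensive operation first and kills it afterwards.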