Prevent function from accessing the Kernel instance?

[jphorv-bdo]

We need the ability to isolate an SK function from the software running it - this is because we are allowing function authors to plug-in code in a "less-than-full-trust" environment. Specifically, we want to prevent an SK function from having a parameter of type Kernel, because through the Kernel a function can access:

• the kernel's service provider (IServiceProvider), which contains a mix of services:
  • services the kernel needs to operate, but shouldn't be used by functions directly
  • services needed by functions but not the kernel
• the kernel's other SK functions, including the ability to invoke them directly.

We tried implementing the approach described in Transforming Semantic Kernel Functions and found it insufficient - that approach can change a parameter from LLM-provided to code-provided, but it is not able to override the values given to function parameters of the "special" types, like KernelFunction, Kernel, KernelArguments, etc.

In addition to those "special" parameter types, the FromKernelServicesAttribute feature is another way to break isolation.

Our current solution is that we must manually review the code of every pluggable SK function, looking for undesirable behavior. We know that pluggable code will always have risk, short of having a full-featured code isolation model. However, this is not a zero-trust environment - as I described above, it is a "less than full" trust environment. We don't need Fort Knox, we don't need to lock down determined malicious actors - we just need a mechanism to prevent the average developer from tinkering with the host application.

[moonbox3]

Adding @markwallace-microsoft for visibility.

[markwallace-microsoft]

@jphorv-bdo have you tried creating a new Kernel instance to pass to the function being wrapped? This would isolate the function from the Kernel instance being used to handle the request.

As you noted because the untrusted code run's in the same process it won't be fully secure.

    /// <summary>
    /// Create a <see cref="KernelFunction"/> instance from the provided instance which only includes permitted parameters.
    /// The function method will add additional argument values before calling the original function.
    /// </summary>
    private static KernelFunction CreateFunctionWithParameters(KernelFunction function, IncludeKernelParameter includeKernelParameter, UpdateKernelArguments updateKernelArguments)
    {
        var method = (Kernel kernel, KernelFunction currentFunction, KernelArguments arguments, CancellationToken cancellationToken) =>
        {
            // create a new Kernel and KernelArguments to isolate the origin function
            Kernel isolatedKernel ...
            KernelArguments isolatedArguments ...
            return function.InvokeAsync(isolatedKernel, isolatedArguments, new , cancellationToken);
        };

        var options = new KernelFunctionFromMethodOptions()
        {
            FunctionName = function.Name,
            Description = function.Description,
            Parameters = CreateParameterMetadataWithParameters(function.Metadata.Parameters, includeKernelParameter),
            ReturnParameter = function.Metadata.ReturnParameter,
        };

        return KernelFunctionFactory.CreateFromMethod(method, options);
    }

[jphorv-bdo]

I had not tried creating a new Kernel instance. I tried just now.

It does execute, but: the "real" Kernel has 2 items in FunctionInvocationFilters and copying those into the isolatedKernel's list causes them to be invoked (good), but those filters themselves have reflection-accessible members I'd rather not expose.

A related issue: I'd have to wrap every method-based SK function this way because there is no way of knowing if a function method has a Kernel parameter: they don't show up in KernelParameterMetadata, and the original MethodInfo isn't preserved by the created KernelFunctionFromMethod object (which is also internal).