- Subject: Making LUA safe to execute untrusted scripts
- From: "Luc Van den Borre" <luc@...>
- Date: Tue, 18 Apr 2000 00:29:50 +0200
| Ok, but we really think that it is important for an embedded language to be
| as safe as possible; in particular, it should not be easy or even possible to
| crash a host program from within Lua.
| >> Programs that need fine control of memory allocation should then write these
| >> critical routines in C,
I'm interested in mobile code - (LUA) code received by an application from an external, perhaps untrusted source.
Say you've got an application that wants to execute this code, but you've got certain security standards. For example:
- restrictions on file-access
- CPU usage limitations (which would probably mean pre-emptive multitasking between scripts)
- memory limitations (no more than a fixed amount of memory to play with)
- time limitations (run no longer than a fixed amount of cycles or get killed)
- doesn't crash - or at least crashes nicely without taking down the host program
In my naive view, these seem like a good set of minimum requirements. I realise ensuring a general-purpose program is
'safe' is hard. It seems to be the subject of some ongoing research, e.g.:
- Certifying compiled code : http://www.cs.cornell.edu/kozen/secure/
- Proof-carrying code: http://www.cs.princeton.edu/sip/projects/pcc/
- Compiling to typed assembly language (which can be proven to be safe): http://www.cs.cornell.edu/talc/
- http://www.cs.cornell.edu/kozen/papers/lbs.ps is a very interesting introduction with a nice overview of several
Now, I'm a games programmer (yet another one of those ;0) ), not a computer scientist. I'd like to make it possible for
users to download scripts from other users, without fear of harming their system. In fact, these scripts might be
downloaded by the application (game) without the user even knowing about it.
The application would provide a set of operating-system like functions to the LUA script writer (e.g. file write, but to
a file system separate from the host's file system). Library functions that could breach security would be removed.
Here's an example of the kind of scripts I'd like to see. Let's say I've got an online game, a multi-user role playing
game for example, and I want to make it possible for a user to create new objects in this game.
Say an enterprising player decides to code a drinks machine. As a player, you push a button on the machine, and it spits
out a can of soft drink which, when you drink it, has some funny effect - e.g. it makes you burp.
So, our coder has to create some artwork: a vending machine, a can, and a .wav file of a burp. Then he needs to write
some code: a script attached to the (button on the) vending machine, and one for the can. Presumably, when the user
'acts' upon the vending machine, the attached script handles a callback from the game, and creates a can of coke. The
script attached to the can of coke handles the drinking of it, etc.
It quickly gets more complex when you start asking (virtual) money for the can as well, but that's another topic. And
all this opens up a can of social (virtual) worms, beside the technical problems, but that's another matter...
What I'd like to ask the list, especially the LUA developers, is whether this is in the realms of the possible...
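The requirements listed in the message (restricted file access, an instruction budget, a memory cap, no host crash) map onto a small host-side sandbox. The following is an added example, not code from the thread or from the Lua project; it assumes Lua 5.2 or later (which postdates this 2000 discussion), and the `vfs`, `make_env` and `run_sandboxed` names and the in-memory file system are constructed for illustration.

```lua
-- Added example: a minimal host-side sandbox for untrusted Lua scripts.
-- Assumes Lua 5.2+ (load() with an environment argument).

-- Constructed in-memory "file system": scripts write here, never to the host disk.
local vfs = {}

-- The only globals an untrusted script gets. io, os, load, require, debug and
-- getmetatable are deliberately absent. Caveat: string methods stay reachable
-- through the string metatable (("x"):rep(n)), so only trim what matters.
local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, tostring = tostring,
    tonumber = tonumber, type = type, select = select,
    string = { format = string.format, sub = string.sub, len = string.len,
               upper = string.upper, lower = string.lower, rep = string.rep },
    math = math, table = { insert = table.insert, concat = table.concat },
    file_write = function(name, data) vfs[name] = data end,
    file_read  = function(name) return vfs[name] end,
  }
end

-- Runs untrusted source with an instruction budget and a memory ceiling in KB.
-- Returns true plus the script's results, or false plus an error message; a
-- misbehaving script is aborted instead of taking down the host.
local function run_sandboxed(src, max_instructions, max_kb)
  -- "t" = text chunks only (no precompiled bytecode), with its own environment
  local chunk, err = load(src, "=untrusted", "t", make_env())
  if not chunk then return false, "compile error: " .. err end
  local co = coroutine.create(chunk)
  local used = 0
  -- Count hook fires every 1000 VM instructions; an error raised inside the hook
  -- unwinds the coroutine and surfaces as a failed resume.
  debug.sethook(co, function()
    used = used + 1000
    if used > max_instructions then error("instruction budget exceeded", 0) end
    -- Coarse check: collectgarbage("count") covers the whole Lua state. A strict
    -- per-script limit needs a custom allocator (lua_setallocf) on the C side.
    if collectgarbage("count") > max_kb then error("memory limit exceeded", 0) end
  end, "", 1000)
  local ok, res = coroutine.resume(co)
  debug.sethook(co)  -- clear the hook once the script has finished or been killed
  return ok, res
end

-- Constructed sample scripts: one well behaved, one that loops forever and is
-- cut off by the budget, one that reaches for io and simply finds no such global.
print(run_sandboxed([[file_write("note.txt", "burp") return file_read("note.txt")]], 1e6, 4096))
print(run_sandboxed([[while true do end]], 1e6, 4096))
print(run_sandboxed([[return io.open("/etc/passwd")]], 1e6, 4096))
```

Run with any Lua 5.2+ interpreter; the hook-based limits are per VM instruction count, so a script stuck inside a single long C call (for example a huge `string.rep`) is bounded by the memory check rather than the instruction budget.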