lua-l archive


Hello Lua people!

I am currently realizing some ideas I have had for a long time
regarding fine-grained customizable sandboxes.

I had an earlier research project called "Imaginary Microcomputers"
that explored this (parts of it still online) plus a few other
projects. These projects yielded insights and prototypes; but what
they lacked was the right programming language for the job.
(Noteworthy language candidates included: Assembly, Java, Python, and
"E".)

There are very interesting applications for customizable, light-weight
sandboxes that, to my knowledge, have not been realized anywhere yet.

It all starts with a system that can run untrusted code safely. And
then, optionally, you go on to connect running programs to each other
in a well-defined, restricted way.

I am happy to report that I think I have now finally found a language
that is suitable for implementing this. As you may have guessed by
now: It's Lua :)

Lua seems to provide all the necessary means to create real sandboxes
and extend/modify them the way I want. Even CPU and memory consumption
can be limited, which is an important feature that many other candidate
languages I looked at did not provide.

Here's the project homepage: http://safelua.sf.net

I made a first release with a very simple script runner (safelua.lua)
and two examples, downloadable from the project page.

A general note: I don't intend to really "own" this project. I do want
to maintain my own page about it. And maybe maintain some sort of
steering oversight because I have a vision I want to see realized.
Other than that, I really do welcome any and all collaboration here.
And of course, you can always fork the thing if you feel that your
vision is somehow cooler (hotter?) than mine :)

In fact, if a better system exists that suits all my needs, I will be
happy to throw mine away and use that system instead. However, I don't
know of any such system yet.

So, it does look like we're building something new here.

Many components will want to be realized. A language definition for
Safe Lua (quite simple really, it's just Lua with fewer globals and a
bit of a new API). Safe Lua script runners, textual as well as
graphical. Some simple means to combine scripts with each other.
Standard components that take other scripts as input and/or output
(this is where the real power of the approach begins).

As for possible applications, here's a few:

-Safe, portable, mobile agents
-Execution of untrusted code without worries
-Migrating running code from one machine to another with a single click
-Cloning running programs with equally little effort
-Orthogonal or semi-orthogonal persistence
-Logging of each and all activity, including full replayability - live
or post-mortem
-Self-unpacking data with arbitrary algorithms (procedural compression)
-A complete "Safe Lua OS" could be developed, providing perfect
portability and much better and easier to handle security than
traditional OSes

So... well well. As I said before: Contributions, questions or ideas
will be very appreciated. (Don't flame me though... I might flame
back! *grins broadly*)

Best regards to you all,

Stefan Reich
Software enthusiast / Activist of the German revolution
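
An added illustration, not part of the original post and not code from the Safe Lua project: a minimal sketch of the two mechanisms the message relies on, a reduced global environment and a CPU limit enforced with an instruction-count hook. The names `make_env`, `compile` and `run_limited` are hypothetical, and stock PUC-Lua (5.1 to 5.4) is assumed.

```lua
-- Added illustration; not the Safe Lua project's code. Assumes PUC-Lua 5.1-5.4.
-- Whitelisted globals only: io, os, require, load, debug and pcall are absent.
local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    math = { floor = math.floor, max = math.max, min = math.min },
    table = { insert = table.insert, concat = table.concat },
  }
end

-- Compile source text only: precompiled chunks are not verified by the VM,
-- so anything starting with the bytecode signature byte is refused.
local function compile(src, env)
  if src:sub(1, 1) == "\27" then return nil, "bytecode rejected" end
  if setfenv then                              -- Lua 5.1
    local f, err = loadstring(src, "=untrusted")
    if f then setfenv(f, env) end
    return f, err
  end
  return load(src, "=untrusted", "t", env)     -- Lua 5.2 and later
end

-- Run the chunk in its own coroutine with a count hook that raises an error
-- every max_steps VM instructions. The sandboxed code has no pcall, so it
-- cannot swallow the error and keep running.
local function run_limited(src, max_steps)
  local f, err = compile(src, make_env())
  if not f then return false, err end
  local co = coroutine.create(f)
  debug.sethook(co, function()
    error("instruction quota exceeded", 0)
  end, "", max_steps)
  return coroutine.resume(co)
end

-- Constructed sample inputs.
print(run_limited("return 1 + 1", 1e5))
print(run_limited("while true do end", 1e5))
print(run_limited("return type(io), type(os), type(require)", 1e5))

-- Caveats: string methods stay reachable through the shared string metatable
-- (e.g. ("x"):rep(n)), and the count hook does not interrupt a running C
-- function. Memory limits are not shown; they need a custom allocator passed
-- to lua_newstate on the C side.
```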