
On Thu, Dec 19, 2013 at 4:54 PM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:

> Probably I am being too naive, but I have written a very simple sandbox
> that seems to be enough to ensure a "safe" execution of a script. It
> simply uses debug hooks to control CPU usage, finalizers to control
> memory usage, and a restricted environment (empty by default) to control
> what the script can call. It would be nice if other people could
> check it. (It assumes Lua 5.2.)

Me likes, although I cannot say whether it is correct, so I assume it is.

One thing I do not grok. To me it seems the memory counting function
is set to be called in nearly all garbage collection events, so only
on finalization; what happens if the script mounts some kind of attack
which does not generate garbage or finalize anything, i.e., something
like [[[ t = {}; while true do t = { t } end ]]] (or a similar thing
eating more memory, and fast enough to send the system thrashing before
hitting the steplimit)?

Also, for sandboxing in an embedded setup, as we already have C code
written, I think it may be better, and maybe faster, to control memory
usage by passing a lua_alloc which keeps track of memory (it's just a
matter of adding nsize-osize to a running total; although the limit
would need to be adjusted to account for garbage, it will be more
realistic: if I want to limit my code to 1Gb, it doesn't matter to me
whether Lua is using it or half is garbage) and to use lua_sethook to
register a C function to keep track of time, or CPU usage if we are
being fancy, in C. Lua sandboxing seems pretty strong, but it seems to
me a state pre-sandboxed in C will be more difficult to subvert even
if more library functions are allowed (not sure, so I just write this
in case you can give an informed opinion).

Francisco Olarte.
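As an added example (not code from the thread or from Roberto's sandbox), the tracking allocator Francisco describes: a function with the lua_Alloc signature that adds nsize-osize to a running total and refuses growth past a limit. The typedef, `mem_tracker` and `limited_alloc` are my own names, declared here so the block compiles without lua.h; with Lua 5.2 present it would be installed via `lua_newstate(limited_alloc, &tracker)`. The lua_sethook half is left out.

```c
#include <stddef.h>
#include <stdlib.h>

/* Same shape as Lua's lua_Alloc: (ud, ptr, osize, nsize) -> ptr.
 * Declared locally so this compiles without lua.h. */
typedef void *(*limited_alloc_fn)(void *ud, void *ptr, size_t osize, size_t nsize);

typedef struct {
    size_t used;    /* running total of bytes currently handed out */
    size_t limit;   /* hard ceiling in bytes; 0 means unlimited */
    size_t denied;  /* how many growth requests were refused */
} mem_tracker;

/* Accounting allocator. Returning NULL for a growth request makes
 * Lua 5.2 run an emergency full GC and retry once, then raise
 * "not enough memory" in the script, so the limit is applied to
 * live data plus whatever garbage the emergency collection left. */
void *limited_alloc(void *ud, void *ptr, size_t osize, size_t nsize)
{
    mem_tracker *t = (mem_tracker *)ud;
    /* Caveat: when ptr is NULL, Lua 5.2 passes the type tag of the
     * object being created in osize, not an old size. Treat it as 0
     * or the total drifts by a few bytes on every new object. */
    size_t old = (ptr == NULL) ? 0 : osize;

    if (nsize == 0) {               /* free request: must always succeed */
        free(ptr);
        t->used -= old;
        return NULL;
    }
    if (nsize > old && t->limit != 0 && t->used + (nsize - old) > t->limit) {
        t->denied++;                /* refuse growth; Lua handles the NULL */
        return NULL;
    }
    void *p = realloc(ptr, nsize);  /* shrinks and in-limit growth go to libc */
    if (p == NULL)
        return NULL;                /* genuine OOM, reported the same way */
    t->used = t->used - old + nsize;
    return p;
}
```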