- Subject: Re: Sandbox implementation, attempt #2
- From: "Soni L." <fakedme@...>
- Date: Sat, 18 Mar 2017 20:52:13 -0300
On 18/03/17 08:35 PM, David F wrote:
> On 18/03/17 10:47 PM, Soni L. wrote:
>> You don't need to worry about 2 and 3 if you disable "os" lib.
> os is disabled except clock, difftime and time.
>> Wrapping "io" lib is painful but possible.
>> Remember to also remove "require", "loadfile", "dofile", etc, then
>> reimplement them using wrapped "io". Use a wrapped "load"/"loadstring"
>> and implement signed bytecode loading so you don't load untrusted
>> bytecode. (With the caveat that a user could manually retrieve the key
>> and manually load untrusted bytecode, but the key isn't portable anyway
>> so it's a non-issue. Just use a secure CSPRNG when the user runs the
>> game for the first time.)
> Did exactly that.
> Bytecode is disabled entirely since there seem to be exploits.
There are no exploits with *signed* bytecode (if you use a CSPRNG and
stuff and implement it correctly), except if you have access to the key
(which only the player should have, NOT the mod author).
For large mods, they could pre-compile themselves on the user's machine
to speed up loading.
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.
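A sketch of the wrapped "load" with signed bytecode that the thread describes, written as an added example for this archive page rather than code from either correspondent. It assumes Lua 5.3 and a hypothetical host-provided `crypto` binding offering `hmac_sha256(key, data)` and `random_bytes(n)` (stock Lua has neither); the key path is a constructed placeholder that the sandboxed "io" wrapper is expected to deny mods access to.

```lua
-- Added example. `crypto` is a hypothetical host binding, not stock Lua.
local crypto = require("crypto")

local Sandbox = {}

-- Per-installation key: generated with the host CSPRNG on first run and
-- stored where the wrapped "io" given to mods cannot read it.
local function load_or_create_key(path)
  local f = io.open(path, "rb")
  if f then local k = f:read("a"); f:close(); return k end
  local k = crypto.random_bytes(32)
  f = assert(io.open(path, "wb")); f:write(k); f:close()
  return k
end

local key = load_or_create_key("secret/bytecode.key")  -- constructed path

-- Compare MACs without leaking where they differ (Lua 5.3 bitwise ops).
local function constant_time_equal(a, b)
  if #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do diff = diff | (a:byte(i) ~ b:byte(i)) end
  return diff == 0
end

-- Compile on the player's machine and sign the result. Only the host,
-- which holds the key, can produce a valid tag; the mod author cannot.
function Sandbox.precompile(source, name)
  local fn, err = load(source, name, "t", {})  -- "t": source text only
  if not fn then return nil, err end
  local bc = string.dump(fn, true)             -- strip debug info
  return bc, crypto.hmac_sha256(key, bc)
end

-- The load() exposed to mods: text chunks always compile; a precompiled
-- chunk (starts with "\27Lua") is accepted only with a valid tag.
function Sandbox.load(chunk, name, env, tag)
  if type(chunk) ~= "string" then return nil, "only string chunks accepted" end
  local mode = "t"
  if chunk:byte(1) == 27 then
    if not (tag and constant_time_equal(crypto.hmac_sha256(key, chunk), tag)) then
      return nil, "unsigned or tampered bytecode rejected"
    end
    mode = "b"
  end
  return load(chunk, name, mode, env)
end

return Sandbox
```

Because `Sandbox.precompile` runs `load` with mode "t", a mod cannot smuggle hand-crafted bytecode through the signing step; only bytecode the host itself compiled ever receives a tag.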