LuaJIT sandboxing

Post by I~=Spam »

Well, after a lot of effort I got LuaJIT sandboxing working. :ultraglee: The sandbox is just a coroutine with a limited environment, but a C function is attached to the sandboxed coroutine that forces the coroutine to yield after running so many statements.

In other words...

Code:

while true do end
won't make it hang. :D

The only problem comes up if the Lua sandbox is executing a C function. The yield function cannot make a C function yield (how could it possibly do that and be ANSI C compliant?). This means that if the sandboxed Lua code can get any C function to hang... then Lua will hang :(

So you do have to be careful about what you expose to the sandbox. Here is an example that will cause the sandbox to hang if the standard string library is exposed to it.

Code:

string.find(string.rep("a", 50), string.rep("a?", 50)..string.rep("a", 50))
Obviously, the FFI library would be really stupid to expose to sandboxed code. :P

Later, I will add a Lua wrapper that will partially implement C funcs such as string.find so that they too will yield. :)

The interesting thing is that I had to write a C library to do this. The C library is simple. It defines a C func that gets set as a debug hook. This hook is set on the coroutine directly in C. (Otherwise, Lua actually uses a wrapper C func that calls a generic Lua/C function. This causes Lua to complain about crossing C boundaries, and it is for this reason that the debug hook with the yield has to be written in C and not Lua.)

Also make sure that you use jit.off(sandboxedFunc,true) or you will run into problems as soon as LuaJIT determines that sandboxedFunc needs to be compiled.

Here's the link: https://github.com/GoogleBot42/LuaJIT-Sandbox
Last edited by I~=Spam on Tue May 05, 2015 7:27 pm, edited 1 time in total.
My Tox ID: 0F1FB9170B94694A90FBCF6C4DDBDB9F58A9E4CDD0B4267E50BF9CDD62A0F947E376C5482610
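
The exposure problem described in the post above, as an added example that is not part of the thread or of the LuaJIT-Sandbox code: a whitelist environment whose `string.find` is substring-only and whose `string.rep` is size-capped, so the C calls reachable from the sandbox do bounded work. The helper names (`guarded_find`, `guarded_rep`, `safe_string`, `sandbox`) and the limits are assumptions, and the environment complements the count hook rather than replacing it.

```lua
-- Added example, not IronBox code. Assumes LuaJIT / Lua 5.1 (setfenv, loadstring).
-- The limits are arbitrary illustrative values.
local MAX_SUBJECT, MAX_REP = 4096, 65536

-- Substring search only: plain=true turns pattern matching off, so the C
-- function has no backtracking that sandboxed input could drive.
local function guarded_find(s, needle, init)
  assert(type(s) == "string" and type(needle) == "string", "string expected")
  assert(#s <= MAX_SUBJECT, "subject too long for sandbox")
  return string.find(s, needle, init, true)
end

-- Cap the result size so one C call cannot allocate without bound.
local function guarded_rep(s, n)
  assert(type(s) == "string" and type(n) == "number", "bad argument")
  assert(n <= 0 or #s * n <= MAX_REP, "result too large for sandbox")
  return string.rep(s, n)
end

-- Fresh table per use, so one sandbox cannot overwrite entries seen by another.
local function safe_string()
  return { find = guarded_find, rep = guarded_rep, len = string.len }
end

-- s:find(p) method calls resolve through the string metatable shared by the
-- whole Lua state, not the environment; point it at the guarded set as well.
-- This also changes host code, which must then call string.* directly.
getmetatable("").__index = safe_string()

-- Compile source text against a whitelist; anything not listed (ffi, require,
-- debug, io, os, getmetatable, ...) simply does not exist for the chunk.
local function sandbox(src)
  if string.byte(src, 1) == 27 then return nil, "bytecode not allowed" end
  local fn, err = loadstring(src, "=sandbox")
  if not fn then return nil, err end
  setfenv(fn, { print = print, tostring = tostring, type = type,
                string = safe_string() })
  return coroutine.create(fn)
end

-- The expression from the post, run inside the sandbox.
local co = assert(sandbox([[
  return string.find(string.rep("a", 50),
                     string.rep("a?", 50) .. string.rep("a", 50))
]]))
print(coroutine.resume(co))  -- the "a?" run is now searched for as literal text
```
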
Re: LuaJIT sandboxing

Post by Nasarius »

Cool! Have you tried compiling LuaJIT with LUAJIT_ENABLE_CHECKHOOK defined? That should make debug hooks work in JIT-compiled code.

http://lua-users.org/lists/lua-l/2011-06/msg00513.html
Re: LuaJIT sandboxing

Post by I~=Spam »

Nasarius wrote: Cool! Have you tried compiling LuaJIT with LUAJIT_ENABLE_CHECKHOOK defined? That should make debug hooks work in JIT-compiled code.

http://lua-users.org/lists/lua-l/2011-06/msg00513.html
Thanks for checking this out. :awesome: I did think about doing that but decided not to because it slows down all jit compiled code. Although, it would be a good idea to change the github readme to reflect that. I will do that now. :D
Re: LuaJIT sandboxing

Post by I~=Spam »

I have changed this somewhat. Now it is called "IronBox" and you use it like so:

Code:

-- load library
local IronBox = require "IronBox"

local box = IronBox.create(function() 
    while true do 
        -- never exits
    end 
    print("I don't finish :(")
end)

-- run the box
box() -- box:resume() works too
-- ding! The box has surpassed the executing limit.  Pausing the coroutine

-- continue the box
box()
-- stops again

print("And they stop!")
So what now use a different sandbox library? Why do I use C? The answer is that if I didn't I wouldn't be able to allow pausing and resuming of a coroutine. Furthermore, you can pause and start as many of these as you want! :D Although, currently you cannot have a sandbox in a sandbox. Don't try it because it will allow the base sandbox to be free and never yield after its time execution is up. This feature will be added later. ;)