Pentium 4 and misaligned doubles

classic Classic list List threaded Threaded
52 messages Options
123
Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts

Luiz Henrique de Figueiredo
> Everyone here seem to be missing what the OP wants, which is that they
> want to change the *syntax* of Lua, not the functions a user can
> access.
> 
> So, for example the probably don't want them defining function, or using
> loops.
> 
> Of course, I agree with the other replies that this probably isn't something
> that can easily be done in Lua.

Actually, here is a simple way, though it requires a small patch to the
lexer: edit llex.c and in the array token2string just add a space before
the keywords you want to forbid. If you disable all keywords, then you'll
get a Lua subset that only understands assignments and function calls.
--lhf

Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts

Mark Hamburg-4
In reply to this post by David Given
on 8/23/05 3:23 AM, David Given at [hidden email] wrote:

> This *doesn't* put limits on CPU time and memory usage, but you can do that
> fairly easily by using the C API --- you'd set a timer that, when fired,
> would cause the sandboxed program to be terminated. By putting a bound on the
> amount of CPU time you automatically put a bound on the amount of memory, but
> that can be customised as well.

And for reference for the Lua cookbook, the place to look to see how to do
that is the standalone, command-line Lua interpreter and see how it handles
interrupts. The key point is that setting debug hooks is thread safe so you
can set the hook proc at interrupt time which is a lot more efficient than
setting it earlier and having it check a flag.

Mark


Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts

Alain
In reply to this post by David Given
Hi David,

You understood some of my problems: safety (don't destruct the machine) and eliminating unwanted function access.

I will reread all this thread and make a sumary later today. Many interesting point are in here.

thanks everybody,
Alain

David Given escreveu:
On Tuesday 23 August 2005 09:30, many people wrote:

Lots of messages about sandboxing Lua


Wee! 40 messages waiting for me when I get in to work!

The reason why I'm posting this is that I've noticed that nobody's actually explained the following yet, which may help to clarify things slightly.

There are two parts to Lua; there's the language (if...then...end, while...end, function...end, etc), and there are the libraries (print, math.sin, io.open, etc). The Lua *language* has zero functionality for doing anything without the libraries. As all the libraries are accessed via global variables, and the set of global variables a piece of code has access to can be easily changed, this means that the set of available libraries is trivially customisable. This means that it's possible to remove *all* ways that a Lua script can interact with the outside world, by simply removing the set of available libraries.

This Lua program:

  script = io.read("*all")   -- read in text from stdin
  chunk = loadstring(script) -- compile into an executable Lua chunk
  setfenv(chunk, {})         -- completely empty the chunk's globals

  status, result = pcall(chunk) -- execute the chunk
  print("status=", status, " result=", result)

...implements a safe Lua interpreter. It will execute the Lua program given in stdin in a sandboxed environment; the only way the sandboxed program has of interacting with the outside world is to return a value --- try it. If you can break it, the devs here would love to know because it's a major bug. It'll even execute invalid Lua code safely, returning the error that occurred so your program can deal with it.

(Typically you wouldn't do the above, because there are a number of safe functions that all Lua programs use; tonumber(), tostring(), type(), unpack(), math, table, etc. You'd want to provide these to the sandboxed program.)

This *doesn't* put limits on CPU time and memory usage, but you can do that fairly easily by using the C API --- you'd set a timer that, when fired, would cause the sandboxed program to be terminated. By putting a bound on the amount of CPU time you automatically put a bound on the amount of memory, but that can be customised as well.

Does this help?


Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts

Erik Hougaard
In reply to this post by Alain
Remember, you can "delete" a function simply by doing "functionnottobetouched=nil"

/Erik

Alain wrote:

Thanks Ben for the information, but that is not enough. It does protect a function to alter some things, but a skilled (auto-nominated) can use other ways to access what he is not suposed to use.

I what I really am looking for is validating a minimal Lua-subset and avoiding commands unknown by me to get into the scripts.

I am Ssorry to ask the same quastion 3 times, but I feel that I did not make myself clear enough :(

Alain

Ben Sunshine-Hill escreveu:

That's accomplished with setfenv.
On 8/22/05, Alain <[hidden email]> wrote:


Aaron Brown escreveu:

Alain wrote:

I want to include Lua scripts in screen objects. My
concern is that I want to limit accessibility to too many
LUA commands, I want to limit the commands that he can
use.


If I understand what you're trying to do, it can be done
easily in stock Lua.  First use loadstring() to turn the
user's code into a function (this is where you catch any
syntax errors).  Then use setfenv() to keep the function
from accessing any dangerous globals.  This second step is
explained in section 14.3 of Programming in Lua:
<http://www.lua.org/pil/14.3.html>


Ok, that was very usefull information and I will probably use both. But
what I intended is something more restrictive. I want a syntax checker
that forbids access to many lua functions, just saying ok/notok. I am
thinking of a lexical analysis with only minimal lua syntax or something
like that...

The problem is that LUA is a powerfull language, and I don't want users
with all that power because I am the one who will have to give support
to the program. That means that if the user puts some statement in his
script he can do more that was intended fot him to do.



That's accomplished with setfenv. Just only put the safe functions in
the environment that is set for the function.

Ben






Reply | Threaded
Open this post in threaded view
|

Simple Lua for scripts - Sumary

Alain
In reply to this post by Luiz Henrique de Figueiredo
Hi,

thanks to all the feedback I got from this thread. I am making here a sumary where I will try to put it all toghether and see if it is reasonable. I started with a question about a small aspect (2) and got much more.

1) Link Lua static into my program. (this also helps Win/Lin portability stability and install)

2) I can edit llex.c and make a syntaticaly simpler Lua language. I will check if this can do what I want.

3) Remove from Lua all possibilty of loading modules and even functions from Lua code. This will probably require altering the code to remove "loadstring" , "loadlib" and "require" (maybe some others...)

4) Use one Lua state for each window. A window in the system is one entity where all objects colectively execute one single task. This will keep things independant and problems easier to track.

4) All general libs and functions will be pre-loaded by the C program. Then a new environment is created to protect all globals with setfenv(). Then all object functions are loaded, they can only access selected functions and variables declared as locals (last sniplet of http://www.lua.org/pil/15.4.html) I could even have a GLOB local to access the global environment only in debug mode.

5) All object scripts share the same environment. They comunicate with the outside world though C functions that access the Window properties and databases. A single return string sets the object's value if apprepriate. (I believe this is a kind os community sandboxing)

6) In the editing window for object scripts, I test the code with loadstring() to turn the user's code into a function (to catch any syntax errors). A few more filtering can be done (eg: GLOB access) only then I accept and store the code.

MISSING: all user data should be UTF8 :() how much far from Lua is LuaPlus? do you recomend it?

TODO: limit execution time. Mark Hamburg sent some info that I could not understand. FWIK it should be done inside the VM ... (?)

Alain

Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

Alain
Hi all,

I made this nice summary in a wild hope that I will get some comments from someone... This will serve as the basis of a big and long term project so I would really be very thankfull if someone take me out of a wrong path ;-)

Was it too perfect to need any comment (just impossible) or too stupid and so equivalent? (just joking)

forguive me for repeating the message, but maybe it did not go to the list (?)

thanks for your collective patience
Alain

Hi,

thanks to all the feedback I got from this thread. I am making here a sumary where I will try to put it all toghether and see if it is reasonable. I started with a question about a small aspect (2) and got much more.

1) Link Lua static into my program. (this also helps Win/Lin portability stability and install)

2) I can edit llex.c and make a syntaticaly simpler Lua language. I will check if this can do what I want.

3) Remove from Lua all possibilty of loading modules and even functions from Lua code. This will probably require altering the code to remove "loadstring" , "loadlib" and "require" (maybe some others...)

4) Use one Lua state for each window. A window in the system is one entity where all objects colectively execute one single task. This will keep things independant and problems easier to track.

4) All general libs and functions will be pre-loaded by the C program. Then a new environment is created to protect all globals with setfenv(). Then all object functions are loaded, they can only access selected functions and variables declared as locals (last sniplet of http://www.lua.org/pil/15.4.html) I could even have a GLOB local to access the global environment only in debug mode.

5) All object scripts share the same environment. They comunicate with the outside world though C functions that access the Window properties and databases. A single return string sets the object's value if apprepriate. (I believe this is a kind os community sandboxing)

6) In the editing window for object scripts, I test the code with loadstring() to turn the user's code into a function (to catch any syntax errors). A few more filtering can be done (eg: GLOB access) only then I accept and store the code.

MISSING: all user data should be UTF8 :() how much far from Lua is LuaPlus? do you recomend it?

TODO: limit execution time. Mark Hamburg sent some info that I could not understand. FWIK it should be done inside the VM ... (?)

Alain



Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

Ben Sunshine-Hill
1, 2, 3, 4a, 6: Sounds fine, but keep in mind that you are going out
of your way to keep people from doing things that they may really want
to do. Be prepared to spend a lot of time supporting alternatives to
the functionality you have taken away from them.

4b: Careful there. Using a scripting language without being able to
define your own globals would be a pain in the arse. Consider having
globals protected by default, but having a function to add globals.

5. If you are so concerned with not letting scripts do very much,
consider putting them in separate environments.

UTF8: IIRC, Lua supports UTF8 in strings but may have trouble if you
try to use UTF8 identifiers in code or string literals. I haven't done
much i18n, though, so someone else should correct me on this.

Limiting execution time: This is an OS-specific thing. The effect of
it, though, should be to set a line hook in the VM when you decide you
want a script to die suddenly. Then the script will break on the next
line.

Ben


Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

Rici Lake-2

On 25-Aug-05, at 5:04 PM, Ben Sunshine-Hill wrote:

UTF8: IIRC, Lua supports UTF8 in strings but may have trouble if you
try to use UTF8 identifiers in code or string literals. I haven't done
much i18n, though, so someone else should correct me on this.

UTF8 will work fine in string literals (but Lua won't convert to UTF8). But you would not be able to use multibyte characters in identifiers.

On 23-Aug-05, at 10:45 PM, Alain wrote:

2) I can edit llex.c and make a syntaticaly simpler Lua language. I will check if this can do what I want.

Indeed you can, but I'm still at a loss as to what Lua syntactic constructions you consider complicated.

3) Remove from Lua all possibilty of loading modules and even functions from Lua code. This will probably require altering the code to remove "loadstring" , "loadlib" and "require" (maybe some others...)

Loading arbitrary libraries is obviously dangerous in an uncontrolled environment. But I fail to see any benefit to preventing people from maintaining their own libraries of Lua functions. If they can't do that, they'll end up cutting and pasting the code into every script, which is a maintenance nightmare (and unnecessarily bulky). This strikes me as a way to complicate people's lives, rather than simplify them.


Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

David Given
In reply to this post by Ben Sunshine-Hill
On Thursday 25 August 2005 23:04, Ben Sunshine-Hill wrote:
[...]
> Limiting execution time: This is an OS-specific thing. The effect of
> it, though, should be to set a line hook in the VM when you decide you
> want a script to die suddenly. Then the script will break on the next
> line.

Not meaning to contradict you, but:

  while true do end

No line hooks!

This has to be done at the bytecode level, and AIUI there isn't a debug hook 
for that, so it can't be done from Lua.

-- 
"Curses! Foiled by the chilled dairy treats of righteousness!" --- Earthworm 
Jim (evil)

Attachment: pgp0C5V6dRZZt.pgp
Description: PGP signature

Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

Rici Lake-2

On 25-Aug-05, at 6:12 PM, David Given wrote:

On Thursday 25 August 2005 23:04, Ben Sunshine-Hill wrote:
[...]
Limiting execution time: This is an OS-specific thing. The effect of
it, though, should be to set a line hook in the VM when you decide you
want a script to die suddenly. Then the script will break on the next
line.

Not meaning to contradict you, but:

  while true do end

No line hooks!

He might have meant a counthook. You set the counthook to one and it will trigger on the next VM instruction. Setting the counthook to one inside of an alarm handler is a standard way of breaking Lua execution after a certain amount of time.

In any event, in Lua 5.0.2 at least, the above statement does trigger line hooks. The line hook is triggered by any backwards branch, regardless of line number:

function hook(what, where)
  print ("Hooked!", what, where)
  if what == "count" then debug.sethook(hook, "l")
elseif count < 10 then count = count + 1; debug.sethook(hook, "c", 100)
    else error("Done!")
  end
end

> count = 0
> debug.sethook(hook, "c", 100); while true do end
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
Hooked! count   nil
Hooked! line    1
stdin:5: Done!
stack traceback:
        [C]: in function `error'
        stdin:5: in function `hook'
        stdin:1: in main chunk
        [C]: ?


Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

Klaus Ripke
In reply to this post by Ben Sunshine-Hill
On Thu, Aug 25, 2005 at 03:04:04PM -0700, Ben Sunshine-Hill wrote:
> UTF8: IIRC, Lua supports UTF8 in strings but may have trouble if you
> try to use UTF8 identifiers in code or string literals. I haven't done
> much i18n, though, so someone else should correct me on this.
a string lib for UTF-8 is at http://luaforge.net/projects/sln/

Reply | Threaded
Open this post in threaded view
|

Re: Simple Lua for scripts - Sumary

David Given
In reply to this post by Rici Lake-2
On Friday 26 August 2005 00:49, Rici Lake wrote:
[...]
> He might have meant a counthook.
[...]
> The line hook is triggered by any backwards branch, 
> regardless of line number:

Having groped through the documentation, I notice that the bit *I* was looking 
at (the debug.sethook() Lua interface) doesn't mention this behaviour, but 
the bit *you* were looking at (the lua_sethook() C interface) does...

-- 
+- David Given --McQ-+ "A character is considered to be a letter if and
|  [hidden email]    | only if it is a letter or digit (§20.5.16) but is
| ([hidden email]) | not a digit (§20.5.14)." --- SMSDN Java
+- www.cowlark.com --+ documentation

Attachment: pgpGdgjS4OO5S.pgp
Description: PGP signature

123