Capabilities for Lua: what experience is there?
There's been some discussion on the cap-talk mailing list around whether Lua and JavaScript support the object-capability model, with the conclusion that, because of support for restricting the environment of called functions through setfenv, and the possibility of unforgeable references to immutable objects, the OCM could be implemented.

Have we seen how this works out? I'm interested in removing exploits from an existing application with very useful, generous scripting support in Lua that unfortunately allows full shell access in all kinds of cases. Some shell access is needed: the object-capability model seems like a good way to manage things. But I worry about how convincing a case I can make that this approach will actually be verifiably secure in the sure-to-be messy practice.

Some links:

  1. Older SO question: How can I create a secure Lua sandbox?
  2. Background at erights.org: From Objects To Capabilities
  3. Lua wiki: SandBoxes and ReadOnlyTables - shows setfenv in action; shows the basic idea behind tables that can, under the right circumstances, be made read-only
Sardanapalus answered 9/11, 2010 at 13:27 Comment(6)
Sounds like you have done your homework. What exactly are you missing? - Elutriate
For the record, I think Lua is definitely capable of supporting the OCM. At the very least, you can edit the source code of liolib.c and loslib.c yourself. It should be relatively simple, since the code there isn't so complex. - Elutriate
@Zecc: Actual stories of the theory being applied, successfully or not. On any scale whatsoever. - Sardanapalus
+1 for reminding me of the cap-talk mailing list :) - Anomalistic
I'd just like to point out that setfenv will be deprecated in favor of the _ENV variable and the loadin function starting with version 5.2 of Lua: lua.org/work/doc/manual.html#2.2 - Elutriate
@Zecc: That's an important change: "C functions do not have environments any more. Use an upvalue with a shared table if you need to keep shared state among several C functions. (You may use luaL_setfuncs to open a C library with all functions sharing a common upvalue.)" - Sardanapalus
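The following is an added example, not code from the question, the linked wiki pages, or any project; it puts the pieces the question and the comments above mention into one runnable Lua file: an explicit environment for untrusted code (setfenv on Lua 5.1/LuaJIT, the env argument of load on Lua 5.2+), a read-only table built from a proxy metatable, and "shell access" handed out as an unforgeable closure rather than as the ambient os library. The names make_readonly, make_command_cap, make_env and run_untrusted are illustrative and not a real library; the untrusted snippets at the bottom are constructed for the demonstration.

```lua
-- Read-only view of t: an empty proxy whose metatable forwards reads and
-- rejects writes.  This only holds if the sandbox cannot reach rawset,
-- setmetatable or debug.*, all of which bypass or strip the metatable.
local function make_readonly(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function(_, k)
      error("attempt to write read-only key " .. tostring(k), 2)
    end,
    __pairs = function() return next, t, nil end, -- honoured by Lua 5.2+ only
    __metatable = false, -- getmetatable() returns false, setmetatable() errors
  })
end

-- A capability: an unforgeable closure that grants exactly one action.
-- Holding the closure is the authority; os.execute itself is never exposed.
-- Note that os.execute still goes through a shell, so the argument filter
-- below is the entire defence against command injection.
local function make_command_cap(program)
  return function(arg)
    -- One argv-style token: alphanumerics, dot, underscore, slash, dash.
    if type(arg) ~= "string" or arg == "" or arg:find("[^%w%._/-]") then
      error("rejected argument for " .. program, 2)
    end
    return os.execute(program .. " " .. arg)
  end
end

-- Per-script environment: the script may create its own globals, which land
-- in a fresh table; reads fall back to a shared read-only base.  The base
-- deliberately omits os, io, debug, require, load/loadstring/dofile,
-- rawget/rawset and getmetatable/setmetatable.
local function make_env(caps)
  local base = {
    tostring = tostring, tonumber = tonumber, type = type, select = select,
    pairs = pairs, ipairs = ipairs, next = next, error = error, pcall = pcall,
    string = make_readonly({ format = string.format, sub = string.sub,
                             find = string.find, rep = string.rep,
                             len = string.len, lower = string.lower }),
    math = make_readonly({ floor = math.floor, max = math.max, min = math.min }),
  }
  for name, cap in pairs(caps) do base[name] = cap end
  return setmetatable({}, { __index = make_readonly(base), __metatable = false })
end

-- Compile src and bind it to env.  Lua 5.1/LuaJIT: loadstring + setfenv.
-- Lua 5.2+: load() takes the environment (the chunk's _ENV upvalue) as its
-- fourth argument, and mode "t" refuses precompiled bytecode, which the VM
-- does not verify and which can escape any source-level sandbox.  Reject
-- bytecode explicitly so the 5.1 path gets the same treatment.
local function run_untrusted(src, env)
  if src:sub(1, 1) == "\27" then return false, "bytecode chunk rejected" end
  local chunk, err
  if setfenv then
    chunk, err = loadstring(src, "=untrusted")
    if chunk then setfenv(chunk, env) end
  else
    chunk, err = load(src, "=untrusted", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Demonstration: the script is granted an "echo" capability and nothing else.
local env = make_env({ say = make_command_cap("echo"), print = print })
print(run_untrusted([[ x = 1; say("hello") ]], env))      -- runs: echo hello
print(run_untrusted([[ return os.execute("id") ]], env))  -- error: os is nil
print(run_untrusted([[ string.format = nil ]], env))      -- error: read-only
print(run_untrusted([[ say("hello; id") ]], env))         -- error: rejected
print(run_untrusted([[ return getmetatable("") ]], env))  -- error: nil global
```

Two caveats a reviewer would raise. String values carry the interpreter's own string metatable, so `("x"):rep(3)` works inside the sandbox whether or not string is in the environment; that is harmless as long as getmetatable and load are absent, since string.dump output cannot be executed. And the read-only proxy protects the shared base only; it does nothing for tables the untrusted script creates itself, which is fine, because those are its own.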
I can't speak to Lua, but for JavaScript, Caja has tooling to create a proper sandbox, limiting access to only certain functions. It was originally created to build a sandbox for HTML/JS widgets (like those used on iGoogle).

http://code.google.com/p/google-caja/

Here's a description of the project from their homepage:

Caja (pronounced "KA-ha"), is a Spanish word that means box, bank, cash register, vault; a container for valuables. A web developer uses traditional tools like HTML, JavaScript, and CSS; and Caja provides a compiler (a "cajoler") that takes the web application and produces a "cajoled" HTML web application. The cajoler tries to verify security properties by doing static analysis, and where it cannot it rewrites the input to add runtime checks.

Since web applications make common use of browser APIs, e.g. the DOM APIs, that give a huge amount of control over the web page, Caja provides tamed APIs that virtualize portions of the DOM. A containing page can set up the embedding application's environment so that the embedded application thinks it is interacting with the DOM of a full page, but is in fact only manipulating a bounded portion of the containing page via a mechanism called virtual iframes.

The JavaScript that a Caja application uses is written in a fail stop subset of JavaScript (actually EcmaScript5). This subset, called "Valija", includes almost the entire JavaScript language, but removes a few error-prone constructs such as with and restricts how eval may be used.

Neckline answered 7/2, 2011 at 11:45 Comment(1)
If I understand the project rightly, the idea is that we have a subset of JavaScript, Cajita, written in a dialect that limits access to data in a capability-passing style. My first impression is that this would be a very heavy-duty application of capabilities to the kind of refactoring task I have in mind, and it doesn't really answer the question of what the capability-based security model looks like outside of toy examples. But looking at how typical JavaScript can be refactored into Cajita might be rewarding. - Sardanapalus
