Sandboxing: Lua vs Dart


Stefan Reich

May 15, 2013, 8:29:17 AM
to mi...@dartlang.org
Hi there!

I am having a discussion with a friend about the capabilities of Lua and Dart, respectively (we are determining which language to use). The core issue is sandboxing.

Lua has recently been augmented with "100% tight" sandboxes - multiple sandboxes in one Lua space, each limited in environment, CPU and memory. (http://stefans-new-world.net/msle/)

We have an application in mind that would load multiple code fragments from the 'net and execute each of them in a safe environment.

So we know that Lua can do this. Can Dart do it too?

All the best,
Stefan

John McCutchan

May 15, 2013, 9:14:17 AM
to General Dart Discussion
Stefan,

Yes, all Dart programs run inside an Isolate. Isolates do not share resources and run concurrently. Isolates can spawn other Isolates and communicate using a Port. 

I do not believe there is any mechanism, today, to limit the amount of CPU or memory used by an Isolate.


John



--
For other discussions, see https://groups.google.com/a/dartlang.org/
 
For HOWTO questions, visit http://stackoverflow.com/tags/dart
 
To file a bug report or feature request, go to http://www.dartbug.com/new
 
 



--
John McCutchan <jo...@johnmccutchan.com>

Ladislav Thon

May 15, 2013, 9:18:53 AM
to mi...@dartlang.org
> I do not believe there is any mechanism, today, to limit the amount of CPU or memory used by an Isolate.

Don't know about CPU, but surely there must be a limit for the heap size, no? Standalone Dart lets you set max heap size -- don't know if it's for the entire process, or per isolate...

LT

Rico Wind

May 15, 2013, 9:33:42 AM
to General Dart Discussion
On Wed, May 15, 2013 at 3:18 PM, Ladislav Thon <lad...@gmail.com> wrote:

>> I do not believe there is any mechanism, today, to limit the amount of CPU or memory used by an Isolate.
>
> Don't know about CPU, but surely there must be a limit for the heap size, no? Standalone Dart lets you set max heap size -- don't know if it's for the entire process, or per isolate...

That is per isolate and the default is:
:~/src/dart/dart$ grep kHeapSize  runtime/vm/heap.h 
  static const intptr_t kHeapSizeInMB = 512;

If you run downloaded code fragments then those could just spawn more isolates though :-)

Cheers,
Rico
 

Ladislav Thon

May 15, 2013, 9:40:43 AM
to mi...@dartlang.org
>>> I do not believe there is any mechanism, today, to limit the amount of CPU or memory used by an Isolate.
>>
>> Don't know about CPU, but surely there must be a limit for the heap size, no? Standalone Dart lets you set max heap size -- don't know if it's for the entire process, or per isolate...
>
> That is per isolate and the default is:
> :~/src/dart/dart$ grep kHeapSize  runtime/vm/heap.h 
>   static const intptr_t kHeapSizeInMB = 512;
>
> If you run downloaded code fragments then those could just spawn more isolates though :-)

The embedder can control that, no? At least by forbidding import of dart:isolate. And if the embedder wants user scripts to be able to spawn new isolates, it can provide a wrapper on top of dart:isolate...

LT

Rico Wind

May 15, 2013, 9:50:13 AM
to General Dart Discussion
Sure, I am just saying that out of the box there is nothing preventing new isolates from being spawned. It is pretty simple to grep that out and disallow it though

Stefan Reich

May 15, 2013, 11:39:18 AM
to mi...@dartlang.org
OK, thanks to all for the answers so far!

So the conclusion is that isolates provide SOME aspects of a sandbox - but, as they are now, do not provide the "hermetic sealing" we are looking for.

We actually want our sandbox to execute any string of characters without it being able to exceed CPU or memory resources, or to issue unwanted side effects.

> Sure, I am just saying that out of the box there is nothing preventing new isolates from being spawned. It is pretty simple to grep that out and disallow it though

Hm, so we're on the "grep" level (textual analysis of source code for preventing 'bad stuff')? Lua is a lot further advanced then... =)

In Lua, we set an environment (a table), like this:

env = {
  printme = print
}

When we run code in that environment, we KNOW that all it can do is print - and nothing else (except compute!).

I'll point my friend to these results and hope he sees the light too. =)

Here's the project page btw: http://improveyourlife.de/en/ (yes, quite preliminary :)

(To make sure: This is not a campaign against Dart or anything - I'm just for choosing the right tool for every job. Oh, and there's the GUI question... =)

Cheers,
Stefan

Ladislav Thon

May 15, 2013, 1:07:08 PM
to mi...@dartlang.org
> Hm, so we're on the "grep" level (textual analysis of source code for preventing 'bad stuff')?

No, not at all. As the embedder, you are in charge of resolving imports, so you can easily allow or disallow arbitrary libraries. I don't think that you can get finer granularity.

As we established above, you can also control the memory (though I'm not sure what happens if an isolate tries to exceed the limit -- the embedder should be notified about that and the isolate should be "suspended").

Limiting CPU is probably a no-go with Dart VM right now. Maybe there are ways to stop an isolate from the outside (using the debugger protocol?), but I honestly don't know.

And finally -- Dart isn't even 1.0, while Lua is an established language with much larger ecosystem. That would probably be the deciding factor for you.

LT

Stefan Reich

May 16, 2013, 12:18:40 PM
to mi...@dartlang.org
Ha! The David is posting here. Nice.

On Thursday, May 16, 2013 at 02:41:52 UTC+2, Don David Alegria wrote:
> The highly motivated Stefan and his beloved Lua with its sophisticated sandboxing cannot keep me from Dart scripting!

I don't want to keep you from anything. I want you to pick up a super-easy language on the fly that will be incredibly useful.

Lua is like the new assembler. It has only one data structure, super easy syntax, a simple API. I really see no reason why a pro like you (you are a pro, right?) could not pick it up extremely quickly. The only reason seems to be... I don't know... pride or something? =)

This is the point anyways. I'm a professional, and I want to behave professionally. This means MAKING A PRODUCT.

I have a dentist bill coming up, David, and I probably cannot pay it unless I make a popular product. So that is what I want to do.

Lua just fits the bill. Sandboxing is at the heart of the iCan concept, so we need a sandbox-able language.

> First, I don't like "end", not only for the world, but also in a programming language.

Really? The keyword? That's your argument? Come on man. Let's cut the nonsense. You don't have to marry a syntax. You just use a language for a while.
 
> Also I need this and class and braces!

Yeah, braces. So important =) How can anyone live without?
 
> Besides, with the Dart rollout, there is a huge amount of users. Chromium and dart obviously are made for serving the demands of concurrency and safety on distributed systems. Afaiu its one of the main reasons why JS needed to be dumped.

We just can't build a standalone app that does what we want with Chromium right now. My Lua prototype app is ready and its API can be grown in minutes. Just when you hop on boat... =)
 
> I think memory consumption of spawned isolates is something that should be controllable as well as CPU consumption.

Should be? It is not, right now.
 
> How could I survive with Lua in the html5 world?

? What's that even supposed to mean? It's another tool that you will have mastered.

> Knowing js, php, perl, c, c++, java already, dart looks more like the armor of light. Lua looks pretty serious though... wonder why it didn't find its way into the browser.

Yeah, good question. There are many languages alright, so not even makes its way into everything.

Once again: We want to ship a product now, and Lua does the job. From a programmer's perspective, I have wet dreams about lots of language features that Lua does not have. But it's really flexible and you can write code in it really quickly. Like I said, it's a bit like a new assembler.

So once again, the question is: Do you want to produce something or stay in the wet dreams area? I will make a product now, one way or another.

> cheers -David

Cheers,
Stefan

Stefan Reich

May 16, 2013, 12:22:01 PM
to mi...@dartlang.org
OK, thanks for your input, Ladislav. That cleared some things up!

I tried to put the sandboxing feature list into a comparison table (hope the formatting comes out ok):

Feature                 Lua w/MSLE   Dart with isolates

Limited resource access [X]          [X]
Eval (code from string) [X]          [?]
Redefining system funcs [X]          [?]
Portable                [X]          [?]
Multi VMs per process   [X]          [?]
Memory limit per VM     [X]          [ ]
Time limit per VM       [X]          [ ]

"Limited resource access" means that only allowed system functions are
available to sandboxed code.

"Redefining system funcs" means that you can provide user-defined system
functions to sandboxed code. Can Dart do that?

"Portable" means supporting all major OSes (Lua is ultraportable).

Please correct if anything's wrong in the Dart column?

Cheers,
Stefan
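The environment-table approach Stefan sketches in his earlier post (env = { printme = print }) and the "memory limit per VM" and "time limit per VM" rows of the table above, carried through as an added example. This is my code, not code from the thread, from MSLE or from the iCan project. It assumes Lua 5.2 or later (load accepts an env argument and a mode string); run_sandboxed, the option names and the limit defaults are this example's own, and the four input fragments are constructed for the demonstration.

```lua
-- Added example: a restricted environment plus CPU and memory ceilings
-- for untrusted Lua source. Requires Lua 5.2+ (load with an explicit env).
-- run_sandboxed, opts.max_instructions and opts.max_memory_kb are names
-- chosen for this example.

local function run_sandboxed(src, opts)
  opts = opts or {}
  local max_instr = opts.max_instructions or 1000000  -- VM instructions
  local max_kb    = opts.max_memory_kb    or 1024     -- growth allowed, in KB
  local out = {}

  -- The environment is the whole world the code can see: no os, io, load,
  -- require, debug, dofile, and no handle on the real global table.
  -- Functions are listed one by one rather than copying a library table.
  local env = {
    printme = function(...)
      local parts = {}
      for i = 1, select("#", ...) do parts[i] = tostring((select(i, ...))) end
      out[#out + 1] = table.concat(parts, "\t")
    end,
    tostring = tostring, tonumber = tonumber,
    pairs = pairs, ipairs = ipairs, type = type, select = select,
    math   = { floor = math.floor, abs = math.abs, max = math.max, min = math.min },
    string = { sub = string.sub, len = string.len, format = string.format },
    table  = { concat = table.concat, insert = table.insert },
  }
  -- Caveat: string values keep the global string metatable, so ("x"):rep(n)
  -- still works via method syntax even though env.string has no rep. A host
  -- that cares about that must also replace the string metatable's __index.

  -- Mode "t": source text only. Precompiled bytecode is not verified by the
  -- VM and can escape any environment-based sandbox.
  local fn, err = load(src, "=untrusted", "t", env)
  if not fn then return nil, "compile: " .. err end

  -- Count hook: fires every 1000 VM instructions, so `while true do end`
  -- cannot run forever. Memory is read with collectgarbage("count"), which
  -- is global to the Lua state, so the ceiling is a growth budget measured
  -- from the start of this run, not a true per-sandbox quota. A hard
  -- per-state quota belongs in the host's lua_Alloc function.
  local instr, base_kb = 0, collectgarbage("count")
  local function hook()
    instr = instr + 1000
    if instr > max_instr then error("CPU limit exceeded", 2) end
    if collectgarbage("count") - base_kb > max_kb then
      error("memory limit exceeded", 2)
    end
  end

  -- Run in its own coroutine so the hook applies only to the sandboxed
  -- thread and not to the host code that called us.
  local co = coroutine.create(fn)
  debug.sethook(co, hook, "", 1000)
  local ok, res = coroutine.resume(co)
  debug.sethook(co)
  if not ok then return nil, "runtime: " .. tostring(res) end
  return out
end

-- Constructed inputs: one benign fragment and three hostile ones.
local cases = {
  'printme("sum:", 2 + 2)',
  'os.execute("id")',                                -- os is not in env
  'while true do end',                               -- CPU bomb
  'local t = {} for i = 1, 1e9 do t[i] = {} end',    -- memory bomb
}
for _, src in ipairs(cases) do
  local out, err = run_sandboxed(src, { max_instructions = 200000, max_memory_kb = 512 })
  if out then
    print("ok:     " .. table.concat(out, " | "))
  else
    print("denied: " .. err)
  end
end
```

The first fragment runs and its output is collected through printme; the other three fail at the environment lookup, the instruction count, and the memory check respectively. The two checks that matter most for the table above are the `"t"` mode on load (bytecode must never reach a sandbox) and the hook-based limits, which are approximations inside the language: a single C call such as a huge string.rep allocates before the next hook fires, which is why robust per-VM limits are enforced in the host's allocator rather than in Lua itself.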

Stefan Reich

May 16, 2013, 12:26:54 PM
to mi...@dartlang.org
> so not even makes its way into everything.

Uhm. "Not everything makes its way into everything" was what I wanted to write.

Oh, and you can have classes and "this" or "self" in Lua easily, too.

I'm still not really sure why the prospect of a quickly-developed product does not excite you.

Next, I think I might be building a bridge to bash so iCan is then also a better surface for bash. How about that?

Cheers,
Stefan