I am considering swapping an interpreted scripting language in a project of mine with some form of just using native c++ code to compile tiny dlls to load and run code from. The motivation is to eliminate entirely the interpreted scripting aspect, the binding aspect, and simplify things down to just exposing virtual interfaces to tiny plugins that can do things with the full speed of running native code.
One of the biggest hurdles to this though is that it blows the lid off the application in the domain of security, which is a serious issue. In a scripting language if you don't bind the IO libraries and such, you can basically sandbox the scripts from being able to do things they shouldn't be doing, like messing with system files, or anything not outside the narrowly defined scope of what the plugin should have access to. If you compile arbitrary c++ code and link it in, someone could write c++ code that includes libraries that do all manner of malicious stuff. I've been trying to think of ways that I could provide a c++ plugin interface but still have some control over security to sandbox what access they can get. If the system relied on them compiling their own dlls, I don't think there is anything I could do to prevent malicious stuff from being coded. However if I used something like Runtime-Compiled C++, perhaps I could accomplish my goals by restricting the linker options only to a library that I have exposed only what I have access to. I haven't yet dug into the linker options of RPC++ but am I correct that this could be done? Ultimately I would not allow even the c standard library I suppose, so the only things they would be able to use are types I expose via the includes and libraries of my own. There are probably holes in this security, but I'm thinking it might be good enough. Maybe I could cover other issues with some preprocessor defines that break pragma library loading and such.
Thoughts?