security - Capabilities for Lua: what experience is there?

Tags: security lua environment-variables sandbox capability

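There has been some discussion on the cap-talk mailing list about whether Lua and Javascript support the object-capability model, with the conclusion that, given support for restricting the environment of a called function through setfenv and the possibility of unforgeable references to immutable objects, the OCM can be implemented.

Have we seen how this is implemented? I'm interested in removing exploits from an existing application that provides very useful, generous scripting support in Lua which, unfortunately, allows full shell access in a variety of ways. Some shell access is needed: the object-capability model seems like a good way to manage things. But I'm concerned about how I could convincingly demonstrate that such an approach is actually verifiably secure in what is sure to be a tangled practice.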

Some links:

  1. An older question: How can I create a secure Lua sandbox?
  2. erights.org background: From Objects To Capabilities
  3. Lua wiki: SandBoxes, ReadOnlyTables - shows setfenv in action; shows the basic idea behind tables that can, where appropriate, be made read-only
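
A minimal sketch of the setfenv whitelist and read-only table approach the question refers to, as an added example that is not part of the original question or its answer. It assumes Lua 5.1 or LuaJIT; the names readonly, make_log_cap and run_untrusted are hypothetical and the sample scripts are constructed.

```lua
-- Lua 5.1 / LuaJIT only: setfenv was removed in Lua 5.2 and later.
-- readonly, make_log_cap and run_untrusted are hypothetical names.

-- Read-only proxy: the real table lives only in the metatable, so sandboxed
-- code holds a reference it can use but cannot modify or unwrap.
local function readonly(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function() error("attempt to modify read-only table", 2) end,
    __metatable = false, -- getmetatable() returns false, setmetatable() fails
  })
end

-- A capability: the only authority it grants is appending to one list.
local function make_log_cap(sink)
  return readonly({ write = function(msg) sink[#sink + 1] = tostring(msg) end })
end

local function run_untrusted(src, caps)
  -- Reject precompiled chunks: Lua 5.1 does not verify bytecode on load.
  if src:sub(1, 1) == "\27" then return false, "bytecode rejected" end
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  -- Whitelist environment: no os, io, require, debug, getfenv, rawset,
  -- getmetatable or loadstring is reachable as a global from the chunk.
  local env = { pairs = pairs, ipairs = ipairs, tostring = tostring,
                tonumber = tonumber, math = readonly(math) }
  for name, cap in pairs(caps) do env[name] = cap end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Constructed sample scripts
local sink = {}
local caps = { log = make_log_cap(sink) }
print(run_untrusted('log.write("hello " .. math.floor(2.5))', caps)) -- allowed
print(run_untrusted('return os.getenv("HOME")', caps)) -- fails: os is nil
print(run_untrusted('log.write = nil', caps))          -- fails: read-only
print(run_untrusted('math.floor = nil', caps))         -- fails: read-only
print(sink[1])
```

An environment whitelist does not bound CPU or memory use, and string methods stay reachable through the shared string metatable (for example `("x"):rep(n)`) even though `string` is not in the environment.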

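Best answer

I can't speak to Lua, but for Javascript, Caja has tools to create appropriate sandboxes that restrict access to only certain functionality. It was originally created to build sandboxes for HTML/JS widgets (such as those used on iGoogle).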

http://code.google.com/p/google-caja/

Here is the description of the project from their home page:

Caja (pronounced "KA-ha"), is a Spanish word that means box, bank, cash register, vault; a container for valuables. A web developer uses traditional tools like HTML, JavaScript, and CSS; and Caja provides a compiler (a "cajoler") that takes the web application and produces a "cajoled" HTML web application. The cajoler tries to verify security properties by doing static analysis, and where it cannot it rewrites the input to add runtime checks.

Since web applications make common use of browser APIs, e.g. the DOM APIs, that give a huge amount of control over the web page, Caja provides tamed APIs that virtualize portions of the DOM. A containing page can set up the embedding application's environment so that the embedded application thinks it is interacting with the DOM of a full page, but is in fact only manipulating a bounded portion of the containing page via a mechanism called virtual iframes.

The JavaScript that a Caja application uses is written in a fail stop subset of JavaScript (actually EcmaScript5). This subset, called "Valija", includes almost the entire JavaScript language, but removes a few error-prone constructs such as with and restricts how eval may be used.

Regarding security - Capabilities for Lua: what experience is there?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/4134114/
