Safety (executing untrusted AngelScript code)

Started by June 01, 2013 03:55 AM
0 comments, last by WitchLord 11 years, 5 months ago

I am planning to create an application which is similar to a web browser in some respects: it executes untrusted code in order to manipulate its behavior. In a web browser, this would be the display. In my application, it may be the display or possibly some other things. What is manipulated is not really very important.

AngelScript seems to be exactly what I am looking for: it is fast, its syntax is familiar, it can be embedded in an application, it supports multiple contexts (I forget the technical term you use in your documentation), it has good documentation, and it is sandboxed---that is, the script will only have access to the functions I give it access to.

I just had a few questions about the safety of running untrusted AngelScript code, and specifically the bytecode.

If I provide the AngelScript environment with the function with prototype "void print(const string &in)" (as per an example in the documentation), what is the behavior of a script which calls "print(0)"? Will this fail to compile to bytecode? I would assume that this would probably be the case.

How about a different scenario: An evil person (Eve) provides the AngelScript environment with "void print(const int &in)" and compiles her program which calls "print(0)" to bytecode. She then exports the bytecode and sends it over a network to me.

I then load the bytecode into an AngelScript VM which is provided the original function with prototype "void print(const string &in)" instead of Eve's version. What is the behavior in this case?

More generally, is it safe to load untrusted bytecode into the AngelScript VM assuming that I only provide the AngelScript environment with safe functions? Is there any unrestricted memory access that the bytecode is capable of performing? Is it able to, for example, treat integers as pointers and follow them, or free a pointer and then follow it, or double-free a pointer?

tl;dr: Can I execute untrusted AngelScript bytecode sent from an untrusted server, or should I compile AngelScript code at the client end before running it?

Edit (answer): According to "Things to remember" on this page in the documentation, it is not safe to execute untrusted bytecode. I am really grateful for the extensive documentation you have created!

You can trust code that you're compiling within the application. It will not be able to successfully compile and execute invalid scripts.

Pre-compiled bytecode is another matter. There is no validation during the loading of the bytecode, except to link with the correct functions and properties. If you plan to run pre-compiled bytecode you need to make sure you can authenticate that the bytecode comes from a trusted source. Presumably you'll want to use something like digital signatures to do that.

AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game
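
The signature check suggested in the reply above, as an added example that is not part of the original thread and not AngelScript code: the client holds a pinned Ed25519 public key and releases bytecode to the VM loader only after the signature verifies. It is written in Go because its standard library includes Ed25519; the container layout and the names `Seal`, `Open` and `demo` are assumptions made for this sketch, and in a C++ host the same check would run before the bytes are handed to the engine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assumed layout (not an AngelScript format): "ASBC1" | 64-byte signature | bytecode
var magic = []byte("ASBC1")
var ErrMalformed, ErrSignature = errors.New("malformed container"), errors.New("invalid signature")

// signedMessage binds the signature to this container format and the bytecode.
func signedMessage(bytecode []byte) []byte {
	return append(append([]byte{}, magic...), bytecode...)
}

// Seal is the publisher side: sign freshly compiled bytecode.
func Seal(priv ed25519.PrivateKey, bytecode []byte) []byte {
	out := append([]byte{}, magic...)
	out = append(out, ed25519.Sign(priv, signedMessage(bytecode))...)
	return append(out, bytecode...)
}

// Open is the client side: bytecode is returned only if the pinned key verifies it.
func Open(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	n := len(magic) + ed25519.SignatureSize
	if len(blob) < n || !bytes.HasPrefix(blob, magic) {
		return nil, ErrMalformed
	}
	if !ed25519.Verify(pub, signedMessage(blob[n:]), blob[len(magic):n]) {
		return nil, ErrSignature
	}
	return blob[n:], nil
}

// demo runs Open on a constructed blob: intact, checked against another key, one byte appended.
func demo() (got []byte, intact, wrongKey, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // demo keys; a client ships only pub
	otherPub, _, _ := ed25519.GenerateKey(nil)
	blob := Seal(priv, []byte("constructed stand-in for bytecode"))
	got, intact = Open(pub, blob)
	_, wrongKey = Open(otherPub, blob)
	bad := append(append([]byte{}, blob...), 0)
	_, tampered = Open(pub, bad)
	return
}
func main() { fmt.Println(demo()) }
```

A valid signature only says who produced the bytecode; it must still have been compiled against the same registered functions the loading application exposes.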
