
Safety (executing untrusted AngelScript code)


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.


#1 collinstocks   Members   -  Reputation: 104


Posted 31 May 2013 - 09:55 PM

I am planning to create an application which is similar to a web browser in some respects: it executes untrusted code in order to manipulate its behavior. In a web browser, this would be the display. In my application, it may be the display or possibly some other things. What is manipulated is not really very important.

 

AngelScript seems to be exactly what I am looking for: it is fast, its syntax is familiar, it can be embedded in an application, it supports multiple contexts (I forget the technical term you use in your documentation), it has good documentation, and it is sandboxed, that is, the script will only have access to the functions I give it access to.

 

I just had a few questions about the safety of running untrusted AngelScript code, and specifically the bytecode.

 

If I provide the AngelScript environment with the function with prototype "void print(const string &in)" (as per an example in the documentation), what is the behavior of a script which calls "print(0)"? Will this fail to compile to bytecode? I would assume that this would probably be the case.

 

How about a different scenario: An evil person (Eve) provides the AngelScript environment with "void print(const int &in)" and compiles her program which calls "print(0)" to bytecode. She then exports the bytecode and sends it over a network to me.

 

I then load the bytecode into an AngelScript VM which is provided the original function with prototype "void print(const string &in)" instead of Eve's version. What is the behavior in this case?

 

More generally, is it safe to load untrusted bytecode into the AngelScript VM assuming that I only provide the AngelScript environment with safe functions? Is there any unrestricted memory access that the bytecode is capable of performing? Is it able to, for example, treat integers as pointers and follow them, or free a pointer and then follow it, or double-free a pointer?

tl;dr: Can I execute untrusted AngelScript bytecode sent from an untrusted server, or should I compile AngelScript code at the client end before running it?

Edit (answer): According to "Things to remember" on this page in the documentation, it is not safe to execute untrusted bytecode. I am really grateful for the extensive documentation you have created!


Edited by collinstocks, 02 June 2013 - 07:56 PM.



#2 Andreas Jonsson   Moderators   -  Reputation: 3293


Posted 13 June 2013 - 03:49 PM

You can trust code that you're compiling within the application. It will not be able to successfully compile and execute invalid scripts.

 

Pre-compiled bytecode is another matter. There is no validation during the loading of the bytecode, except to link with the correct functions and properties. If you plan to run pre-compiled bytecode you need to make sure you can authenticate the bytecode comes from a trusted source. Presumably you'll want to use something like digital signatures to do that.


AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game
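The answer above boils down to a gating rule: loading pre-compiled bytecode performs no validation beyond linking, so the host must authenticate the bytecode before handing it to the VM, and it should also make sure the bytecode was compiled against the same host interface it is about to link with (the "void print(const int &in)" versus "void print(const string &in)" case from the question). The following is an added example of that gate, written for this page and not code from AngelScript or from either poster. It uses HMAC-SHA256 from the Python standard library as a stand-in for the digital signature the answer recommends; in the original scenario, where the server is untrusted, the client should hold only a public key and verify an asymmetric signature (for example Ed25519) so that no signing secret ever lives on the client. The envelope format (`MAGIC`, the interface fingerprint, the length prefix) is an assumption made up for this example, and the sample key and bytecode bytes are constructed. Nothing here makes bytecode loading itself safe; it only ensures that the VM never sees bytecode that did not come from the trusted producer unmodified.

```python
import hashlib
import hmac
import struct

MAGIC = b"ASBC"        # constructed envelope tag, not an AngelScript format
FP_LEN = 32            # SHA-256 interface fingerprint
HEADER_LEN = len(MAGIC) + FP_LEN + 4   # magic + fingerprint + u32 length
TAG_LEN = 32           # HMAC-SHA256 tag


class UntrustedBytecode(Exception):
    """Raised whenever the envelope fails any check; the VM must not load it."""


def interface_fingerprint(declarations):
    """Hash of the host interface the bytecode was compiled against.

    `declarations` are the function declarations as the host registers them,
    e.g. "void print(const string &in)". Sorted so registration order does
    not matter; NUL-separated so concatenation cannot be ambiguous.
    """
    h = hashlib.sha256()
    for decl in sorted(declarations):
        h.update(decl.encode("utf-8") + b"\0")
    return h.digest()


def seal_bytecode(key, bytecode, declarations):
    """Producer side: bind bytecode to the interface it was built for, then MAC it.

    The tag covers the magic, the fingerprint, the length and the bytecode, so
    none of them can be altered independently.
    """
    body = MAGIC + interface_fingerprint(declarations) \
        + struct.pack(">I", len(bytecode)) + bytecode
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_and_unseal(key, blob, declarations):
    """Consumer side: return the raw bytecode only if every check passes.

    Authentication runs first, before any field of the envelope is parsed, so
    a forged or corrupted blob is rejected without being interpreted at all.
    """
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise UntrustedBytecode("truncated envelope")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise UntrustedBytecode("authentication tag mismatch")

    # Only now is it safe to look inside the envelope.
    if body[:len(MAGIC)] != MAGIC:
        raise UntrustedBytecode("bad envelope magic")
    fp = body[len(MAGIC):len(MAGIC) + FP_LEN]
    (length,) = struct.unpack(">I", body[len(MAGIC) + FP_LEN:HEADER_LEN])
    bytecode = body[HEADER_LEN:]
    if len(bytecode) != length:
        raise UntrustedBytecode("length field does not match payload")
    if not hmac.compare_digest(fp, interface_fingerprint(declarations)):
        raise UntrustedBytecode(
            "bytecode was compiled against a different host interface")
    return bytecode


def check_cases():
    """Exercise the gate against the situations discussed in the thread.

    Returns a dict of case name -> True if the gate behaved as intended.
    """
    key = b"constructed-demo-key-do-not-reuse"   # constructed sample secret
    bytecode = b"\x01\x02\x03\x04"               # constructed stand-in payload
    host_iface = ["void print(const string &in)"]
    eve_iface = ["void print(const int &in)"]
    results = {}

    good = seal_bytecode(key, bytecode, host_iface)
    results["genuine_loads"] = verify_and_unseal(key, good, host_iface) == bytecode

    # One bit flipped inside the bytecode region: tag no longer matches.
    i = HEADER_LEN + 1
    tampered = good[:i] + bytes([good[i] ^ 0x01]) + good[i + 1:]
    results["tampered_rejected"] = _rejected(key, tampered, host_iface)

    # Bytecode built against Eve's print(const int &in): fingerprint mismatch.
    mismatched = seal_bytecode(key, bytecode, eve_iface)
    results["wrong_interface_rejected"] = _rejected(key, mismatched, host_iface)

    # Blob sealed with a key the host does not trust.
    forged = seal_bytecode(b"some-other-key", bytecode, host_iface)
    results["wrong_key_rejected"] = _rejected(key, forged, host_iface)

    results["truncated_rejected"] = _rejected(key, good[:10], host_iface)
    return results


def _rejected(key, blob, declarations):
    try:
        verify_and_unseal(key, blob, declarations)
    except UntrustedBytecode:
        return True
    return False


if __name__ == "__main__":
    for name, ok in check_cases().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The host would call `verify_and_unseal` with the key and the exact list of declarations it registers with the engine, and pass the returned bytes to the engine's bytecode loader only on success; any exception means the blob is dropped and logged. Binding the interface fingerprint into the authenticated envelope is what turns the "compiled against a different `print`" case from undefined behaviour inside the VM into a clean rejection at the boundary.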
