Embedded Lua - timing out rogue scripts (e.g. infinite loops) - anyone have an example?

Question
I have embedded Lua in a C++ application. I need to be able to kill rogue (i.e. badly written scripts) from hogging resources.
I know I will not be able to cater for EVERY type of condition that causes a script to run indefinitely, so for now, I am only looking at the straightforward Lua side (i.e. scripting side problems).
I also know that this question has been asked (in various guises) here on SO. Probably the reason why it is constantly being re-asked is that as yet, no one has provided a few lines of code to show how the timeout (for the simple cases like the one I described above), may actually be implemented in working code - rather than talking in generalities, about how it may be implemented.
If anyone has actually implemented this type of functionality in a C++ with embedded Lua application, I (as well as many other people - I'm sure), will be very grateful for a little snippet that shows:
- How to set up the timeout (on the C++ side) before running a Lua script
- How to raise the timeout event/error (C++/Lua?)
- How to handle the error event/exception (C++ side)
Such a snippet (even pseudocode) would be VERY, VERY useful indeed
Recommended answer
You need to address this with a combination of techniques. First, you need to establish a suitable sandbox for the untrusted scripts, with an environment that provides only those global variables and functions that are safe and needed. Second, you need to provide for limitations on memory and CPU usage. Third, you need to explicitly refuse to load pre-compiled bytecode from untrusted sources.
The first point is straightforward to address. There is a fair amount of discussion of sandboxing Lua available at the Lua users wiki, on the mailing list, and here at SO. You are almost certainly already doing this part if you are aware that some scripts are more trusted than others.
The second point is the question you are asking. I'll come back to that in a moment.
The third point has been discussed at the mailing list, but may not have been made very clearly in other media. It has turned out that there are a number of vulnerabilities in the Lua core that are difficult or impossible to address, but which depend on "incorrect" bytecode to exercise. That is, they cannot be exercised from Lua source code, only from pre-compiled and carefully patched byte code. It is straightforward to write a loader that refuses to load any binary bytecode at all.
With those points out of the way, that leaves the question of a denial of service attack either through CPU consumption, memory consumption, or both. First, the bad news. There are no perfect techniques to prevent this. That said, one of the most reliable approaches is to push the Lua interpreter into a separate process and use your platform's security and quota features to limit the capabilities of that process. In the worst case, the run-away process can be killed, with no harm done to the main application. That technique is used by recent versions of Firefox to contain the side-effects of bugs in plugins, so it isn't necessarily as crazy an idea as it sounds.
One interesting complete example is the Lua Live Demo. This is a web page where you can enter Lua sample code, execute it on the server, and see the results. Since the scripts can be entered anonymously from anywhere, they are clearly untrusted. This web application appears to be as secure as can be asked for. Its source kit is available for download from one of the authors of Lua.