<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:x =
"urn:schemas-microsoft-com:office:excel" xmlns:p =
"urn:schemas-microsoft-com:office:powerpoint" xmlns:a =
"urn:schemas-microsoft-com:office:access" xmlns:dt =
"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s =
"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs =
"urn:schemas-microsoft-com:rowset" xmlns:z = "#RowsetSchema" xmlns:b =
"urn:schemas-microsoft-com:office:publisher" xmlns:ss =
"urn:schemas-microsoft-com:office:spreadsheet" xmlns:c =
"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa =
"urn:schemas-microsoft-com:office:activation" xmlns:html =
"http://www.w3.org/TR/REC-html40" xmlns:q =
"http://schemas.xmlsoap.org/soap/envelope/" XMLNS:D = "DAV:" xmlns:x2 =
"http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois =
"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir =
"http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds =
"http://www.w3.org/2000/09/xmldsig#" xmlns:dsp =
"http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc =
"http://schemas.microsoft.com/data/udc" xmlns:xsd =
"http://www.w3.org/2001/XMLSchema" xmlns:sps =
"http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi =
"http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf =
"http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf =
"http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver =
"http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml" xmlns:ex12t =
"http://schemas.microsoft.com/exchange/services/2006/types"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR>
<STYLE>@font-face {
font-family: Cambria Math;
}
@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 70.85pt 70.85pt 56.7pt 70.85pt; }
P.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
LI.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
DIV.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P.MsoListParagraph {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34
}
LI.MsoListParagraph {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34
}
DIV.MsoListParagraph {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt 0.5in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34
}
SPAN.EmailStyle18 {
COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle19 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
OL {
MARGIN-BOTTOM: 0in
}
UL {
MARGIN-BOTTOM: 0in
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>You'll want to apply CodeAccessSecurity constraints to
limit access to various pieces of functionality like Assembly.Load,
etc...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>Basically, before you run any of this "untrusted" code, you
should enter a minimum security context that specifically does not have
permission to access the filesystem, run native code, link to other libraries
and whatnot. It should only be able to do relatively "safe" things that
prevent the code from exiting the .Net sandbox. In your own game
libraries, you'll want to ensure that your methods can be called from a
Partially Trusted context and can Demand the necessary priviledges to run.
However, be </FONT></SPAN><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>aware that locking up the CPU is just one of many denial of
service techniques a malicious (or careless) game user or designer might
employ. Such a user might also cause log files to pile up, cause stack
overflows, generate unreasonable network traffic, cause huge numbers of
exceptions to be thrown, allocate large numbers of objects, leak memory and so
on. CodeAccessSecurity will really cut down on how much of this can be
done by user code, but you do need to very careful when you write your library
to ensure that none of its functions can be abused (even
innocently!).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>In any case, assuming you deny the
SecurityPermissionFlag.ControlThread permission, then you can use Thread.Abort()
to kill the thread. As Dino suggested you set up a monitoring thread that
enforces the quantum and calls Thread.Abort(). If the code that's running
does not have ControlThread (and can't block in unusual ways) then it cannot
call Thread.ResetAbort() to prevent its shutdown. It _should_ shut down
pretty quickly. I wouldn't be surprised if using Thread.Abort() were not
completely robust but doing it within .Net (instead of via native code as I
think Dino implies) is at least guaranteed not to trash the runtime
environment.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>You might be interested in the constrained execution model
that was added to .Net 2.0 to support integration with the CLR. It
specifies that only code that satisfies certain reliability contracts may
run. Check out this article: <A
href="http://msdn2.microsoft.com/en-us/library/ms228973.aspx">http://msdn2.microsoft.com/en-us/library/ms228973.aspx</A>
It doesn't sound like you need to be quite that paranoid
though.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>Someone out there must have already implemented a robust
.Net sandbox for just the kind of thing you're trying to do... Look
around. It may be hard to find something that will work with IronPython
because it uses a lot of reflection and its builtin modules might not be
completely safe w.r.t. CodeAccessSecurity (might expose dangerous public
methods). I'm just guessing here...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=677464605-07042007><FONT face=Arial
color=#0000ff size=2>Jeff.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@lists.ironpython.com
[mailto:users-bounces@lists.ironpython.com] <B>On Behalf Of </B>Dino
Viehland<BR><B>Sent:</B> Friday, April 06, 2007 2:43 PM<BR><B>To:</B> Discussion
of IronPython<BR><B>Subject:</B> Re: [IronPython] Restricting
IronPython<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">There’s two ways I can think of
how to enforce the time limit:<o:p></o:p></SPAN></P>
<P class=MsoListParagraph
style="MARGIN-LEFT: 0.75in; TEXT-INDENT: -0.25in; mso-list: l1 level1 lfo3"><![if !supportLists]><SPAN
style="COLOR: #1f497d"><SPAN style="mso-list: Ignore">1.<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN></SPAN><![endif]><SPAN style="COLOR: #1f497d">An external monitor
which aborts the thread when a quantum has expired. This has the problem
of potentially aborting at any native CPU instruction which most code is in no
way prepared to handle. Therefore <o:p></o:p></SPAN></P>
<P class=MsoListParagraph
style="MARGIN-LEFT: 0.75in; TEXT-INDENT: -0.25in; mso-list: l1 level1 lfo3"><![if !supportLists]><SPAN
style="COLOR: #1f497d"><SPAN style="mso-list: Ignore">2.<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN></SPAN><![endif]><SPAN style="COLOR: #1f497d">Update CodeGen to
emit checks to see if the current quantum has expired. Most likely you’d
want to do this on every back-branch within the IL. I’m not sure how
exactly you’d detect that w/o putting an abstraction around the Label structure
so you know where each label lives within the IL. For compiler generated
loops which you know to be bounded you could eliminate the check also and only
do it for user defined loops.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
users-bounces@lists.ironpython.com [mailto:users-bounces@lists.ironpython.com]
<B>On Behalf Of </B>Markus Hajek<BR><B>Sent:</B> Friday, April 06, 2007 6:33
AM<BR><B>To:</B> users@lists.ironpython.com<BR><B>Subject:</B> [IronPython]
Restricting IronPython<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Hi,<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I’m evaluating IronPython for use as a scripting language in
a game server. Designers would use it for game-logic.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Because designers typically are not engineers, one cannot
expect them to follow common good practices. So I need to restrict what their
script code can do in a few ways:<o:p></o:p></P>
<P class=MsoListParagraph
style="TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo2"><![if !supportLists]><SPAN
style="mso-list: Ignore">a.<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN><![endif]>They should not be able to use any libraries other than
what we expose to them explicitly. That includes Python libraries (other than
local) and .NET-Framework libraries.<o:p></o:p></P>
<P class=MsoListParagraph
style="TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo2"><![if !supportLists]><SPAN
style="mso-list: Ignore">b.<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN><![endif]>For framework classes it’s necessary to expose only
certain members of these classes that are meant to be used from
Python.<o:p></o:p></P>
<P class=MsoListParagraph
style="TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo2"><![if !supportLists]><SPAN
style="mso-list: Ignore">c.<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN><![endif]>It should be possible to time-limit execution time of a
script. Designers might build scripts that under certain circumstances enter an
infinite loop or something similar. In such a case, script execution should be
aborted.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Now with a) it’s easy enough to take away access to Python
libraries. Neither is there a problem with .NET framework stuff because you need
to add a reference explicitly – with two exceptions, mscorlib.dll and system.dll
are referenced automatically. I wrote a patch to get around this (PythonEngine
and ReflectedPackage). With this patch you have two boolean properties in
EngineOptions, AutoReferenceMscorlib and AutoReferenceSystem which by default
are set to true to keep behavior as it is, but can be set to false, too, with
the expected effect.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>For b) it turns out there is no easy way of having a
framework classes expose only certain methods/properties by for example passing
only an interface to Python. That just doesn’t work because Python will allow
access to any public member of the concrete instance. One way around that would
be to write adapter for each framework class (like: for class Player create
class PythonPlayer which holds an instance of Player as private member and
exposes only those members publicly that should be visible from Python), but
that would be tedious. So I created another patch (Attributes and ReflectedType)
which adds a new attribute [DoNotExpose] to IronPython. Framework code writers
can decorate properties, methods, fields, nested types etc. with this attribute.
Members decorated such won’t be visible to Python code. Again, by default
behavior is not changed as no code has this attribute.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>With c) I am stuck. I’m not at all sure where I could add
such functionality with minimum impact to the existing codebase.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Any ideas on that?<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Besides, any feedback to the patches would be most welcome,
too.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Happy Easter holidays,<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Max Hajek<o:p></o:p></P>
<P class=MsoNormal>Vienna<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P></DIV></BODY></HTML>