Capabilities for Lua: what experience is there?

There's been some discussion on the cap-talk mailing list around whether Lua and Javascript support the object-capability model, with the conclusion that because of support for restricting the environment to called functions through setfenv, and the possibility of unforgeable references to immutable objects, the OCM could be implemented.

Have we seen how this works out? I'm interested in removing exploits from an existing application with very useful, generous scripting support in Lua that unfortunately allows full shell access in all kinds of cases. Some shell access is needed: the object-capability model seems like a good way to manage things. But I worry about how convincing a case I can make that this approach will actually be verifiably secure in the sure-to-be messy practice.

Some links:

  1. Older SO question: How can I create a secure Lua sandbox?
  2. Background at erights.org: From Objects To Capabilities
  3. Lua wiki: SandBoxes and ReadOnlyTables - shows setfenv in action; shows basic idea behind tables that can, under the right circumstances, be made read only
Charles Stewart asked Nov 09 '10 13:11
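The two primitives the question leans on, setfenv and read-only tables, compose into a small capability-style sandbox. The following is an added example, not code from the question, its links, or any project it mentions; it assumes Lua 5.1 (setfenv and loadstring were removed in 5.2, where the environment is instead passed as the fourth argument of load()), and the host operations, script and names (`readonly`, `make_capability`, `run_sandboxed`, `cap`) are constructed for illustration. The point it shows is attenuation: the script never receives `os` or `io` at all; it receives one closure that performs a fixed, named operation, so the authority it holds is exactly the set of entries the host chose to grant.

```lua
-- Added example (not from the question or its links). Assumes Lua 5.1.

-- Read-only view of a table: reads fall through to `t`, writes raise, and the
-- metatable is hidden so a script cannot replace it with setmetatable.
local function readonly(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function(_, k)
      error("attempt to modify read-only field '" .. tostring(k) .. "'", 2)
    end,
    __metatable = false,
  })
end

-- Attenuation: the script gets one closure, not the `os` table. Granting a
-- new capability means adding an entry to `allowed`, in host code the
-- script cannot reach.
local function make_capability(allowed)
  return function(name, ...)
    local op = allowed[name]
    if not op then
      return nil, "no capability granted for '" .. tostring(name) .. "'"
    end
    return op(...)
  end
end

-- Host-side operations (constructed for this example): narrow views of os.
local host_ops = {
  current_user = function() return os.getenv("USER") or "unknown" end,
  today        = function() return os.date("%Y-%m-%d") end,
}

-- Run `code` with an environment holding only pure primitives plus `caps`.
-- Deliberately absent: os, io, require, dofile, loadstring, getfenv, setfenv,
-- rawset, rawget, getmetatable, setmetatable, debug, package, and the real _G
-- (so the script cannot walk back to the host's globals).
local function run_sandboxed(code, caps)
  local env = {
    tostring = tostring, tonumber = tonumber, type = type,
    pairs = pairs, ipairs = ipairs, select = select, unpack = unpack,
    error = error, pcall = pcall, assert = assert,
    string = readonly(string), table = readonly(table), math = readonly(math),
  }
  for k, v in pairs(caps) do env[k] = v end
  env._G = env   -- a _G that points back at the sandbox, not the host globals

  local chunk, err = loadstring(code, "=script")
  if not chunk then return false, err end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Constructed script standing in for user-supplied scripting.
local script = [[
  local user = cap("current_user")
  local denied, why = cap("shell")                          -- never granted
  local ok_write = pcall(function() string.rep = nil end)   -- read-only table
  return {
    user_is_string  = type(user) == "string",
    shell_denied    = denied == nil and why ~= nil,
    os_hidden       = os == nil and io == nil and setfenv == nil,
    string_readonly = not ok_write,
  }
]]

local ok, result = run_sandboxed(script, { cap = make_capability(host_ops) })
assert(ok, result)
for k, v in pairs(result) do assert(v, k .. " check failed") end
print("sandbox checks passed")
```

Two caveats a reviewer would raise against this as the "verifiably secure" argument the question asks about. First, the sandbox reasons only about reachability of references: every function placed in `env` must itself be audited for what it can reach (a closure that captures the host's `os` re-exports it in full, which is why `host_ops` exposes fixed operations rather than `os.getenv` or `os.execute` themselves). Second, it says nothing about resource exhaustion; a script can still loop forever or allocate until the process dies, so a host that cares about availability also needs an instruction-count hook (debug.sethook, installed from host code) and a memory check around the pcall.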


1 Answer

I can't speak to Lua but for Javascript, Caja has tooling to create a proper sandbox, limiting access to only certain functions. It was originally created to build a sandbox for HTML/JS widgets (like those used on iGoogle).

http://code.google.com/p/google-caja/

Here's a description of the project from their homepage:

Caja (pronounced "KA-ha") is a Spanish word that means box, bank, cash register, vault; a container for valuables. A web developer uses traditional tools like HTML, JavaScript, and CSS; and Caja provides a compiler (a "cajoler") that takes the web application and produces a "cajoled" HTML web application. The cajoler tries to verify security properties by doing static analysis, and where it cannot it rewrites the input to add runtime checks.

Since web applications make common use of browser APIs, e.g. the DOM APIs, that give a huge amount of control over the web page, Caja provides tamed APIs that virtualize portions of the DOM. A containing page can set up the embedding application's environment so that the embedded application thinks it is interacting with the DOM of a full page, but is in fact only manipulating a bounded portion of the containing page via a mechanism called virtual iframes.

The JavaScript that a Caja application uses is written in a fail-stop subset of JavaScript (actually EcmaScript5). This subset, called "Valija", includes almost the entire JavaScript language, but removes a few error-prone constructs such as with and restricts how eval may be used.

Shakakai answered Sep 30 '22 06:09