Suitable language for running client code in sandbox

I want to simulate (unsafe) client code on my server, and I am looking for a suitable language to do so. I'd prefer having the clients write in the same language as I will use to simulate.

  • safety is the primary concern
  • preferably a well known language (easy for clients to learn syntax)
  • should be easy to disable/enable language features usable in the sandbox
  • would be a plus if I could actually simulate the code step by step

Ideally I would simply construct a few interfaces (and publish these), load the client's code, and simulate that code by allowing it to only use my interfaces + a subset of the standard API I carefully selected.

During this simulation I should be able to limit resources (time and memory) used by the client's code. Bonus would be if I could simulate the code step by step; that way I could always return a deterministic solution.

Performance is not really an issue. The idea is to allow clients to write a custom AI for a small game/puzzle. The game would be simulated (on the server!) and the result returned to the user.

Originally I was thinking of constructing an external DSL myself, including a parser and evaluator, but perhaps there is a ready-to-use solution out there?

Antiz asked Jan 21 '13 02:01


1 Answer

My choice would be to use some scripting language that can be used without automatically providing access to some extensive framework (like .Net or Java) - it is easier to add features than to limit them. Game engine scripting languages like Lua may be an option and usually come with implementations for multiple platforms to use them in.

General considerations:

Whatever language/framework you pick, make sure you can recover from/accept risk of:

  • fatal exceptions (like stack overflow due to recursive functions)
  • unbounded memory allocations / out-of-memory exceptions
  • long running tasks

Beware of exposing APIs that allow users to create new threads/tasks/synchronization objects (locks/semaphores) outside of your control, or building on a platform that provides such an API. Allowing such methods may open resources of your server to unlimited consumption or DoS/deadlocks...

Note that long-running tasks are a problem with any reasonable language, as you can't determine if a program ever ends by looking at it - halting problem. You have to figure out a solution no matter what platform you choose.

.Net/C#:

You can check out Terrarium, which does exactly this in .Net - running untrusted code on the user's machine in a sandboxed environment.

.Net provides a way to restrict usage of multiple APIs - How to: Run Partially Trusted Code in a Sandbox is a good starting point. Note that, as @Andrew points out, it is a good idea to verify that an assembly provided by a user (either directly or compiled from the user's sources) does not use APIs that you don't like (or even the other way around - uses just the APIs that you do allow) in addition to basic sandboxing. Partially trusted code running in a separate AppDomain gives you OK protection from not-too-hostile code.

Stack overflows are hard to prevent in general and require a custom host to handle in .Net. Long running tasks can be terminated with Thread.Abort or shutting down the AppDomain with the user's code.

Alexei Levenkov answered Sep 22 '22 19:09
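A concrete form of the "add features rather than limit them" approach the answer recommends, written in Lua since the answer suggests a game-scripting language (added example, not code from the question, the answer or any project named on the page; requires Lua 5.2 or later for `load` with an environment argument, and the `game` interface table and the budget values are constructed assumptions):

```lua
-- Added example (not from the question or the answer): a Lua 5.2+ sandbox that
-- exposes a whitelisted environment to untrusted client code and enforces an
-- instruction budget and a memory budget from a count hook.
local MAX_INSTRUCTIONS = 1e6    -- total VM instructions allowed per run
local MAX_MEMORY_KB    = 4096   -- Lua heap ceiling (whole state, see note)
local HOOK_EVERY       = 1000   -- hook fires every N instructions
-- Whitelist only pure functions. Deliberately absent: io, os, require, load,
-- dofile, debug, coroutine, setmetatable/rawset, collectgarbage, and pcall
-- (a client could use pcall to swallow the budget error raised by the hook).
-- String values still reach the real string library through their metatable
-- (("x"):rep(n) works), so the memory budget below is what bounds that.
local function make_env(api)
  return {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type,
    math   = { abs = math.abs, floor = math.floor, max = math.max,
               min = math.min, sqrt = math.sqrt, huge = math.huge },
    string = { format = string.format, sub = string.sub, len = string.len,
               lower = string.lower, upper = string.upper },
    table  = { insert = table.insert, remove = table.remove,
               concat = table.concat, sort = table.sort },
    game   = api,   -- the published interface (constructed below)
  }
end

-- Runs untrusted Lua source; returns ok (boolean) and result-or-error.
local function run_sandboxed(source, api)
  -- mode "t": reject precompiled bytecode, which the VM does not verify.
  local chunk, err = load(source, "=client", "t", make_env(api))
  if not chunk then return false, "compile error: " .. err end
  local steps = 0
  local function hook()
    steps = steps + HOOK_EVERY
    if steps > MAX_INSTRUCTIONS then error("instruction budget exceeded", 0) end
    -- Note: collectgarbage("count") covers the whole Lua state, so run each
    -- client in its own state (or process) for an exact per-client limit.
    if collectgarbage("count") > MAX_MEMORY_KB then error("memory budget exceeded", 0) end
  end
  debug.sethook(hook, "", HOOK_EVERY)
  local ok, result = pcall(chunk)
  debug.sethook()   -- always clear the hook, even after an error
  return ok, result
end

-- Constructed demo: a toy game interface and three client scripts.
local api = { board = {1, 2, 3}, move = function(i) return i * 2 end }
print(run_sandboxed("return game.move(#game.board)", api)) -- uses only the interface
print(run_sandboxed("while true do end", api))             -- stopped by the count hook
print(run_sandboxed("return os.time()", api))              -- os is not in the whitelist
```

The hook bounds CPU in VM instructions rather than wall-clock time, so the result is deterministic for a given script, which is what the question asks for; a C-level call that blocks would still need an outer process timeout.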