Requirements for a restricted execution runtime

I don't care what the language is, just please someone give me a runtime with these properties:

  1. Namespace restriction. Encapsulation. Capabilities. Whatever: the code should only be able to do what I say it can do.
  2. CPU timeslice restriction: Either I should be able to run some code for a fixed amount of CPU time, pause it, and then resume it where it left off, or I should be able to run some code asynchronously, giving it 1/Nth of the CPU time.
  3. Memory allocation restrictions: this user's code should only be able to allocate up to N megabytes.
  4. Efficient at rather high scales: I should be able to run at least 500, maybe 1000 completely isolated functions concurrently. If all they're doing is sleep()ing, then this shouldn't put the host under heavy load.
  5. Some simple way to expose new, audited functions. This is pretty easy. If it can't run in a Python process and allow Python functions to be exposed to it, then I can at least run it in a separate process with method invocations going over a trivial RPC protocol.
  6. A decent set of secure built-in operations, but nothing really fancy. People are going to be interfacing with my API and nothing else, so they won't need a hugely rich core language API. It does need to be secure, though: large exponentiation should either be disallowed or interruptible, for example.
  7. Secure, ok? For example, don't talk to me about Python (as implemented by CPython). I have very little trust for any restricted execution system that's tacked onto an existing complex runtime.

In case you need some context for these requirements to make sense, think LambdaMOO or Second Life. Any user can upload code to run with their rights; it can manipulate the world through an audited "trusted" API. The code isn't allowed to interfere with the host system or other users' code. Another possible application is a wiki which allows people to upload code to be executed when a page is viewed.
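As an added illustration (not code from this post), here is a toy bytecode runtime in Python that enforces three of the properties above: the guest can only reach host functions it was explicitly handed (1), it executes for an instruction budget and can be paused and resumed, so N guests can be round-robined (2), and it cannot allocate past a cell quota (3). The opcodes, `Task`, `SandboxError` and `round_robin` are all invented for this example.

```python
# Added example: a minimal guest VM whose only authority is what the host passes in.
class SandboxError(Exception):
    """Raised when guest code steps outside what the host allowed it."""

class Task:
    """One isolated guest program: its bytecode plus its own pc, stack and heap."""

    def __init__(self, code, caps, max_cells):
        self.code = code            # list of (op, arg) pairs in the toy bytecode
        self.caps = caps            # name -> host callable; the guest's ONLY outside reach
        self.max_cells = max_cells  # heap quota in cells (property 3)
        self.pc, self.stack, self.cells, self.done = 0, [], 0, False

    def step(self):
        op, arg = self.code[self.pc]
        self.pc += 1
        if op == "PUSH":
            self.stack.append(arg)
        elif op == "ALLOC":         # charge the quota before granting memory
            if self.cells + arg > self.max_cells:
                raise SandboxError("memory quota exceeded")
            self.cells += arg
        elif op == "CALL":          # capability lookup: no name, no authority (property 1)
            fn = self.caps.get(arg)
            if fn is None:
                raise SandboxError(f"no capability {arg!r}")
            self.stack.append(fn(self.stack.pop()))
        elif op == "JMP":
            self.pc = arg
        elif op == "HALT":
            self.done = True
        else:
            raise SandboxError(f"bad opcode {op!r}")

    def run(self, budget):
        """Execute at most `budget` instructions, then hand control back (property 2)."""
        for _ in range(budget):
            if self.done:
                break
            self.step()
        return "done" if self.done else "paused"

def round_robin(tasks, quantum, max_rounds):
    """Give every live task `quantum` instructions per round, i.e. 1/N of the CPU."""
    for _ in range(max_rounds):
        live = [t for t in tasks if not t.done]
        if not live:
            return True
        for t in live:
            t.run(quantum)
    return False
```

The host happens to be CPython, but the guest language is not Python, which is the point of property 7: the guest never touches the host's namespace, only the `caps` dictionary.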

Here's the list of things I've considered:

  • PLT looks damned close with its sandbox library, but its execution limitation is in terms of wall-clock seconds, not CPU seconds, and it's not continuable.
  • Monte could definitely do it some day, if its development remains steady.
  • Lua... well, can Lua do it? I'd love it if someone would actually make a point on this.
  • Haskell might be able to do it. Haskell can do anything, it seems. (I think I saw some code once which somehow implemented continuations in Haskell, for Haskell. Without being a Haskell runtime or compiler. What? I don't know.) The problem is it's inscrutable to me. I'd love it if someone commented about this.
  • Javascript? Is there actually a usable standalone implementation of Javascript? Which of these properties does it have?
  • PyPy with the sandbox translation option. It's very cool, but I'm not sure it's usable at the 1000 node scale, because I can't see a way to run multiple isolated interpreters within one process. It also misses things like CPU timeslice restriction and memory allocation restriction, as far as I can tell.

I'd love to hear your comments. If you think that an existing runtime is close and know which of these properties it lacks, I want to hear about it. If you actually know of a runtime that has all of these properties, I'll buy you fifty beers.

Search History: "R"

To continue my series of search history starting with "S", here is "R":

Intelligent Hinting

Aaron A. Reed recently announced an open beta for his Intelligent Hinting extension for Inform 7. This is an amazing extension that intelligently figures out how to solve puzzles in Inform 7-based games with high-level puzzle annotations in your I7 project.

You have to define "puzzles" and "tasks" in your own game, at implementation-time, and the extension provides a >SUGGEST command which indicates the next action to be taken to solve the current puzzle. It's surprisingly smart: if you've defined that a cloak must be placed on a particular hook, it will automatically figure out how to move the player to find the cloak, pick it up, and move the player to the hook. Not only that, it even knows how to completely automatically find keys for locked doors that are between the player and either the cloak or the hook.

Not only is this a good feature for end-users, it also offers very important benefits to implementors of IF: It makes it trivial to automatically test if your work is winnable, and it makes it similarly trivial to generate a walkthrough to publish with your game automatically.

Inform 7 has a rich and descriptive world model, and it's great to see tools that are starting to really take advantage of it in very useful ways.