SecureLuaVirtualMachine - Controlled Execution Environment

HexadecimalLiker · January 2, 2024, 12:30am

[] SLVM (SecureLuaVirtualMachine)

SLVM (SecureLuaVirtualMachine) is a secure Lua virtual machine based on the FiOne Project by Rerumu, to provide a controlled execution environment for Lua code, mainly for games allowing the execution of untrusted usercode, like Studio Lite or Lua Learning . This topic provides an overview of the functionalities, usage instructions, and features of the Secure Lua Virtual Machine.

Testing place is available @ SLVM - SecureLuaVirtualMachine - Roblox

Features

SLVM has plenty of features to help you control execution of code:

Closure Hooking: SLVM enables the exploit-like powerful hooking system of closures within the virtual machine, allowing controlled modifications to their behavior.
Read and Write Hooks: You can create read and write hooks, such as preventing read methods on specific objects (e.g., the game object) to restrict access to certain properties using the LuaVM:CheckCString method to compare 2 strings safely.
Env Table for Custom Variables: The Env table allows the definition of custom variables and their associated behaviors within the virtual machine.
Restrictions: It allows the prevention of access to sensitive elements like the game object or global instances using rules.
Call Sandboxing: (Additional setting) Prevents xpcall / any callstack-based attack that circumvents hooks or restrictions by isolating every function call, which hides the callstack.
Loop Throttling: (Additional setting) SLVM offers an optional loop throttler to prevent common crashing methods such as while true do end or for i = 1, math.huge do

…and many more!

Usage

To use SLVM in your project, follow these steps:

Installation:
Add the SLVM Module file onto a secure location like ServerScriptService, then in one of your scripts, require the main module:

local SLVM = require(path.to.slvm)

Creating a Secure Lua Virtual Machine Instance

--> First argument is `ChunkName` which is a string, second argument is `Env` which provides additional globals to the Virtual Machine. Both of them are optional.
local LuaVM = SLVM.LuaVM.new("UntrustedCode@" .. Player.Name, {
    CodeInvoker = Player, --> Adds new variable to environment
    _VERSION = "Lua 1.2.3" --> Overwrites built-in global "_VERSION"
})

Using the Secure Lua Virtual Machine

Once you’ve created an instance of the Secure Lua Virtual Machine (SLVM.LuaVM), you can utilize its functionalities, such as:

Managing Sandbox Rules:

-- Define and add a new rule
local TableFindRestriction = SLVM.Rule.new(SLVM.Enum.RuleType.ClosureRestriction, table.find, "Table.Find is not allowed to be referenced / returned by functions!") --> Analyzes stack, getglobal & call opcodes for hooks and restrictions
LuaVM:AddRule(TableFindRestriction)

-- Remove the newly added rule
LuaVM:RemoveRule(TableFindRestriction)

Run code:

-- (i) -> Run is just a shortcut to LuaVM:Compile(Code)(...)! 
local Number = LuaVM:Run("print('Hello, Secure Lua Virtual Machine!'); return ...", 123) --> will return 123

Compile code:

local CompiledFunc, FailReason = LuaVM:Compile("return function(MyNumber) return MyNumber * 10; end")
if CompiledFunc then
    print("Result with calling 10: " .. CompiledFunc(10)) --> Result with calling 10: 100
else
    warn("Error compiling code: " .. FailReason)
end

Hooking Closures

-- Hook a closure (in this example, print) inside the virtual machine
local OriginalPrint; OriginalPrint = LuaVM:ReplaceClosure(print, function(...)
    return OriginalPrint("Hooked via SLVM!", ...)
end)

LuaVM:Run("print(123)") --> "Hooked via SLVM! 123"

Hooking Read & Write on objects

Only use LuaVM:CheckCString with the first argument being a string you want to check with (for example “Parent”) and the second string being the “Index” one (or any unknown string). It is very important to not switch up the two arguments as the behavior of the function will change

-- /!\ If an instance is passed to AddXHook, it will automatically apply that to all instances.
-- The following code snippet blocks the manipulation and reading of "Parent".
LuaVM:AddReadHook(game, function(self, Index, NormalValue)
	if type(Index) == "string" then
		if LuaVM:CheckCString("Parent", Index) or LuaVM:CheckCString("parent", Index) then
			error("Not allowed to read Parent", 2)
		end
	end
	
	return NormalValue
end)

LuaVM:AddWriteHook(game, function(self, Index, NewValue)
	if type(Index) == "string" then
		if LuaVM:CheckCString("Parent", Index) or LuaVM:CheckCString("parent", Index) then
			error("Not allowed to write Parent", 2)
		end
	end
	
	return NewValue
end)

Managing Additional Settings

-- Check if a specific additional setting is enabled
local IsSettingEnabled = LuaVM:IsAdditionalSettingEnabled(SLVM.Enum.AdditionalSettings.SandboxCalls)

-- Enable or disable additional settings
LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleLoopInstructions)
LuaVM:DisableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleLoopInstructions)

Contributing

We welcome contributions from the community! If you have suggestions, improvements, or bug fixes, feel free to reply to this topic explaining the issue, shoot me a Devforum PM, or join the ASense Community Server!

Documentation

There isn’t any documentation right now simply because I am not sure what base to use for the documentation. If you have any good tool to help me out, feel free to contact me!

License

This project is licensed under the same terms as FiOne, the GNU GPL v3 License, allowing for free and commercial usage, modification, and distribution.

Credits

SLVM is developed and maintained by the ASense Team, and made possible thanks to more specifically:

Especially Musli / thispassed (@AverageOnionUser) & Unlimited (@Unlimited_Objects): Helping finding sandbox escaping exploits in a real-case scenario
omwot (@elomwot): Giving server crash method regarding threads
Daily (@daily3014TheGod): Giving server crash method regarding SharedTable
Europa (@MrJake092209): Giving server crash method regarding the buffer library
XNX (@XoifailTheGod): Finding bug which would make a specific perlin benchmark error
Jeremy (@CodedJer): Testing
EDM (@OneEDM): Testing

- Thank you for using SLVM! If you encounter any issues or need some questions answered, don’t hesitate to reach out to me. Happy coding!

CodedJer · January 2, 2024, 12:33am

This is probably one of the most useful community resources in my opinion.

freakphantoms · January 2, 2024, 12:36am

Useful post, will try this out later make some more stuff like this!

MrJake092209 · January 2, 2024, 2:12am

Hey guys, have you heard of this silly thing called the buffer library

Nevermind

HexadecimalLiker · January 2, 2024, 2:17am

What do you mean by that @MrJake092209 ?

MrJake092209 · January 2, 2024, 2:22am

Absolutely nothing important

HexadecimalLiker · January 2, 2024, 2:23am

If you are talking about the crash method concerning buffer.fill, me and @AverageOnionUser are trying to mitigate this ASAP. Will push the update once buffer is no longer a studio beta.

vParkuu · January 2, 2024, 2:37am

this is great, however would be better if it had Luau support.
luau projects: Fiu and LuauInLuau

HexadecimalLiker · January 2, 2024, 2:39am

LuauInLuau is NOT made to be used in production
Maybe, just maybe ill take Fiu into consideration

Luau support would be considerably harder, which is why it is not on my list of priorities. Thank you for your suggestion though

vParkuu · January 2, 2024, 2:41am

idk what u mean by that but would be really helpful if you added Fiu support, I’m currently remaking roblox studio inside roblox and it would make things much better! keep up the good work

HexadecimalLiker · January 2, 2024, 2:44am

When taking a quick look at this gist, you can see that the file size is GINORMOUS Luau translated to Luau, as a Studio compatible script · GitHub

This is because it is WebAssembly translated back to Lua using Wasynth
Fiu on the other hand is just the Luau bytecode interpreter and is way easier to modify

vParkuu · January 2, 2024, 2:47am

oh alr, thanks for the explanation!

vParkuu · January 2, 2024, 2:49am

also, I tried the testing place and scripts seems to take a bit to actually run, is there any way of speeding it up?

HexadecimalLiker · January 2, 2024, 2:38pm

SLVM Update

Fixed slow execution caused by the SandboxCalls additional setting.
Fixed a possible sandbox-escape vulnerability in the isolate_call_synchronous function

NOTE: It is VERY RECOMMENDED that you enable the SandboxCalls additional setting by adding the following:

LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.SandboxCalls)

Update now: https://create.roblox.com/marketplace/asset/15839058628/Secure-Lua-Virtual-Machine

bluebxrrybot · January 2, 2024, 3:40pm

We really needed a new lua compiler! Thanks for working really hard to make this.

icymanred · January 2, 2024, 5:32pm

doesn’t work on my machine, please fix

HexadecimalLiker · January 2, 2024, 6:22pm

what do you mean???ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ

jahnsdf · January 2, 2024, 6:45pm

Looks good. Now make SLVM so advanced that even my computer’s feelings are protected. I don’t want my pc catching emotions from malicious code.

HexadecimalLiker · January 2, 2024, 10:43pm

SLVM Update

Added warning about CheckCString usage in the topic
Fixed vulnerability that would allow the run_lua_func function to be used in order to bypass restrictions using debug.info - Fix: now errors when returned by any function
Made SandboxCalls setting enabled by default - disabling it will emmit a warning

To get alerted quickly when an updates releases or a vulnerability is found, make sure to join our community server

It is optional but really recommended

Update now: https://create.roblox.com/marketplace/asset/15839058628/Secure-Lua-Virtual-Machine

icymanred · January 2, 2024, 10:46pm

hi this new update crashes my game, please fix this immediately