SecureLuaVirtualMachine - Controlled Execution Environment

Is there a way I can allow players to require a specific ModuleScript and run a specific ModuleScript function?

1 Like

Yes, using hooks and read hooks it is possible:

-- Assuming VM is a LuaVM object
local allowedModule = ... -- whatever module
local requiredAllowedModule = require(allowedModule)

VM:ReplaceClosure(require, function(module)
    assert(module == allowedModule, "module cannot be required")

    return requiredAllowedModule
end)

VM:AddReadHook(requiredAllowedModule, function(self, Index, NormalValue)
    if type(Index) == "string" then
        --// CheckCString should not be used in non c function hooks
        if "someFunc" == Index then --> Replace someFunc with the function's index in the module
            return NormalValue
        end
    end

    -- tostring keeps the denial message from failing on non-string indexes
    error("cannot use function '" .. tostring(Index) .. "' from module", 2)
end)
2 Likes

So my problem is Signal.__index = Signal, because when I remove this line, this unlocks the script, but it gives me an error because __index is important afterwards. Any solution?
I enabled these settings:

LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleLoopInstructions)
LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleRecursiveCalls)
LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.SandboxCalls)

I ran exactly the script you gave me; however, if you did not find a solution to your problem, disable SandboxCalls, although that is not recommended.

I found a solution: I have put the __index script inside of a module script.
But do you have an idea how to optimize the Lua VM? Because I run a lot of scripts inside of the Lua VM and it takes 4-5 minutes to load (very annoying).

1 Like

I am no longer actively updating this module. However feel free to give suggestions and I will do my best to implement them. I sadly cannot do much regarding the VM’s speed.

2 Likes

Any way to allow Instance.new(), but only for GuiObjects?

1 Like

Set Instance to a new local variable before the rest of the script runs. You can regulate it yourself that way!

1 Like

For some reason I cannot send my answer

That’s ok! Send it when you can.

1 Like

Hi, are you able to send the answer now?

Sorry for the delay;

One can use the Roblox API dump https://github.com/MaximumADHD/Roblox-Client-Tracker/blob/roblox/Full-API-Dump.json and check if the object requested’s superclass is “GuiObject”. I cannot send a code snippet example right now, but I’ll send one when I’m available.
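An added example, not part of the post above and not SLVM's own code: a default-deny `Instance.new` wrapper driven by the `Name`/`Superclass` fields of the API dump. It walks the whole superclass chain rather than only the direct superclass, so `TextLabel` (whose superclass is `GuiLabel`) is accepted too. The class table is a constructed excerpt, `inheritsFrom` and `makeGuardedNew` are hypothetical names, and handing the wrapper to the VM (for instance with `VM:ReplaceClosure`, as in the `require` hook earlier in the thread) is assumed and not shown.

```lua
-- Constructed excerpt shaped like the decoded Full-API-Dump.json
-- (Classes[i].Name / .Superclass); in Roblox, JSON-decode the real dump.
local dump = { Classes = {
	{ Name = "Instance", Superclass = "<<<ROOT>>>" },
	{ Name = "GuiBase", Superclass = "Instance" },
	{ Name = "GuiBase2d", Superclass = "GuiBase" },
	{ Name = "GuiObject", Superclass = "GuiBase2d" },
	{ Name = "Frame", Superclass = "GuiObject" },
	{ Name = "GuiLabel", Superclass = "GuiObject" },
	{ Name = "TextLabel", Superclass = "GuiLabel" },
	{ Name = "Folder", Superclass = "Instance" },
} }

-- Name -> superclass lookup built once, before any sandboxed code runs.
local superclassOf = {}
for _, class in ipairs(dump.Classes) do
	superclassOf[class.Name] = class.Superclass
end

-- True when className is a strict descendant of ancestor in the dump.
-- Unknown names and non-string arguments resolve to nil and are rejected.
local function inheritsFrom(className, ancestor)
	local current = superclassOf[className]
	for _ = 1, 64 do -- depth bound guards against a cyclic, malformed dump
		if current == nil then return false end
		if current == ancestor then return true end
		current = superclassOf[current]
	end
	return false
end

-- Wraps a constructor so only GuiObject subclasses get through (default deny).
local function makeGuardedNew(realNew)
	return function(className, parent)
		if not inheritsFrom(className, "GuiObject") then
			error("Instance.new(" .. tostring(className) .. ") is not allowed", 2)
		end
		return realNew(className, parent)
	end
end

-- Stand-in constructor so this runs outside Roblox; pass Instance.new in-game.
local guardedNew = makeGuardedNew(function(name) return { ClassName = name } end)
assert(guardedNew("TextLabel").ClassName == "TextLabel") -- indirect subclass
assert(guardedNew("Frame").ClassName == "Frame")         -- direct subclass
assert(not pcall(guardedNew, "Folder"))                  -- known, not a GuiObject
assert(not pcall(guardedNew, "NoSuchClass"))             -- unknown class
assert(not pcall(guardedNew, { "Frame" }))               -- non-string argument
```

The wrapper only gates construction by class; the `parent` argument is passed through unchecked, so where sandboxed code may place the new object still has to be restricted separately.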

Have you any idea how to improve performance in the slvmrules.AdditionalSettings.SandboxCalls function? Because when I disable it, it runs faster. But I want security.

1 Like

If disabling that gives you performance then don’t worry about security

1 Like

No I sadly cannot make it any faster.

You could however block getfenv and debug.info

1 Like

Ok no problem, your module is very nice. Back to back, my loadstring module was sht and lagging all the time, and now with your module the situation has improved!

2 Likes

Unless you made a bridge to expose Roblox API to the Luau VM created in LuauInLuau, there’s practically no need to sandbox LuauInLuau as it essentially runs code in a vanilla Luau environment. Hell you can literally further control it using the C API provided you know what you’re doing.

Additionally, as @HexadecimalLiker has said, it is practically just the vanilla Luau project compiled into WebAssembly, translated into Luau, and with extra modifications to expose a usable API and setup. The performance would be quite hampered.

The best use case you’re probably looking right now is to use the Luau compiler in LuauInLuau and combine it with Fiu.

Now looking back at this project, I really need to update it to the latest Luau so I’ll do that when I have time

@HexadecimalLiker Also, consider uploading source to GitHub (either repo or gists) to allow users with no Studio access to view the script

2 Likes

Okay, I’ll try that when I rewrite SLVM, which should be pretty soon. I’ll also try making a method to choose a module so users can use custom-made VMs, for example Fiu.

1 Like

Hi, another question: Is there a way to get the client’s code, process it on the server and then, if the SLVM module doesn’t return any errors (e.g. Instance.new is found and is blocked by SLVM), it runs normally on the client?

1 Like

You cannot do that as SLVM operates at runtime, which means if the script consists of creating a part in workspace, the part will stay there on the server until :DeleteCreatedInstances is called. You could however use SLVM on the client, however I didn’t test if it worked locally yet.

2 Likes