SecureLuaVirtualMachine - Controlled Execution Environment

KinderHSPVA · April 14, 2024, 5:41pm

You could, but then exploiters could just delete the restrictions, and mess up the entire game. (I tested SLVM locally a while ago, and yes, it works)

HexadecimalLiker · April 14, 2024, 6:54pm

Exploiters could just run code without any restriction anyway, as they use their executors which allow them to do so

KinderHSPVA · April 14, 2024, 7:10pm

wait im dumb i forgot lol sorry

icymanred · April 14, 2024, 7:51pm

not dumber then liker dw dont feel so down

matt0matics · April 27, 2024, 4:51pm

As far as I’m aware, you can add globals in the env but not set the env. (whitelist instead of a blacklist) How can I do this?

KinderHSPVA · May 24, 2024, 8:20am

~~Hi - I am having some trouble running SLVM client sided, I forgot how I did it lol.~~

Ok never mind.

Liker:

Yes, using hooks and read hooks it is possible:

-- Assuming VM is a LuaVM object
local allowedModule = ... -- whatever module
local requiredAllowedModule = require(allowedModule)

VM:ReplaceClosure(require, function(module)
    assert(module == allowedModule, "module cannot be required")

    return requiredAllowedModule
end)

VM:AddReadHook(requiredAllowedModule, function(self, Index, NormalValue)
	if type(Index) == "string" then
		--// CheckCString should not be used in non c function hooks  
		if "someFunc" == Index then --> Replace someFunc with the function's index in the module
			return NormalValue
		end
	end
	
	error("cannot use function '" .. Index .. "' from module", 2)
end)

@HexadecimalLiker, Could you please explain this in a little more detail with an example or something along the lines of that? I’m having trouble with it.

HexadecimalLiker · June 10, 2024, 9:10pm

Security Advisory

SecureLuaVirtualMachine had two important security vulnerabilities.

SecureLuaVirtualMachine had a security vulnerability that could be used to disable every AdditionalSetting , including SandboxCalls .

Alongside this change, we have also fixed an vulnerability with TFORLOOP allowing you to bypass virtualization.

Technical Details Vuln #1 (AdditionalSettings overwrite)

The first vulnerability was possible because the SLVMEnums table was accessible through the shared global, allowing malicious actors to write to the AdditionalSettings table inside SLVMEnums.

An attacker could have executed something along the lines of:

shared.SLVMEnums.AdditionalSettings.SandboxCalls = 0 --> Disable SandboxCalls
shared.SLVMEnums.AdditionalSettings.ThrottleRecursiveCalls = 0 --> Disable ThrottleRecursiveCalls
shared.SLVMEnums.AdditionalSettings.ThrottleLoopInstructions = 0 --> Disable ThrottleLoopInstructions

This was patched by making the SLVMEnums table (and all other tables within it) read-only via table.freeze.

Technical Details Vuln #2 (SandboxCalls Bypass)

The second vulnerability was possible because TFORLOOP didn’t sandbox what iterator was being called, resulting in potential malicious actors to be able to do something like this:

local func do
    for f in debug.info, 2, "f" do --// Calls debug info without sandboxing (callstack exposed)
        func = f
        break --// Break to avoid error
    end
end

warn(debug.info(func, "slnaf")) --// Would return the actual function instead of generic ``pcall`` (indicating call was sandboxed)

This was patched by making TFORLOOP’s iterator function called through isolate_call_synchronous.

Please update ASAP: Secure Lua Virtual Machine.

Additionally I’d like to point out that you cannot bypass AFAIK the Blocked Globals and Hooks. So forbidden services would STILL be blocked. You normally aren’t vulnerable to being bypassable regarding the Blocked Globals and Hooks if you have set up SLVM correctly.

On another note, SLVM V2 will be coming soon. It will be safer, faster and easier to integrate.
Big thanks to @CodedJer and @Unlimited_Objects for testing.

I now finally get to sleep.

CodedJer · June 10, 2024, 9:11pm

I cannot emphasize how important it is to update, please update immediately, as soon as you can!

Coasterteam · June 27, 2024, 6:58pm

Anyway to put this resource on an external site like GitHub? Roblox has this resource private on the catalog and am unable to access it. Thanks!

CodedJer · June 29, 2024, 3:30am

Seems like the asset was unfairly removed removed from the catalog

@HexadecimalLiker has just appealed this, thanks for letting us know

HexadecimalLiker · June 29, 2024, 12:07pm

The Roblox moderation team still doesn’t want to put back the model onsale. I will upload the SLVM rbxm file to github and link it there.

They took one single minute to review my report, which makes me feel like it was completely ignored.

EDIT: Here is the github link GitHub - AstonishedLiker/SLVM

Time_Director · July 16, 2024, 4:04am

Any Update?
Great resource but I’d personally like to know if it can be used in production without going against TOS

HexadecimalLiker · August 28, 2024, 1:17am

Sorry for the very late reply. No, SLVM doesn’t break ToS, it just appears that SLVM simply goes against Roblox’s Creator Store policies, besides being totally safe.

Keyword: “LuaVMs”

JohnathanGarner · August 31, 2024, 5:06am

anyway i can use requires but still keep sandbox?

HexadecimalLiker · August 31, 2024, 2:28pm

No, you can’t, as it is out of the VM scope.

DukeAunarky · October 8, 2024, 10:52pm

Hi! I’ve been really confused about completely banning instances from being accessed, returned, and possibly just not being accessed outright because the current Rule system seems specific for only certain commands! How could I aim to completely ban instances? My use-case would be to make a custom wrapper API that handles the work so the users would call our predefined global tables and functions.