Friday, July 24, 2009

Lua, Javascript, and the Object Capability Model

I had mentioned Lua to Mark S. Miller in a private email message, and he asked me how similar it was to Javascript. I thought I'd turn the reply into a blog post along with a short discussion of the Object-Capability Model as it relates to Lua.

Let's run off a quick comparison with Javascript first. Similarities in both: imperative, dynamic typing, run-time eval, first class functions, inner functions, closures, variadic functions, exceptions and exception handling.

Differences. Well, first off, Lua isn't an object-oriented language. However, you can implement OO programming with tables and meta-tables in Lua, so that is similar to Javascript's associative arrays which are used to implement objects. Notably though, it is possible to implement single-inheritance, multiple inheritance, and information hiding.

Of great concern to the obj-cap community is how well you can lock down the programming language. Meaning that a particular piece of code only has access to the information and procedures that it really needs to do its job, and nothing further. This is related to the Principal of Least Authority.

I think this is an area where Lua really shines. It is easy enough to execute a function in a restricted environment. So you can just take all the "dangerous" modules out of the function's global environment, and leave nothing, or put in place safe versions of things like 'print()'. Everything you use, from importing libraries to IO to C interfaces are accessed via functions in the global environment.

Restricting execution time is also possible. For some game AI, I am exploring the use of the Lua Debug Interface. So you can set a limit on the number of bytecodes a Lua routine uses. There is some question as to whether this works properly with continuations. But even if it doesn't right now, it should be possible to fix that. I don't know if there are any explicit hooks to control the memory allocation at the level of functions, though you can restrict the amount of memory used at the thread level.

So I haven't done a full analysis, but there does seem to be the potential to use Lua for object-capability security without any changes to the core language. It all depends on how you initialize it.

Edit: Some discussion of all this is going on over on the cap-talk mailing list.

Edit 2: There seems to be some consensus that the o-cap model will probably work in Lua, with appropriate taming of the standard library. I think it is pretty neat that the core language seems to provide all we need to implement o-cap security without any drastic changes.

No comments: