Hi there! I’m doing some research about running untrusted C# code in a sandbox. I’ve hit some roadblocks, and I’m hoping someone here could point me in the right direction.
I’m building a game that builds upon user code. You should be able to download code from other creators and run it on your machine, without risk of bad things happening to your computer. I need to make sure there’s no file operations, no network communication, etc. It’s been done many times before, but usually you see devs using Lua or some own script language for this. I prefer C# for a lot of reasons, so I’m trying to find a solution for using it safely.
I took a look at Unity (http://unity3d.com/). They use C# for scripting. For web applications, I think they made a stripped version of Mono that excludes any functionality that could let you mess with the user’s computer. I’m trying to get exactly that, but with CoreCLR as base instead. Does this seem like a reasonable approach?
Also, is it possible to sandbox code somehow in CoreCLR? AppDomains seems to be missing so I’m not sure how you’d do it.
For anyone curious, here’s my setup so far, using the desktop CLR:
- Process A:
- Application: Main game application. Handles rendering, playing sounds, etc.
- Process B:
- Host: Builds the mod using Roslyn, then executes it in a sandboxed AppDomain. Mod talks to Host, then Host communicates with Application (and reverse for user input).
- Mod: Untrusted code. Has access to an API for drawing, playing sounds, sampling input, etc, but not allowed to do file operations or anything else dangerous.
I’m running the mod on a separate process so the user code cannot shut down the main process by a stack overflow. It’s okay that they can crash the mod/host process, as long as the main application lives.
My problems with this approach, and why I’m thinking about a switch from the desktop CLR to CoreCLR:
- Sandbox: Unsure if the sandbox is good enough. I get the vibes from the warning at the top of https://msdn.microsoft.com/en-us/library/bb763046(v=vs.110).aspx that I cannot trust the sandbox completely. Not sure if this is any different on CoreCLR, but at least I’d have the means to look under the hood.
- Stability: I want to be very sure that the user can use my program without trouble, even if there are big future changes in the desktop CLR. I also want to be completely sure that any such future changes won’t poke holes through my sandbox. Bundling a fixed version of the CLR seems like a good idea.
- Portability: This solution runs on windows, but AFAIK there’s no working sandbox in Mono. I really would like multiplatform support.