Suppose we have a Rust server and we want to run untrusted, user-written scripts, and per script, allow:
- N cpu cycles / second,
- 10MB memory total,
- no syscalls, only a list of function ptrs we approve.
One way to do this is to use wasm -- and force them to either write raw wasm or produce their own compiled wasm.
Are there any more friendly routes? (For example, is it easy to do a "locked down" JS with V8 or Deno?)
Server is x86_64. We have full control of server. User input is untrusted and likely malicious (trolls).
I think a few services use firecracker for that kind of thing. I think the rust playground uses that or something similar.
For something that lets you limit things like the number of instructions executed, accessible memory, or ways the code can interact with the outside world, I'd say WebAssembly is your best bet. You've already got control over things like the linear memory size and the concept of gas. The only way for your WebAssembly to interact with the outside world is via host functions, and most WASI implementations provide ways to specify what is accessible (e.g. only certain directories).
You don't say anything about the scripting language needed, but if your case allows you to nail that down, then you could always compile to wasm for them.
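The three controls this reply describes (gas, a bound on memory, and host functions as the only exit from the sandbox) are easy to see in miniature. The following is an added example, not code from the thread or from any wasm runtime: a tiny interpreter for a constructed toy bytecode in plain Rust with no external crates. The `Op` instruction set, the `Sandbox` type and the `double` host function are all invented for the illustration; the limits (a fuel budget and a 10 MB memory cap) are the ones from the question.

```rust
use std::collections::HashMap;

/// One instruction of a constructed toy bytecode (not WebAssembly).
#[derive(Clone, Copy, Debug)]
enum Op {
    Push(i64),
    Add,
    Grow(usize),            // claim n more bytes of scratch memory
    HostCall(&'static str), // call a host function with the stack top as argument
    Jump(usize),            // unconditional jump, so a hostile script can loop forever
    Halt,
}

/// Why the sandbox stopped a script; each maps to one of the three limits.
#[derive(Debug, PartialEq)]
enum Trap {
    OutOfFuel,
    MemoryLimit,
    ForbiddenHost(String),
    StackUnderflow,
}

struct Sandbox {
    fuel: u64,         // instruction budget ("gas"); the caller refills it each second
    memory_cap: usize, // hard cap on bytes a script may claim
    memory_used: usize,
    hosts: HashMap<&'static str, fn(i64) -> i64>, // the only way out of the sandbox
}

impl Sandbox {
    fn new(fuel: u64, memory_cap: usize) -> Self {
        Sandbox { fuel, memory_cap, memory_used: 0, hosts: HashMap::new() }
    }
    /// Expose one approved function; anything not registered is unreachable.
    fn allow(&mut self, name: &'static str, f: fn(i64) -> i64) { self.hosts.insert(name, f); }

    fn run(&mut self, program: &[Op]) -> Result<i64, Trap> {
        let mut stack: Vec<i64> = Vec::new();
        let mut pc = 0usize;
        loop {
            // Charge one fuel unit per instruction *before* executing it, so a
            // loop with no exit still terminates once the budget is spent.
            if self.fuel == 0 { return Err(Trap::OutOfFuel); }
            self.fuel -= 1;
            // Running off the end of the program behaves like Halt.
            let op = match program.get(pc) { Some(op) => *op, None => return Ok(stack.pop().unwrap_or(0)) };
            pc += 1;
            match op {
                Op::Push(v) => stack.push(v),
                Op::Add => {
                    let b = stack.pop().ok_or(Trap::StackUnderflow)?;
                    let a = stack.pop().ok_or(Trap::StackUnderflow)?;
                    stack.push(a.wrapping_add(b));
                }
                Op::Grow(n) => {
                    // checked_add: an absurd request must not wrap around the cap
                    let next = self.memory_used.checked_add(n).ok_or(Trap::MemoryLimit)?;
                    if next > self.memory_cap { return Err(Trap::MemoryLimit); }
                    self.memory_used = next;
                }
                Op::HostCall(name) => {
                    let f = *self.hosts.get(name).ok_or_else(|| Trap::ForbiddenHost(name.to_string()))?;
                    let arg = stack.pop().ok_or(Trap::StackUnderflow)?;
                    stack.push(f(arg));
                }
                Op::Jump(target) => pc = target,
                Op::Halt => return Ok(stack.pop().unwrap_or(0)),
            }
        }
    }
}

const MB: usize = 1024 * 1024;

fn double(x: i64) -> i64 { x.wrapping_mul(2) } // the one host function we approve

/// Per-script limits from the question: a fuel budget and 10 MB of memory.
fn fresh_sandbox() -> Sandbox {
    let mut sb = Sandbox::new(1_000, 10 * MB);
    sb.allow("double", double);
    sb
}

/// Well-behaved script: (20 + 1) * 2 -> Ok(42).
fn run_well_behaved() -> Result<i64, Trap> {
    fresh_sandbox().run(&[Op::Push(20), Op::Push(1), Op::Add, Op::HostCall("double"), Op::Halt])
}
/// `loop {}` is cut off by the fuel budget -> Err(OutOfFuel).
fn run_infinite_loop() -> Result<i64, Trap> {
    fresh_sandbox().run(&[Op::Jump(0)])
}
/// Claiming 16 MB against a 10 MB cap traps on the second Grow -> Err(MemoryLimit).
fn run_memory_hog() -> Result<i64, Trap> {
    fresh_sandbox().run(&[Op::Grow(8 * MB), Op::Grow(8 * MB), Op::Halt])
}
/// An unregistered host function cannot be called at all -> Err(ForbiddenHost).
fn run_forbidden_call() -> Result<i64, Trap> {
    fresh_sandbox().run(&[Op::Push(1), Op::HostCall("spawn_process"), Op::Halt])
}

fn main() {
    for r in [run_well_behaved(), run_infinite_loop(), run_memory_hog(), run_forbidden_call()] {
        println!("{:?}", r);
    }
}
```

Two points the toy makes that carry over to a real runtime. First, "N cpu cycles / second" is really a fuel budget topped up on a timer: fuel counts instructions, not cycles, and it does not cover time spent inside your own host functions, so each approved function should be cheap and bounded, and the whole thing should still sit behind a wall-clock timeout. Second, the host-function table is the entire attack surface: a script that is not given a function cannot call it, so the review effort goes into the few functions you register. To my recollection (not something the thread states), wasmtime exposes the same three knobs directly: fuel metering via `Config::consume_fuel` and `Store::set_fuel`, linear-memory caps via `StoreLimitsBuilder`, and a `Linker` on which only the functions you register become importable.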
You can do it with V8 isolates, though you sometimes need to add process boundaries. It's way beyond my security knowledge, but there's a bit of discussion on that here: Ask HN: Pros and cons of V8 isolates? | Hacker News
You can do an awful lot with firecracker in terms of locking down syscalls, setting limits, etc., from what I've read. It's how fly.io does their isolation.