Ferenc Deak

Reputation: 35418

Running plugins in a sandbox

I am designing a system in C/C++ which is extensible with all sorts of plugins. There is a well-defined C public API which mostly works with (const) char* and other pointer types. The plugins are compiled into .so or .dll files, and the main application loads them upon startup, and later unloads or reloads them upon request.

The plugins might come in from various sources, trustable or not so :)

Now, I would like to make sure that if one plugin does something stupid (such as trying to free memory which it was not supposed to free), this action does not bring down the entire system, but merely notifies the main system about the misbehaving plugin so that it can remove it from the queue.

The code calls are being done in the following manner:

const char* data = get_my_data();
for (int i = 0; i < num_plugins; i++)   /* plugins[]: the loaded plugin handles */
{
   plugins[i]->execute(data);
}

but if plugins[0] frees "by accident" the data string, or overwrites it, or by mistake jumps to address 0x0, this would bring down the entire system, and I don't want this. How can I avoid this kind of catastrophe? (I know, I can duplicate the data string ... this does not solve my problem :) )

Upvotes: 8

Views: 1154

Answers (3)

Arno Duvenhage

Reputation: 1960

Have a look at http://msdn.microsoft.com/en-us/library/1deeycx5(v=vs.90).aspx

I use /EHa in one of my projects to help me catch exceptions from libraries that do stupid things. If you compile your code with this setting, a normal try/catch block will catch exceptions like divide by zero, etc.

Not sure if there is some equivalent for this on Linux -- please let me know if there is.

Upvotes: 0

kassak

Reputation: 4184

Make a wrapper process for the plugin and communicate with that wrapper through IPC. In case of plugin failure, your main process would be untouched.

Upvotes: 13
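The process-per-plugin approach from this answer, as an added example that is not part of the original question or answers: the host forks a child for each plugin call, the plugin runs only in the child, its result comes back over a pipe, and the parent learns from waitpid() whether the plugin finished, failed, or was killed by a signal. The plugin signature (`execute(data, out, outlen)`), the two sample plugins and the input string are constructed for this illustration; the "bad" plugin deliberately writes to address 0x0, the case from the question, and the host keeps running.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical plugin entry point, modelled on the question's execute(data).
 * Returns 0 on success and writes a NUL-terminated result into out. */
typedef int (*plugin_execute_fn)(const char *data, char *out, size_t outlen);

enum plugin_result {
    PLUGIN_HOST_ERROR = -1,   /* pipe/fork/wait failed in the host itself */
    PLUGIN_OK = 0,            /* plugin returned 0 and exited cleanly */
    PLUGIN_FAILED = 1,        /* plugin returned non-zero (or exited non-zero) */
    PLUGIN_CRASHED = 2        /* plugin was killed by a signal (SIGSEGV, SIGILL, ...) */
};

/* Run one plugin call in a forked child. The child gets a private copy of the
 * address space, so anything it frees, overwrites or dereferences cannot
 * damage the parent. Output is copied back through a pipe; *signo receives
 * the terminating signal when the result is PLUGIN_CRASHED. */
int run_plugin_isolated(plugin_execute_fn fn, const char *data,
                        char *out, size_t outlen, int *signo)
{
    int fds[2];
    if (pipe(fds) != 0)
        return PLUGIN_HOST_ERROR;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return PLUGIN_HOST_ERROR;
    }

    if (pid == 0) {                      /* child: run the untrusted code here */
        close(fds[0]);
        char buf[256] = {0};
        int rc = fn(data, buf, sizeof buf);
        if (rc == 0)
            (void)write(fds[1], buf, strlen(buf));
        _exit(rc == 0 ? 0 : 1);
    }

    /* parent: drain the pipe first so a chatty plugin cannot block, then reap */
    close(fds[1]);
    size_t got = 0;
    if (out && outlen > 0) {
        ssize_t n;
        while (got < outlen - 1 &&
               (n = read(fds[0], out + got, outlen - 1 - got)) > 0)
            got += (size_t)n;
        out[got] = '\0';
    }
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PLUGIN_HOST_ERROR;
    if (WIFSIGNALED(status)) {
        if (signo)
            *signo = WTERMSIG(status);
        return PLUGIN_CRASHED;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PLUGIN_OK;
    return PLUGIN_FAILED;
}

/* Constructed well-behaved plugin: upper-cases its input. */
int good_plugin(const char *data, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && data[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)data[i]);
    out[i] = '\0';
    return 0;
}

/* Constructed misbehaving plugin: writes to address 0x0, which in a
 * single-process host would take down the whole application. */
int bad_plugin(const char *data, char *out, size_t outlen)
{
    (void)data; (void)out; (void)outlen;
    *(volatile char *)0 = 'x';
    return 0;
}

int main(void)
{
    plugin_execute_fn plugins[] = { good_plugin, bad_plugin, good_plugin };
    int num_plugins = 3;
    const char *data = "hello plugin";    /* constructed sample input */

    for (int i = 0; i < num_plugins; i++) {
        char out[256];
        int sig = 0;
        int r = run_plugin_isolated(plugins[i], data, out, sizeof out, &sig);
        if (r == PLUGIN_OK)
            printf("plugin %d ok: %s\n", i, out);
        else if (r == PLUGIN_CRASHED)
            printf("plugin %d crashed with signal %d; host still running\n", i, sig);
        else
            printf("plugin %d failed (%d)\n", i, r);
    }
    return 0;
}
```

The host never lets plugin memory touch its own: `data` is copied into the child by fork() and the only thing that crosses back is the bytes read from the pipe, so even a plugin that frees or scribbles over `data` affects nothing but its own short-lived process. A real deployment would keep a long-running worker per plugin instead of forking per call, and would add a timeout around waitpid() so a hung plugin can be killed as well as a crashed one.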

Arne Mertz

Reputation: 24606

Simply put, you can't do that in the same process. If your plugins are written in C or C++, they can contain numerous sources of undefined behavior, meaning sources of undetectable, unavoidable crashes. So you should either launch the plugins in their own processes like kassak suggested and let them crash if they want to, or use another language for your plugins, e.g. some interpreted scripting language like Lua.

Upvotes: 0
