How to stop


Today we use Lua to let 3rd party developers add driver-like modules to our application.

The advantages to using Lua compared to DLLs etc. are that:

1) the same driver binary can be used on all OSes and processor architectures etc.

2) We can provide a small API to the Lua drivers and they _cannot_ call any other external functions.

3) A buggy driver cannot crash our application. (Almost true statement.)

I'm looking into using LLVM and the bitcode format for this instead. The additional, very important advantages are:

4) 3rd parties can port existing (huge amounts of) C / C++ code much more easily - no need to rewrite all code in Lua.

5) Performance. We will use the LLVM JIT.

Problem: I can't figure out how to do (2) with the LLVM JIT.

It is very important that the driver does not have access to any other function in the application except those I provide. It's not OK for our application to abort if a driver calls an undefined function - I want to just disable _that driver_ in that event.

I can use DisableSymbolSearching() but that causes the application to abort for unknown symbols.

Please advise!
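One defensive way to get point (2) without letting the JIT abort the host is to audit the module before it ever reaches symbol resolution: every external function a bitcode module can call must appear as a declaration in the module, so the set of declared-but-undefined symbols can be compared against the host API allowlist and the driver refused (not the application aborted) if anything else is referenced. The following is an added example, not code from this thread or from LLVM; it works on textual IR rather than the C++ `Module` API so it runs stand-alone, and the module text, the `host_*` API names and the `audit_driver` helper are all constructed for illustration.

```python
import re

# Constructed sample: textual LLVM IR for a hypothetical driver module.
# The JIT would see the bitcode equivalent; any external function the
# module calls must appear as a `declare` line, which is what we audit.
SAMPLE_DRIVER_IR = """\
; ModuleID = 'driver_example'
@host_version = external global i32
declare i32 @host_read_register(i32)
declare void @host_log(i8*)
declare i32 @system(i8*)
declare void @llvm.memcpy.p0i8.p0i8.i64(i8*, i8*, i64, i1)

define i32 @driver_init() {
entry:
  %v = call i32 @host_read_register(i32 0)
  ret i32 %v
}
"""

# The only symbols the application exposes to drivers (hypothetical names).
HOST_API = {"host_read_register", "host_write_register", "host_log", "host_version"}

# Intrinsics the JIT may lower into libc calls (memcpy & co.). They never look like
# host API but are resolved at link time, so they need an explicit allowlist too.
ALLOWED_INTRINSIC_PREFIXES = ("llvm.memcpy", "llvm.memset", "llvm.memmove")

SYMBOL = r"@([A-Za-z0-9_.$]+)"
DECLARE_RE = re.compile(r"^\s*declare\b.*?" + SYMBOL + r"\s*\(", re.MULTILINE)
DEFINE_RE = re.compile(r"^\s*define\b.*?" + SYMBOL + r"\s*\(", re.MULTILINE)
EXTERNAL_GLOBAL_RE = re.compile(r"^\s*" + SYMBOL + r"\s*=\s*external\b", re.MULTILINE)


def external_symbols(ir_text):
    """Return the set of functions and globals the module references but does not define."""
    declared = set(DECLARE_RE.findall(ir_text)) | set(EXTERNAL_GLOBAL_RE.findall(ir_text))
    defined = set(DEFINE_RE.findall(ir_text))
    return declared - defined


def audit_driver(ir_text, host_api=HOST_API):
    """Return (ok, violations). ok is False when any external symbol is outside the
    host API or the intrinsic allowlist; the caller disables that driver instead of
    handing the module to the JIT."""
    violations = []
    for sym in sorted(external_symbols(ir_text)):
        if sym in host_api:
            continue
        if sym.startswith("llvm.") and sym.startswith(ALLOWED_INTRINSIC_PREFIXES):
            continue
        violations.append(sym)
    return (not violations, violations)


if __name__ == "__main__":
    ok, bad = audit_driver(SAMPLE_DRIVER_IR)
    print("driver accepted" if ok else "driver rejected, forbidden symbols: %s" % bad)
```

With the LLVM C++ API the same pass iterates the module's function list and picks out those for which `isDeclaration()` is true (plus external global variables), compares their names against the allowlist, and only then hands the module to the execution engine. The audit runs before any symbol lookup, so an unknown symbol is reported as a rejected driver rather than triggering the engine's abort path; note that intrinsics lowered to libc calls have to be accounted for separately, as in the example.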


There are 3 parts to what you are looking for, I think:

1) Isolating the driver from your application so that it cannot crash your app;

2) Preventing the driver from calling prohibited functions; and

3) Being able to use the same driver binary on all(?) OSes and processor architectures.

LLVM itself cannot give you #3: you need to put many restrictions on the source program (e.g., limiting system headers; limiting pointer-integer conversions, etc.) to achieve that.

SAFECode (our project) gives you #1 and #2 if you can recompile the driver code along with the application. If you're willing to add some restrictions, you might be able to get those benefits compiling the driver alone but I'd have to think about it.

Associate Professor, Computer Science
University of Illinois at Urbana-Champaign