Method whitelisting
Posted: Sun Jan 11, 2009 4:18 pm
The legacy script engine, AI system and shader uniform bindings are all implemented by letting plists call Objective-C methods directly. This is very convenient to implement, but has two major problems:
Whitelisting is now implemented for AIs in the trunk. Initially, it just prints a warning for unknown methods, in order to help find all the methods actually used by AIs. The warning will look like this in 1.73:
Posting reports to this thread is an acceptable alternative to mailing a report. From 1.74, bad selectors will be ignored in accordance with the threat.
I intend to implement similar systems for scripts and uniform bindings before 1.73. Scripts are a bit tricky because of the various loose script conditions found in plists, but it’s not an insurmountable problem. Shaders are easier.
Whitelist violations will probably also be reported by the OXP verifier in 1.73.
The whitelist processing has some fringe benefits: first, it allows simple renaming of methods with backwards compatibility. (Previously, we'd have to add a wrapper method, which added bloat.) See ai_method_aliases at the bottom of whitelist.plist. Second, it makes it easy to convert AIs to a slightly more efficient internal representation.
- It’s insecure. Although not every Objective-C method can be called through this mechanism, it’s impossible to guarantee that nothing dangerous can be done. It’s definitely possible to crash the game by calling unexpected methods.
- It paves the way for bugs. Because there’s no clear distinction between script/AI methods and private methods, any change in Oolite can potentially cause scripts or AIs to stop working. I know of several cases where this has happened already. There are probably several we haven’t noticed.
Whitelisting is now implemented for AIs in the trunk. Initially, it just prints a warning for unknown methods, in order to help find all the methods actually used by AIs. The warning will look like this in 1.73:
Code: Select all
[ai.unpermittedMethod] Handler "UPDATE" for state "GLOBAL" in AI "badAI.plist" uses "naughtyMethod:", which is not a permitted AI method. In a future version of Oolite, this method will be removed from the handler. If you believe the handler should be a permitted method, please report it to <e-mail address redacted>.
I intend to implement similar systems for scripts and uniform bindings before 1.73. Scripts are a bit tricky because of the various loose script conditions found in plists, but it’s not an insurmountable problem. Shaders are easier.
Whitelist violations will probably also be reported by the OXP verifier in 1.73.
The whitelist processing has some fringe benefits: first, it allows simple renaming of methods with backwards compatibility. (Previously, we'd have to add a wrapper method, which added bloat.) See ai_method_aliases at the bottom of whitelist.plist. Second, it makes it easy to convert AIs to a slightly more efficient internal representation.