C#脚本和安全性
[英]C# Scripting and Security
问题描述
In my game (that is also written in C#) I want to include some kind of customization support. 
在我的游戏中(也用C#编写)我希望包含某种自定义支持。 Speed is a great concern as I plan to offload major parts of the gameplay to scripts. 速度是一个很大的问题因为我打算将游戏的主要部分卸载到脚本中。 As a result I choose to use C# for scripting ingame events and stuff. 因此,我选择使用C#来编写游戏事件和内容的脚本。 Users should also be able to write scripts and addons for the game in C#. 用户还应该能够在C#中为游戏编写脚本和插件。 (I know that C# is NOT a scripting language btw.) (我知道C#不是一种脚本语言。)
I will provide the users with a (static) class that contains all the functions needed to interact with the game. 我将为用户提供一个(静态)类,其中包含与游戏交互所需的所有功能。 The users will also be able to provide the code as source (the game will compile it in that case). 用户还可以提供代码作为源代码(在这种情况下游戏将编译它)。 Compiled user "scripts" can / will also be transmitted to other players in some cases. 在某些情况下, 编译的用户“脚本”也可以/将被传输给其他玩家。 For example a user can build in scripted traps in his home or whatever. 例如,用户可以在他的家中或其他任何地方构建脚本陷阱。
Here are my questions: 这是我的问题:
Security
安全 How can I ensure that the provided code is forced to ONLY call stuff of the provided API (class) ?
如何确保所提供的代码仅被强制调用所提供的API(类)的内容? To prevent cheating with scripts, malicious activities... 为了防止欺骗脚本,恶意活动...... Is there a way to maybe run the compiled code(s) in a sort of VM or low-trust environment ??
有没有办法在某种VM或低信任环境中运行已编译的代码? Speed
速度 Will this approach be fast enough ?
这种方法会足够快吗? (Calling functions from up to 100 custom assemblys every or every second frame). (每隔一帧或每隔一帧调用多达100个自定义程序集的功能)。 Any tips on this? 关于这个的任何提示? Maybe it's possible to get a speed advantage by compiling all user content into one big assembly or whatever ??
也许通过将所有用户内容编译成一个大型组件或其他任何东西来获得速度优势? Size
尺寸 How can I make the compiled code small in size (besides compressing it) ?
如何使编译后的代码变小(除了压缩它)? Because players might need to download tens of scripts... 因为玩家可能需要下载数十个脚本...... Is there a way to strip stuff that isn't absolute necessary ?
有没有办法去除不是绝对必要的东西? Like debug information or classnames and the likes... 像调试信息或类名等...
Runtime compilation is fairly new to me (That's why I ask here). 运行时编译对我来说是相当新的(这就是我在这里问的原因)。 So it would be nice to have some major beginner mistakes and / or security concerns pointed out. 因此,指出一些重大的初学者错误和/或安全问题会很好。
Edit: 编辑:
Just for clarification: A user plugin/script or whatever you would like to call it will be a class (also written in C#) that has to implement specific functions like "GetAddonInfo", "Init", "Update" ... Just like a normal C# class that is derived from my abstract "Addon" class. 只是为了澄清:用户插件/脚本或任何你想要调用它的类将是一个类(也用C#编写),它必须实现特定的功能,如“GetAddonInfo”,“Init”,“Update”...就像一个普通的C#类,派生自我的抽象“Addon”类。
2 个解决方案
解决方案1
5 已采纳 2011-08-22 02:13:54
You want to take a look at this rework of an old Microsoft example project 您想看一下旧的Microsoft示例项目的这种返工
http://terrarium2.codeplex.com/ http://terrarium2.codeplex.com/
It basically does everything you want. 它基本上做你想要的一切。
Compiles code into DLLs and runs them in the environemnt 将代码编译为DLL并在environemnt中运行它们
Checks for allowed API calls. 检查允许的API调用。
etc. 等等
Version 2 was re-written to make use of web services and a number of other features. 重写了第2版以利用Web服务和许多其他功能。 From your question it sounds like you might be more interested in Terrarium 1. However, I can't seem to track it down so you may have to "settle" for the more complicated 2.0 release. 从您的问题来看,您可能对Terrarium 1更感兴趣。但是,我似乎无法追踪它,因此您可能必须“解决”更复杂的2.0版本。
解决方案2
3 2011-08-22 02:57:20
Look into MEF and MAF -- they are both frameworks designed to add C# and VB scripting to existing applications. 查看MEF和MAF - 它们都是旨在将C#和VB脚本添加到现有应用程序的框架。 You can create an appdomain for your scripts and then use code access security to severely restrict what those scripts can do. 您可以为脚本创建appdomain,然后使用代码访问安全性严格限制这些脚本可以执行的操作。
This question might help. 这个问题可能有所帮助
Choosing between MEF and MAF (System.AddIn) 在MEF和MAF之间选择(System.AddIn)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.