Is there a hardening guide for Luau?

[Ono-Sendai]

Hi all,
Soon I will be deploying some code to execute Luau scripts on my metaverse server. Since the scripts will be user-created (e.g. untrusted), I would like the sandboxing to be as effective as possible.
Is there a guide for this somewhere?
So far I have done:

• calling lua_newstate and luaL_sandbox on scripts. (https://github.com/glaretechnologies/glare-core/blob/533531267d2b3bfac955993964355d3e4eef41a9/lua/LuaVM.cpp#L147)

• Limited memory use by supplying a custom memory allocator (https://github.com/glaretechnologies/glare-core/blob/533531267d2b3bfac955993964355d3e4eef41a9/lua/LuaVM.cpp#L19)

• Limiting script execution CPU time by counting interrupts and throwing an exception if some threshold is exceeded. (https://github.com/glaretechnologies/glare-core/blob/533531267d2b3bfac955993964355d3e4eef41a9/lua/LuaVM.cpp#L62)

Is there anything else I need to do?
What about freezing or protecting metatables?

[HaroldCindy]

Freezing metatables is sensible.

You might prefer using a lightweight timer (something like rdtsc on x86) over interrupt numbers to make sure that expensive C calls still count towards the script limits as much as they should, rather than just counting as a single interrupt.

I don't recall the specifics, but I believe there's also a way to throw a lua memory error on alloc failures so that it can be caught in a pcall() and handled by user code, and I'm not sure that throwing a C++ exception would allow you to do the same.

Do you have a luaL_sandboxthread() call in addition to luaL_sandbox()? That's what gives you a mutable layer over the "real" globals table so user code can still set their own globals / shadow globals within their own code.

[Ono-Sendai]

Hi Harold,
The problem with a timer is that it's non-deterministic, so some scripts will randomly exceed the execution time limit if there happen to be context switches etc. I would strongly prefer a deterministic solution.

I'm not currently worried about user Lua code being able to handle out of memory errors.

Yes I do call luaL_sandboxthread.

Can you explain why freezing metatables is a good idea?