Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
RuffVM is a light-weight VM environment designed for DApps(Decentralized applications). It provides secure, isolated execution environment as well as resource control (e.g Memory and CPU) for Dapps. It lowers the barrier of Blockchain application development by significant amount via JavaScript based abstraction (But not limited to JS).
RuffVM's build-in,plug-in mechanism allows developers to customize DApp runtime depends on their need, these modules will be completely independent to a public chain base and will be compatible with any Blockchain platforms(e.g EOS,Ethereum,ruffchain).
RuffVM integration for node.js, aim to provide usable, secure sandbox in order to run untrusted javascript code in nodejs, Resource control abilities supported in this version (e.g. cpu time and memory). RuffVM leverage jerryscript(a lightweight JavaScript engine) as javascript runtime, it is isolated with Node V8 engine naturally. Refer some idea from duktape.node.
Currently enabled build on Macos & Linux with C++1y support
build
git clone --recurse-submodules https://github.com/ruffchain/RuffVM.git
cd RuffVM
npm install
build manually
node-gyp configure
node-gyp build
npm run test
bridge
code
<string> code to compile and evaluate in VMuserCode
<string> script to run in VM after code
options
cpuCount
<number> cpu count to limitmemSizeKB
<number> memory size in KBsandbox
<Object> will be the global object in vmresolve
return value from scriptreject
error status (boolean)code
<string> code to compile and evaluate in VMExample
Host return no Promised
value to VM
const assert = require('assert')
const { createScript } = require('ruffvm')
const code = `
function helloFun(parameterString) {
var buf = new Uint8Array(20)
buf[0] = 1
buf[1] = 2
return hello(buf.buffer)
}`
let isTriggered = false
const sandbox = {
hello: function(resolve, param) {
isTriggered = true
const u8 = new Uint8Array(param, 0, param.byteLength)
assert(u8.length === 20)
assert((u8[0] = 1 && u8[1] === 2))
return true
}
}
;(async () => {
const res = await createScript(code)
.setUserCode(`helloFun("ruffVM")`)
.setSandbox(sandbox)
.setOption({ cpuCount: 1, memSizeKB: 200 })
.runAsync()
assert(isTriggered)
assert(res === true)
})()
Host return Resolved Promised
value to VM
const assert = require('assert')
const vm = require('ruffvm')
function bufferToArrayBuffer(b ){
return b.buffer.slice(b.byteOffset, b.byteOffset + b.byteLength);
}
const code = `
function helloFun(parameterString) {
var buf = new Uint8Array(20)
buf[0] = 1
buf[1] = 2
return hello(buf.buffer)
}`
const sandbox = {
hello: function(vmResolve, name) {
return new Promise(function(resolve) {
let ab1 = bufferToArrayBuffer(Buffer.from('this is hostapi test'))
const u8 = new Uint8Array(ab1, 0, ab1.byteLength)
setTimeout(() => {
vmResolve(u8) // send resolved value to VM
resolve()
}, 20)
})
}
}
;(async () => {
const res = await createScript(code)
.setUserCode(`helloFun("ruffVM")`)
.setSandbox(sandbox)
.setOption({ cpuCount: 1, memSizeKB: 200 })
.runAsync()
const expectBuffer = bufferToArrayBuffer(Buffer.from('this is hostapi test'))
const expectU8 = new Uint8Array(expectBuffer, 0, expectBuffer.byteLength)
const resU8 = new Uint8Array(res, 0, res.byteLength)
assert.deepStrictEqual(resU8, expectU8)
})()
For more example please refer to test/basic.test.js
ruffchain
use ruffvm as its smart contract execute engine, provide the ability for user develop their smart contract by JavaScript.
Following code will escape node vm sandbox
and do exit on host
const vm = require('vm');
vm.runInNewContext('this.constructor.constructor("return process")().exit()');
console.log('Never gets executed.');
ruffvm-node support set limit on CPU and Memory comparing to duktape.node
XS
JavaScript EngineDoes not support multiple instance of vm run simultaneously. Communication between VM and Host is not optimized for heavily usage scenario.
FAQs
Ruff VM
The npm package ruff-vm receives a total of 0 weekly downloads. As such, ruff-vm popularity was classified as not popular.
We found that ruff-vm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
Security News
A Stanford study reveals 9.5% of engineers contribute almost nothing, costing tech $90B annually, with remote work fueling the rise of "ghost engineers."
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.