
Securely sharing Mun Libraries

Open Wodann opened this issue 5 years ago • 0 comments

The Mun Runtime's ability to securely plug-n-play Mun Libraries at runtime can be used for more than just hot reloading. It also makes it a good candidate for modding systems in games, or similar extensible systems in other domains.

Even though the Mun Runtime can give runtime-linking guarantees, a malicious entity could provide a Mun Library that executes any machine code. As such, we'll need to provide a way of verifying that a Mun Library can be trusted.

Possible options are:

[Option 1] Signing Mun Libraries

An online binary repository contains audited (and consequently signed) versions of Mun libraries. When runtime linking a Mun Library, the Mun Runtime verifies that the library is signed and wasn't modified.

This is a tried and tested method that is also used for other software and drivers. A downside of this approach is that some workload is required for the auditor of the binary repository.

[Option 2] Locally compiling Mun source

An interpreted language can guarantee safety by restricting execution to the available byte code. As Mun is compiled ahead of time, we cannot do so at runtime. However, we can provide "security checks" at compile time by limiting the machine code that Mun can generate. Thus, if we compile Mun source on a local machine, the consequent Mun Library is guaranteed to only contain Mun-authorised function logic. (This model is similar to how cargo dependencies work.)

Note that it is still possible to add external functions, as the Mun Runtime allows the end user to insert extern "C" functions. This is, however, fully within the end user's control.

[Option 3] ???

Please let us know if you have other ideas on how to securely share Mun Libraries between publishers.

Wodann, Jun 10 '20 14:06