[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Making LUA safe to execute untrusted scripts [replay]
- From: Luiz Henrique de Figueiredo <lhf@...>
- Date: Mon, 17 Apr 2000 22:23:36 -0300 (EST)
[listproc choked on this one. --lhf]
>From: Bennett Todd <bet@rahul.net>
>Date: Mon, 17 Apr 2000 20:03:13 -0400
>To: Luc Van den Borre <luc@nuclide.com>
>Cc: Multiple recipients of list <lua-l@tecgraf.puc-rio.br>
2000-04-17-18:32:48 Luc Van den Borre:
> I'm interested in mobile code - (LUA) code received by an
> application from an external, perhaps untrusted source.
A very, very tough problem.
> - restrictions on file-access
> - cpu usage limitations (which would probably mean pre-emptive
> multitasking between scripts)
> - memory limitations (no more than a fixed amount of memory to
> play with)
> - time limitations (run no longer than fixed amount of cycles or
> get killed)
> - doesn't crash - or at least crashes nicely without taking down
> the host program
Noble goals, and nicely specified. A couple more to add:
- restrictions on memory access within the program (can't read or
write arbitrary locations in memory within the process)
- restrictions on other syscalls --- e.g. connect, kill, ...
I've no idea whether Lua is well-suited to applying such
restrictions, but I'll say this: if its designers felt that it was,
I'd be a _lot_ liklier to trust it in a role like this than any
competitor I've seen, including most especially Java and Javascript.
Simplicity is a virtue. Doubly so when security is a goal.
-Bennett
