- Subject: sandboxing security, lua bytecode, metatables and string library
- From: Mildred <ml.mildred593@...>
- Date: Fri, 23 Feb 2007 04:30:06 +0100
Hi,

I'm creating an application that will run untrusted lua files, and I
wonder if it is possible to access metatables with lua bytecode.

My concern is that every lua chunk has access to strings, and if lua
bytecode permits access to metatables, every lua chunk now has access to
the string library. Of course the string functions are not that
threatening, BUT if untrusted code has access to the table containing
the string functions, it can replace the usual string functions with
malicious code, and the code running afterwards would be affected. Of
course, if access to the metatable is not possible, there is no
problem.

For example, I could run some untrusted code in a sandbox using setfenv,
the code changes, for example, string.gsub(), and the trusted code then
sends the result of string.gsub (called with trusted parameters) to the
dofile() function.

So malicious code would change string.gsub to something that points
to a malicious file, and then gain enough rights to damage what it
wants.

One solution would be to change the string metatable before calling
untrusted code and change it back afterwards, but it slows down the
whole process (saving every function in a separate table and then restoring
them afterwards seems to me a lot to do). So I wonder if I really
need to do it.

I know I can change that easily with some C code, but I prefer not to
touch the standard lua interpreter.

Do you have any thoughts on that?

Mildred.
--
Mildred <xmpp:mildred@jabber.fr> <http://mildred632.free.fr/>
GPG key : <hkp://pgp.mit.edu> or <http://mildred632.free.fr/gpg_key>
Fingerprint : 197C A7E6 645B 4299 6D37 684B 6F9D A8D6 [9A7D 2E2B]
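
The save-and-restore idea from the message, combined with locking the string metatable and refusing precompiled chunks, as an added example that is not part of the original post. It assumes Lua 5.1 (`setfenv`, `loadstring`); `copy`, `restore`, `run_untrusted` and the sample chunk are hypothetical names and constructed input.

```lua
-- Added example for Lua 5.1; run_untrusted and the sample chunk are hypothetical.
local string_lib = string
local string_mt  = getmetatable("")   -- shared by every string; __index is the string table

-- With __metatable set, getmetatable("") returns this value instead of the real
-- metatable (debug.getmetatable ignores it, so keep debug out of the sandbox).
string_mt.__metatable = "locked"

local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Put the table back to its saved state; return the names that had changed.
local function restore(t, saved)
  local changed = {}
  for k in pairs(t) do
    if saved[k] == nil then t[k] = nil; changed[#changed + 1] = k end
  end
  for k, v in pairs(saved) do
    if t[k] ~= v then t[k] = v; changed[#changed + 1] = k end
  end
  return changed
end

local function run_untrusted(src)
  -- Precompiled 5.1 chunks start with ESC; accept source text only.
  if src:sub(1, 1) == "\27" then return false, "bytecode refused", {} end
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err, {} end
  local saved = copy(string_lib)
  -- The sandbox sees a private copy of the library, never the shared table.
  setfenv(chunk, { string = copy(string_lib), getmetatable = getmetatable })
  local ok, res = pcall(chunk)
  local changed = restore(string_lib, saved)
  if rawget(string_mt, "__index") ~= string_lib then
    string_mt.__index = string_lib
    changed[#changed + 1] = "__index"
  end
  return ok, res, changed
end

-- Constructed sample chunk: overwrites gsub in its own environment only.
local ok, res, changed = run_untrusted([[
  string.gsub = function() return "replaced" end
  return getmetatable("")
]])
print(ok, res, #changed)
print(("a.lua"):gsub("a", "b"))
```

The snapshot is one shallow table copy per run, and a non-empty `changed` list is worth logging, since it means the chunk reached the shared table despite the other two measures.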