- Subject: Re: Secure tables in Lua: Summary
- From: Roberto Ierusalimschy <roberto@...>
- Date: Thu, 3 Jul 2008 13:15:24 -0300
> In general, Lua's not terribly good at this stuff because it lacks the
> rigour necessary to make sure that you get everything right, all the
> time --- it's far too easy to make a mistake and expose something, at
> which point an attacker can fairly easily unravel your whole security
> system. For example, in your sample code, your exposed object's
> metatable's __index field points directly at the underlying data store,
> which means that given a secured table t, this:
>
> data = getmetatable(t).__index
>
> ...undoes all the security.
You can avoid this particular attack using the __metatable field. But
your general analysis still applies.
-- Roberto
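
The leak described in the quoted message and the `__metatable` fix from the reply, as an added Lua example that is not part of the original thread. `make_proxy` and the sample stores are hypothetical stand-ins for the poster's sample code, which is not shown on this page.

```lua
-- Added example. make_proxy and the sample stores are hypothetical names.
local function make_proxy(store, lock)
  local mt = {
    __index = store, -- direct reference to the underlying data store
    __newindex = function() error("table is read-only", 2) end,
  }
  if lock then
    -- With this field set, getmetatable() returns its value instead of
    -- mt, and setmetatable() on the proxy raises an error.
    mt.__metatable = "locked"
  end
  return setmetatable({}, mt)
end

-- Without __metatable: the store is reachable through the metatable.
local store_a = { secret = 1 }
local open = make_proxy(store_a, false)
assert(not pcall(function() open.secret = 2 end)) -- ordinary writes are blocked
local leaked = getmetatable(open).__index
assert(leaked == store_a)                          -- but the store is exposed
leaked.secret = 2
assert(open.secret == 2)                           -- and the protection is undone

-- With __metatable: the same access path is closed.
local store_b = { secret = 1 }
local locked = make_proxy(store_b, true)
assert(getmetatable(locked) == "locked")           -- placeholder value, not mt
assert(not pcall(setmetatable, locked, {}))        -- metatable cannot be replaced
assert(not pcall(function() locked.secret = 2 end))
assert(locked.secret == 1)                         -- reads still work, store intact
```

`__metatable` only changes what `getmetatable` and `setmetatable` do; `debug.getmetatable` ignores it, so untrusted code must not be given the `debug` library.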