- Subject: Re: future of bytecode verifier
- From: Evan DeMond <evan.demond@...>
- Date: Thu, 5 Mar 2009 11:44:26 -0500
On Thu, Mar 5, 2009 at 11:38 AM, Evan DeMond <firstname.lastname@example.org> wrote:
> On Thu, Mar 5, 2009 at 11:34 AM, Olivier Galibert <email@example.com> wrote:
> > On Thu, Mar 05, 2009 at 02:49:23PM -0000, John Hind wrote:
> > > Now you really have me confused! Surely most Lua apps accept "arbitrary user
> > > code"? After all it is a configuration and customisation language and this
> > > is the whole point. Sure, I guess most such apps do not *expect* to load
> > > binary files, but as long as they use the same input stream this will remain
> > > a possible attack vector.
> >
> > For most lua applications there is nothing to attack. The lua code
> > and the main application come from the same security context and
> > there's nothing you can do through the application you couldn't do
>
> I think the worry here is more about potential buffer overflow or denial of service crashing type attacks, not malicious actions using the Lua library functions.

Sorry, I think I misunderstood you a bit, ignore my last comment there. You meant that something embedding Lua will run at the same level of security as the host application, correct?
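
The point quoted above, that an application expecting only source text can still be handed a precompiled chunk through the same input stream, can be handled by checking the buffer before it reaches the loader. The following is an added example, not code from this thread or from Lua itself; `classify_chunk` and `accept_untrusted_chunk` are hypothetical names, and skipping a leading `#` line is an assumption modelled on loaders that ignore a Unix shebang line before looking at the first byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First byte of a precompiled Lua chunk (LUA_SIGNATURE is "\033Lua"). */
#define CHUNK_SIG_BYTE 0x1B

typedef enum { CHUNK_TEXT = 0, CHUNK_BINARY = 1 } chunk_kind;

/* Classify a buffer the way a loader that dispatches on the first byte would.
 * Assumption: the loader may skip one leading "#..." line before inspecting
 * that byte, so this check skips it too. Skipping is the conservative choice:
 * it can only cause more input to be classified as binary, never less. */
chunk_kind classify_chunk(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (len > 0 && buf[0] == '#') {
        while (i < len && buf[i] != '\n') i++;  /* skip to end of first line */
        if (i < len) i++;                        /* step past the newline */
    }
    if (i < len && buf[i] == CHUNK_SIG_BYTE)
        return CHUNK_BINARY;
    return CHUNK_TEXT;
}

/* Hypothetical gate for a host that expects source text only: returns 1 if
 * the buffer may be handed to the Lua loader, 0 if it must be refused. */
int accept_untrusted_chunk(const unsigned char *buf, size_t len)
{
    return classify_chunk(buf, len) == CHUNK_TEXT;
}

int main(void)
{
    /* Constructed samples: plain source, and a shebang line hiding a binary chunk. */
    const char *src = "print('hello')";
    const char *bin = "#!/usr/bin/lua\n\033LuaQ";
    printf("source accepted: %d\n",
           accept_untrusted_chunk((const unsigned char *)src, strlen(src)));
    printf("binary accepted: %d\n",
           accept_untrusted_chunk((const unsigned char *)bin, strlen(bin)));
    return 0;
}
```

The gate only removes the binary-chunk path; it does not change what source text handed to the loader is able to do.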