- Subject: Reducing Lua's Trusted Computing Base
- From: Dimitri DeFigueiredo <dimitridobrasil@...>
- Date: Tue, 27 Jul 2010 15:15:54 -0700
Hey Folks,
I think Lua's small size gives it a significant advantage over other languages when it comes to security. It is also (likely deceptively) easy to set up a sandbox to run untrusted code in Lua. In my mind, this makes Lua a very strong candidate for implementing server-side software. This is especially true when multiple users collaborate using their own automated scripts in the server as in massive multi-player online games or trading platforms.
The only shortcoming I see is that Lua's VM (as described in http://luaforge.net/docman/view.php/83/98/ANoFrillsIntroToLua51VMInstructions.pdf) was not designed to run malicious code.
For example, what happens when a "malicious" chunk specifies an invalid opcode? Does the VM halt or just ignore it?
Therefore, when I want to sandbox code using Lua, I must trust not only the VM but also the "compiler" (lexer, parser, etc.). There's a lot of extra C code outside the VM that also needs to be trusted.
To be sure I can sandbox malicious code with Lua, I need to verify the platform. It is much easier to just verify the C code in the VM than in all of Lua. Is there a way to reduce the size of Lua's "trusted computing base" to the VM only? Is this at all on the roadmap? I understand that the internals of the Lua VM still change significantly at each release.
Thanks!
Dimitri
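The post's concern is that a hand-crafted bytecode chunk with invalid opcodes reaches the VM, which was never hardened against that. The usual mitigation is the opposite of shrinking the TCB to the VM: keep precompiled chunks out entirely, so untrusted input only ever enters through the lexer/parser, and additionally limit what the chunk can reach and how long it may run. The following is an added illustration, not code from the original post or from the Lua project. It assumes Lua 5.2 or later (where `load` accepts a mode argument and an environment table; Lua 5.1's `loadstring`/`setfenv` would be needed instead), and the function name `run_untrusted` and the budget value are my own choices.

```lua
-- Added example (not from the original post): a minimal sandbox that refuses
-- precompiled bytecode, restricts the chunk's globals, and bounds execution.
-- Assumes Lua 5.2+ (load(chunk, name, mode, env) and count hooks via debug.sethook).

local BYTECODE_SIGNATURE = "\27"  -- every Lua binary chunk starts with ESC ("\27Lua")

local function run_untrusted(source, max_instructions)
  -- Defense in depth: reject anything that looks like bytecode before load() sees it.
  if type(source) ~= "string" then return nil, "source must be a string" end
  if source:sub(1, 1) == BYTECODE_SIGNATURE then
    return nil, "binary chunks are not accepted"
  end

  -- A whitelisted environment: no io, os, require, debug, load, rawset, etc.
  -- Whole library tables are not shared, only the specific functions listed here.
  local env = {
    tostring = tostring, tonumber = tonumber, type = type, select = select,
    pairs = pairs, ipairs = ipairs, error = error, print = print,
    string = { format = string.format, sub = string.sub, len = string.len,
               upper = string.upper, lower = string.lower },
    math   = { floor = math.floor, abs = math.abs, max = math.max, min = math.min },
    table  = { insert = table.insert, remove = table.remove,
               concat = table.concat, sort = table.sort },
  }

  -- Mode "t" makes load() reject binary chunks, so only the parser/compiler
  -- handles untrusted input and the VM never executes hand-built opcodes.
  local chunk, err = load(source, "=untrusted", "t", env)
  if not chunk then return nil, "compile failed: " .. tostring(err) end

  -- A count hook raises an error every `budget` VM instructions; since pcall is
  -- deliberately absent from env, the chunk cannot swallow it and keep running.
  local budget = max_instructions or 1000000
  debug.sethook(function() error("instruction budget exhausted", 2) end, "", budget)
  local ok, result = pcall(chunk)
  debug.sethook()  -- always clear the hook, whether the chunk succeeded or not

  if not ok then return nil, "runtime error: " .. tostring(result) end
  return true, result
end

-- Constructed demonstrations: a benign chunk, a bytecode chunk, a runaway loop,
-- and a chunk that tries to reach a library that was not whitelisted.
print(run_untrusted("return string.upper('ok') .. ' ' .. math.max(1, 5)"))
print(run_untrusted(string.dump(function() return 1 end)))
print(run_untrusted("while true do end", 100000))
print(run_untrusted("return os.execute"))  -- os is nil here, so indexing it errors
```

The bytecode case is rejected before `load` ever runs, and even if the pre-check were skipped, mode `"t"` would refuse it. Note that the count hook only bounds CPU time; memory growth (for example, building a huge string with `string.rep`, which is why it is not in the whitelist) has to be limited separately, for instance with `lua_setallocf` on the host side.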