 ----- Original Message -----
From: Martin Guy
Date: 8/21/2010 9:43 PM
Was this really worth posting to the entire list?

On 8/22/10, Majic<majic.one@gmail.com>  wrote:
Very informative, thanks! :o

  On Sat, Aug 21, 2010 at 3:22 PM, Peter Cawley<lua@corsix.org>  wrote:
  >  As anyone who has tracked Lua 5.2's development will likely know, the
  >  bytecode verifier was removed, and the responsibility shifted to the
  >  end-developer to ensure that bytecode from untrusted sources couldn't
  >  be loaded. To show just how important this responsibility is, I've
  >  written up a pure Lua module for the default Lua 5.2 (-work4)
  >  interpreter which can read and write arbitrary memory locations. The
  >  only thing standing between this and a generic
  >  arbitrary-code-execution exploit is DEP (hardware/OS level memory page
  >  protection preventing where code can be executed from).
  >
  >  The code is available at:
  >  http://www.corsix.org/lua/bytecode_abuse_0_1.lua

Your comment was made because you're not interested in the subject or because you prefer security through obscurity? Or for some other reason?

I'm very interested in this. The question I would ask at this point is whether the built-in Lua 5.1 bytecode verifier could have prevented this?

Josh
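
The thread's point is that, with the verifier gone, the embedding application has to keep untrusted bytecode away from the loader. The following is an added example of one such gate, not code from any of the posts or from the module linked above; `safe_load`, the chunk name and the sample environment are hypothetical names chosen for illustration.

```lua
-- Added example: gate untrusted chunks so precompiled bytecode never reaches
-- the loader. safe_load is a hypothetical helper name, not part of Lua.

-- Binary chunks start with the signature "\27Lua"; 27 is the ESC byte.
local ESC = 27

local function safe_load(source, chunkname, env)
  -- Accept strings only, so the whole chunk is available to inspect
  -- before it is handed to the loader.
  if type(source) ~= "string" then
    return nil, "untrusted chunk must be a string"
  end
  if source:byte(1) == ESC then
    return nil, "precompiled bytecode rejected"
  end

  if setfenv then
    -- Lua 5.1: loadstring accepts both text and binary chunks, so the
    -- signature check above is the only gate.
    local fn, err = loadstring(source, chunkname)
    if not fn then return nil, err end
    if env then setfenv(fn, env) end
    return fn
  end

  -- Released Lua 5.2 and later: mode "t" makes load itself refuse binary
  -- chunks, as a second check behind the signature test.
  if env == nil then
    return load(source, chunkname, "t")
  end
  return load(source, chunkname, "t", env)
end

-- Constructed sample input: one text chunk and one compiled chunk.
-- The environment handed to untrusted code must not expose load, loadstring,
-- loadfile or dofile, or the script can load bytecode itself.
local sandbox_env = { print = print }
local text_chunk = "print('text chunk ran')"
local binary_chunk = string.dump(function() return 1 end)

for name, chunk in pairs({ text = text_chunk, binary = binary_chunk }) do
  local fn, err = safe_load(chunk, "=untrusted", sandbox_env)
  if fn then fn() else print(name .. " chunk refused: " .. err) end
end
```

`loadfile` and `dofile` also accept binary chunks, so untrusted files should be read into a string and passed through the same gate rather than loaded directly.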