lua-l archive



 ----- Original Message -----
From: Jonathan Castello
Date: 8/21/2010 10:27 PM
On Sat, Aug 21, 2010 at 9:23 PM, Joshua Jensen
<jjensen@workspacewhiz.com>  wrote:
  ----- Original Message -----
From: Martin Guy
Date: 8/21/2010 9:43 PM
Was this really worth posting to the entire list?

On 8/22/10, Majic<majic.one@gmail.com>    wrote:
Very informative, thanks! :o

  On Sat, Aug 21, 2010 at 3:22 PM, Peter Cawley<lua@corsix.org>    wrote:
  >    As anyone who has tracked Lua 5.2's development will likely know, the
  >    bytecode verifier was removed, and the responsibility shifted to the
  >    end-developer to ensure that bytecode from untrusted sources couldn't
  >    be loaded. To show just how important this responsibility is, I've
  >    written up a pure Lua module for the default Lua 5.2 (-work4)
  >    interpreter which can read and write arbitrary memory locations. The
  >    only thing standing between this and a generic
  >    arbitrary-code-execution exploit is DEP (hardware/OS level memory page
  >    protection preventing where code can be executed from).
  >
  >    The code is available at:
  >    http://www.corsix.org/lua/bytecode_abuse_0_1.lua
Your comment was made because you're not interested in the subject or
because you prefer security through obscurity?  Or for some other reason?
I read it as in response to Majic, personally...
Now, I'm embarrassed. I see Majic's comment now, and I can see why Martin made the comment.

Top posting... <sigh>

Josh
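
Peter Cawley's quoted message puts the job of keeping untrusted bytecode out of the interpreter on the embedding developer. The following is an added example, not code from the thread or from the linked module, showing one way to do that in Lua. It assumes Lua 5.1 or the Lua 5.2 release signature `load(chunk, chunkname, mode, env)`; `safe_load` and `read_all` are hypothetical helper names.

```lua
-- Added example: refuse precompiled (binary) chunks from untrusted input.
-- safe_load and read_all are hypothetical names, not part of Lua itself.

-- First byte of LUA_SIGNATURE ("\27Lua"); the loader treats any chunk
-- that starts with this byte as precompiled bytecode.
local ESC = "\27"

-- Collect a chunk given either as a string or as a reader function
-- (the two forms load() accepts) into a single string.
local function read_all(chunk)
  if type(chunk) == "string" then return chunk end
  if type(chunk) ~= "function" then
    return nil, "chunk must be a string or a reader function"
  end
  local parts = {}
  while true do
    local piece = chunk()
    if piece == nil or piece == "" then break end
    if type(piece) ~= "string" then return nil, "reader must return strings" end
    parts[#parts + 1] = piece
  end
  return table.concat(parts)
end

local function safe_load(chunk, chunkname, env)
  local source, err = read_all(chunk)
  if not source then return nil, err end
  -- Explicit gate: works on 5.1 and 5.2 and does not depend on the loader.
  if source:sub(1, 1) == ESC then
    return nil, "refusing to load binary chunk"
  end
  -- Empty environment by default, so the chunk sees no globals.
  -- This limits name lookup only; it is not a complete sandbox.
  env = env or {}
  if setfenv then
    -- Lua 5.1: loadstring has no mode argument; the check above is the only gate.
    local fn, lerr = loadstring(source, chunkname)
    if not fn then return nil, lerr end
    return setfenv(fn, env)
  end
  -- Lua 5.2 release: mode "t" makes load() itself reject binary chunks.
  return load(source, chunkname, "t", env)
end

-- Constructed sample inputs: a text chunk and a dumped (binary) chunk.
print(safe_load("return 1 + 1", "=text"))
print(safe_load(string.dump(function() end), "=binary"))
```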