[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Lua hits OSDI 2010
- From: Patrick Donnelly <batrick@...>
- Date: Wed, 6 Oct 2010 09:27:17 -0400
On Wed, Oct 6, 2010 at 8:54 AM, Luiz Henrique de Figueiredo
<lhf@tecgraf.puc-rio.br> wrote:
>> but Lua was more or less at the center of one of the talks given today
>> at the tech session in the OSDI 2010 conference.
>
> Very nice. Thanks for letting us know.
>
> The paper says:
>
> "Lua compiles to simple bytecode, which makes it relatively easy to sandbox."
>
> Tell that to Peter Cawley, aka Corsix :-)
They also say some other concerning things. In particular:
"We sandbox ASOs by removing all but the core libraries from the
runtime, leaving only a math package, string manipulation, and table
manipulation. As a result, handlers are extremely restricted: they
have no direct network access, no system execution capabilities, no
thread creation capabilities, and no file system access."
They apparently don't know Lua threads are coroutines and are
basically harmless for their sandbox needs. :( It sounds like they use
hooks for bytecode count limits and a custom allocator for memory
limits.
All that aside, it looks like an interesting paper. Thanks for the notice.
--
- Patrick Donnelly