On Sun, Oct 10, 2010 at 9:45 PM, Samuel Greear <lua@evilcode.net> wrote:
> I didn't like the fact that the only option for loading a script into
> the kernel was to load the script source. I would make loading
> pre-compiled scripts the preferential method. In fact, I would
> probably tear eval out of the kernel lua implementation and only
> support loading of precompiled byte-code into the kernel.

This sounds like a *really bad* idea. It's been shown in the past that
loading precompiled bytecode is a security hole (by Peter Cawley et
al.). The Lua authors have removed the bytecode verifier because it is
too difficult to verify bytecode integrity. I haven't looked at this
project much (even though it sounds very cool) but if it is possible
for userland processes to specify scripts to run in a kernelland
sandbox, then you do *not* want to load precompiled bytecode.

-- 
- Patrick Donnelly
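
An added example, not part of the original message or of the project under discussion: a pre-load gate that accepts only source text by refusing any chunk the Lua loader would dispatch to the bytecode undumper. The function names are hypothetical and the sample buffers are constructed; the '#'-line handling mirrors what luaL_loadfile does in Lua 5.1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First byte of LUA_SIGNATURE ("\033Lua"); the loader treats any chunk
 * that starts with it as precompiled bytecode. */
#define LUA_SIG_FIRST '\033'

enum chunk_kind { CHUNK_EMPTY, CHUNK_TEXT, CHUNK_BINARY };

/* Classify a chunk by the byte the loader dispatches on.
 * file_semantics != 0 mirrors luaL_loadfile in Lua 5.1, which skips a
 * leading '#' line before looking for the signature byte. */
enum chunk_kind classify_chunk(const char *buf, size_t len, int file_semantics)
{
    size_t i = 0;
    if (file_semantics && len > 0 && buf[0] == '#') {
        while (i < len && buf[i] != '\n') i++;   /* skip the '#' line */
        if (i < len) i++;                        /* and its newline */
    }
    if (i >= len) return CHUNK_EMPTY;
    return buf[i] == LUA_SIG_FIRST ? CHUNK_BINARY : CHUNK_TEXT;
}

/* Hypothetical gate for an untrusted submission: 0 = hand to the compiler,
 * -1 = refuse. Only non-empty source text is accepted. */
int accept_untrusted_chunk(const char *buf, size_t len, int file_semantics)
{
    return classify_chunk(buf, len, file_semantics) == CHUNK_TEXT ? 0 : -1;
}

int main(void)
{
    /* Constructed samples; the binary ones are only a header prefix. */
    const char *samples[] = {
        "print('hello')",
        "\033LuaQ",
        "#!/usr/bin/lua\n\033LuaQ",
        "#!/usr/bin/lua\nprint(1)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               accept_untrusted_chunk(samples[i], strlen(samples[i]), 1) == 0
                   ? "accepted" : "rejected");
    return 0;
}
```

In Lua 5.2 and later, passing mode "t" to luaL_loadbufferx enforces the same text-only restriction inside the loader itself.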