lua-users home
lua-l archive


From my experience of trying to abuse Lua bytecode, I've decided to
attack the other side of the problem, and attempt to write a module
which verifies Lua 5.2 bytecode as non-malicious. The fruits of this
effort are the following module, which I've named lbcv:

http://code.google.com/p/lbcv/

lbcv is MIT licensed, and hence comes with no warranty of correctness,
but has correctly classified all the malicious bytecode I've thrown at
it, as well as correctly classifying as non-malicious all the
code-generator generated code I've thrown at it. The approach used is
to trace the execution of the bytecode, keeping track of the state of
each virtual machine register at every possible reachable instruction.
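
The register-tracing approach described in the message above, as an added example that is not part of the original post and is not lbcv's code. The instruction set, type names and `verify` function are hypothetical, and instructions are assumed to be already decoded into tuples of the right arity.

```python
# Toy register VM constructed for this example; not Lua 5.2's opcodes or encoding.
# Assumption: the toy interpreter trusts operand types and bounds at run time.
UNINIT, NUM, TABLE, ANY = "uninit", "num", "table", "any"
READS = {"MOVE": (1,), "TEST": (0,), "STORE": (0, 1), "RETURN": (0,)}
OPS = {"LOADK", "NEWTABLE", "JMP"} | set(READS)

def join(a, b):
    """Merge the types one register has on two paths into the same pc."""
    if a == b:
        return a
    return UNINIT if UNINIT in (a, b) else ANY

def verify(code, nregs):
    """Trace every reachable instruction; return (ok, reason)."""
    if not code:
        return False, "empty function"
    states = {0: (UNINIT,) * nregs}  # pc -> register types on entry
    work = [0]
    while work:
        pc = work.pop()
        op, *args = code[pc]
        if op not in OPS:
            return False, f"pc {pc}: unknown opcode"
        regs = list(states[pc])
        reg_args = args[:-1] if op in ("JMP", "TEST") else args
        if any(not 0 <= r < nregs for r in reg_args):
            return False, f"pc {pc}: register out of range"
        if any(regs[args[i]] == UNINIT for i in READS.get(op, ())):
            return False, f"pc {pc}: read of unset register"
        if op == "STORE" and regs[args[0]] != TABLE:
            return False, f"pc {pc}: STORE target not provably a table"
        if op in ("LOADK", "NEWTABLE"):
            regs[args[0]] = NUM if op == "LOADK" else TABLE
        elif op == "MOVE":
            regs[args[0]] = regs[args[1]]
        succs = {"JMP": [args[-1]], "TEST": [pc + 1, args[-1]], "RETURN": []}.get(op, [pc + 1])
        for nxt in succs:
            if not 0 <= nxt < len(code):
                return False, f"pc {pc}: control leaves the function"
            old = states.get(nxt)
            new = tuple(regs) if old is None else tuple(map(join, old, regs))
            if new != old:  # state changed, so re-trace from this successor
                states[nxt] = new
                work.append(nxt)
    return True, "ok"

# Constructed sample: r0 is a table on one path and a number on the other.
MIXED = [("LOADK", 1), ("TEST", 1, 4), ("NEWTABLE", 0), ("JMP", 5),
         ("LOADK", 0), ("STORE", 0, 1), ("RETURN", 0)]
print(verify(MIXED, 2))
```

Each path through `MIXED` looks fine on its own; the rejection comes from merging the two register states where the branches rejoin at pc 5.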