Re: Bytecode: Safe or not? / luac manual

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Bytecode: Safe or not? / luac manual
From: Stefan Reich <stefan.reich.maker.of.eye@...>
Date: Sun, 30 Oct 2011 20:50:03 +0000

Ah. So the manpage is basically in error because it doesn't know about
the exploits yet.

I really do hope that lbcv covers all the possible violations. Having
a safe way of loading untrusted bytecode is quite crucial to what I
want to be able to do with Mobile Lua.

Once we have safe deserialisation of Lua states - we can achieve total
mobility for all Lua code.

I don't know about you guys, but I for one am really excited about
that perspective.

-Stefan

On Sun, Oct 30, 2011 at 7:29 PM, Luiz Henrique de Figueiredo
<lhf@tecgraf.puc-rio.br> wrote:
>> "Lua always performs a thorough integrity test on precompiled chunks"?
>> I thought everybody agreed that bytecode is unsafe in 5.1.
>>
>> How can the contradiction be solved?
>
> It was solved in 5.2 by removing the bytecode verifier,
> mainly because Peter Cawley has shown several exploits
> of flaws in the bytecode verifier of Lua 5.1. See also
> http://lua-users.org/lists/lua-l/2011-10/msg00214.html

Follow-Ups:
- Re: Bytecode: Safe or not? / luac manual, Frank Meier-Dörnberg

References:
- Bytecode: Safe or not? / luac manual, Stefan Reich
- Re: Bytecode: Safe or not? / luac manual, Luiz Henrique de Figueiredo

Prev by Date: Re: luac -l -l
Next by Date: Re: luac -l -l
Previous by thread: Re: Bytecode: Safe or not? / luac manual
Next by thread: Re: Bytecode: Safe or not? / luac manual
Index(es):
- Date
- Thread