Re: Bytecode: Safe or not? / luac manual

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Bytecode: Safe or not? / luac manual
From: Peter Cawley <lua@...>
Date: Tue, 1 Nov 2011 17:35:12 +0000

On Tue, Nov 1, 2011 at 5:30 PM, Frank Meier-Dörnberg <frank@md-web.de> wrote:
> Do you want to verify that the (possibly created in bad faith) byte code
> will terminate?
> Or do you want to verify that the bytecode only refer to "allowed"
> ("in-sandbox") variables/functions?

Neither. You want to verify that the bytecode will only interact with
the virtual machine in ways which source code can, and therefore that
the bytecode cannot peform arbitrary native code execution. As I have
example code to prove, Win32 + Lua 5.1.x VM + table.sort + string.gsub
+ bytecode = arbitrary native code execution.

Follow-Ups:
- Re: Bytecode: Safe or not? / luac manual, Frank Meier-Dörnberg

References:
- Re: Bytecode: Safe or not? / luac manual, Stefan Reich
- Re: Bytecode: Safe or not? / luac manual, Jorge
- Re: Bytecode: Safe or not? / luac manual, Stefan Reich
- Re: Bytecode: Safe or not? / luac manual, Paul Hudson
- Re: Bytecode: Safe or not? / luac manual, Frank Meier-Dörnberg

Prev by Date: Re: Bytecode: Safe or not? / luac manual
Next by Date: Re: Bytecode: Safe or not? / luac manual
Previous by thread: Re: Bytecode: Safe or not? / luac manual
Next by thread: Re: Bytecode: Safe or not? / luac manual
Index(es):
- Date
- Thread