[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Some thoughts on security
- From: "Soni L." <fakedme@...>
- Date: Sun, 11 Dec 2016 22:11:37 -0200
On 11/12/16 09:21 PM, Samuel Groß wrote:
[snip]
Here's some food for thought: Let's say you write a Lua VM that turns
Lua source code directly into x86 assembly.
1. How do you string.dump this? The easiest way would be to just dump
the whole x86 assembly, and as far as I'm aware the Lua reference manual
allows this.
2. When loading a raw x86 assembly bytecode, how do you validate it?
Well, you can't, unless you include a whole static analysis framework in
your VM, and even then you won't be able to validate that it's Lua - the
"bytecode" could in theory use sockets or something.
Lua bytecode is not and has never been safe. Lua bytecode has always
been implementation-defined. Don't rely on it, and don't trust it.
--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.
