- Subject: Re: tostring userdata
- From: David Heiko Kolf <david@...>
- Date: Sat, 6 Jul 2019 07:43:26 +0200
Sean Conner wrote:
> I thought that was clear from the context (this mailing list being about
> Lua, and the topic of getting address information from Lua leading to OMG
> Armageddon! but I probably should have been more explicit about it).
[...]
> But so far, all I've seen is "OMG! ASLR is VIOLATED! Burn the feature!"
> which to me comes across as cargo cult security, of which I seem to be in
> the minority. So let's neuter both tostring() and string.format() to save
> ASLR!
>
> -spc (And request, nay! Demand! That all modules in C avoid printing an
> address as part of the __tostring() metamethod ...)

I really don't like the mockery that sometimes pops up when security is
mentioned.

Yes, giving an address on its own does no harm.

Yes, well-written code must never allow write or read access to
out-of-bounds memory, on the stack or on the heap, no matter whether it
is the Lua library or any external C bindings for Lua.

Is everybody writing bindings for Lua always writing perfect code? I
hope I do so most of the time, but I can't guarantee that I do it all
the time. And the list of published CVEs (in general, not limited to
Lua) seems to tell me I am not alone.

Is ASLR worth it or just some useless obfuscation we don't need to care
about? I can't judge.

If I wanted to write a project that executes untrusted code, I guess
I would probably provide my own versions of string.format and tostring,
assuming I remember this issue.

Best regards,
David
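
The message above mentions providing replacement versions of string.format and tostring when running untrusted code. The following sketch of that idea is an added example, not code from the thread or from the Lua project; it assumes Lua 5.2 or later, and the names safe_tostring, safe_format, safe_string and the returned env table are hypothetical.

```lua
-- Added example (not from the thread). Host-side setup, run before untrusted code.
local real_tostring, real_format, gmatch = tostring, string.format, string.gmatch
local REF = { table = true, ["function"] = true, userdata = true, thread = true }

-- Stable opaque ids let scripts still tell objects apart.
-- Weak keys so the id table does not keep dead objects alive.
local ids, next_id = setmetatable({}, { __mode = "k" }), 0

local function safe_tostring(v)
  if not REF[type(v)] then return real_tostring(v) end
  local mt = debug.getmetatable(v)      -- not blocked by a __metatable field
  -- Assumption: a __tostring on a table is Lua code and cannot see addresses;
  -- userdata from C modules may print their own pointer, so they get an id.
  if type(v) == "table" and mt and rawget(mt, "__tostring") then
    return real_tostring(v)
  end
  local id = ids[v]
  if not id then
    next_id = next_id + 1
    id = next_id
    ids[v] = id
  end
  local name = mt and rawget(mt, "__name")
  return real_format("%s: #%d", type(name) == "string" and name or type(v), id)
end

local function safe_format(fmt, ...)
  local args, i = table.pack(...), 0
  -- Walk the conversions in order: "%%" takes no argument, any other takes one.
  for conv in gmatch(real_tostring(fmt), "%%[%-+ #0]*%d*%.?%d*(.)") do
    if conv == "p" then
      error("format conversion 'p' is disabled in this sandbox", 2)
    elseif conv ~= "%" then
      i = i + 1
      -- "%s" would call the stock tostring internally; pre-render references.
      if conv == "s" and REF[type(args[i])] then args[i] = safe_tostring(args[i]) end
    end
  end
  return real_format(fmt, table.unpack(args, 1, args.n))
end

local safe_string = {}
for k, f in pairs(string) do safe_string[k] = f end
safe_string.format = safe_format
-- ("%p"):format(x) resolves through the shared string metatable, not the sandbox
-- globals, so point it at the wrapped copy as well (this also affects host code).
getmetatable("").__index = safe_string

-- Hypothetical helper: globals for an untrusted chunk. print is left out on
-- purpose because the stock print renders values the same way tostring does.
return { env = { tostring = safe_tostring, string = safe_string },
         tostring = safe_tostring, format = safe_format }
```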