[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: future of bytecode verifier
- From: Luiz Henrique de Figueiredo <lhf@...>
- Date: Wed, 4 Mar 2009 15:58:22 -0300
Following several bytecode exploits found by the relentless Peter Cawley
and others, we are considering dropping the bytecode verifier completely in
Lua 5.2. It seems useless to make a promise that we can't seem to deliver
without a much more complicated verifier than the current one, and possibly
with the need for costly runtime checks as well.
Our impression is that applications that are open to running arbitrary Lua
code provided by the user should avoid accepting precompiled scripts. So we
think that adding a flag to load (the Lua function from the base library)
to check for and reject precompiled scripts is enough for Lua-based apps
to be able to reject precompiled scripts if they want to. We don't think
anything else is needed in the C side, since you can always write you own
lua_Reader function to reject precompiled scripts.
At the same time, shedding the bytecode verifier would allow applications
that run their own precompiled scripts that are deemed safe to avoid the
cost of the bytecode verifier. The checks would be limited to the sanity
tests done in lundump.c, which should be enough for flagging accidental
All feedback is welcome. Thanks.