[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: future of bytecode verifier
- From: Gabríel "A." Pétursson <gabrielp@...>
- Date: Wed, 04 Mar 2009 20:02:43 +0000
I'd suggest making the current byte-code verifier optional in luaconf.h.
On Wed, 2009-03-04 at 15:58 -0300, Luiz Henrique de Figueiredo wrote:
> Following several bytecode exploits found by the relentless Peter Cawley
> and others, we are considering dropping the bytecode verifier completely in
> Lua 5.2. It seems useless to make a promise that we can't seem to deliver
> without a much more complicated verifier than the current one, and possibly
> with the need for costly runtime checks as well.
> Our impression is that applications that are open to running arbitrary Lua
> code provided by the user should avoid accepting precompiled scripts. So we
> think that adding a flag to load (the Lua function from the base library)
> to check for and reject precompiled scripts is enough for Lua-based apps
> to be able to reject precompiled scripts if they want to. We don't think
> anything else is needed in the C side, since you can always write you own
> lua_Reader function to reject precompiled scripts.
> At the same time, shedding the bytecode verifier would allow applications
> that run their own precompiled scripts that are deemed safe to avoid the
> cost of the bytecode verifier. The checks would be limited to the sanity
> tests done in lundump.c, which should be enough for flagging accidental
> file corruption.
> All feedback is welcome. Thanks.