- Subject: Re: Lua Security Considerations...
- From: Grant Robinson <jgrantr@...>
- Date: Wed, 11 Mar 2009 12:11:47 -0600

On Wed, Mar 11, 2009 at 11:16 AM, Rogers, Doug
> They are properly concerned. My advice would be to add some sort of
> encryption to the byte code loader and compiler. If you're only worried
> about authentication then the encryption could be limited to a hash of
> the byte code stream at the end of each chunk being loaded. That would
> allow post-processing of the compiled Lua byte codes.
>
> I see a lot of other posts about "if they can get to the Lua they can
> get to the C". That is not always true.

I agree. Lua bytecode contains a lot more information about the
original program than GCC code that has been stripped and compiled
without debugging symbols. For example, I just used LuaDec to get a
pretty decent re-creation of a Lua script. It was missing comments,
but other than that, it was pretty dang close.

I should add that this is not just using Lua for configuration, or for
game control, or any such thing. This is an entire application
written in mostly Lua (there are some parts written in C for speed,
but the core of the IP in this application will be in Lua, and not in