- Subject: Re: Lua Security Considerations...
- From: Luiz Henrique de Figueiredo <lhf@...>
- Date: Wed, 11 Mar 2009 15:26:56 -0300

> Still, management is concerned about how hard it would be for some
> hacker who knew we were using Lua to hook the VM and inject Lua code
> into the interpreter.

If your app does not run Lua code provided by outside sources, then it's
pretty safe, as far as Lua is concerned. If your app does run user-provided
code, it does have to take special steps to make sure it does not mess with
your Lua environment, if you care about it. Then it's a matter of sandboxing.
But if your app runs user-provided Lua bytecode, then there are some holes
in the bytecode verifier that have been found recently. So, stick to running
user-provided Lua code in source form in a sandbox.

> They are also concerned about competitors disassembling our binary
> application and gaining access to the Lua byte code that would include
> algorithms our competition would benefit from.

This is harder to avoid. Adobe Lightroom and The Sims don't seem worried about
this, but you can always encrypt the bytecode and decrypt it at load time.
But you're probably just inviting the hard-core hackers to break the encryption.
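
The advice above to accept user-provided code only in source form, inside a sandbox, can be sketched as follows. This is an added example, not code from the original post or from the Lua authors; the whitelist contents and the names `new_env`, `load_untrusted` and `run_untrusted` are assumptions chosen for illustration.

```lua
-- Added example: load untrusted chunks as source text only, in a restricted
-- environment. Function names and the whitelist are illustrative assumptions.
local ESC = 27  -- first byte of every precompiled chunk ("\27Lua")

-- Globals exposed to untrusted code; everything else (os, io, debug,
-- require, load, string.dump, ...) is simply absent from the environment.
local function new_env()
  return {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tonumber = tonumber, tostring = tostring,
    math = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
    table = { concat = table.concat, insert = table.insert, remove = table.remove },
  }
end

local function load_untrusted(chunk, name)
  if type(chunk) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- The loader chooses the bytecode path from the first byte alone,
  -- so that is the byte to test before handing the chunk to it.
  if chunk:byte(1) == ESC then
    return nil, "precompiled chunks are not accepted"
  end
  local env = new_env()
  local fn, err
  if setfenv then                       -- Lua 5.1: compile, then swap the environment
    fn, err = loadstring(chunk, name)
    if fn then setfenv(fn, env) end
  else                                  -- Lua 5.2 and later: text-only mode plus env
    fn, err = load(chunk, name, "t", env)
  end
  return fn, err
end

local function run_untrusted(chunk, name)
  local fn, err = load_untrusted(chunk, name)
  if not fn then return false, err end
  return pcall(fn)                      -- runtime errors stay inside the sandbox call
end

-- Constructed inputs: allowed source, source reaching for a missing global,
-- and a precompiled chunk produced with string.dump.
print(run_untrusted("return math.max(1, 2)", "=allowed"))
print(run_untrusted("return os.execute('id')", "=no_os"))
print(run_untrusted(string.dump(function() end), "=bytecode"))
```

String methods remain reachable from sandboxed code through the shared string metatable, and nothing here limits CPU time or memory, so an application that needs those limits has to add them separately.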