- Subject: Re: tostring userdata
- From: Sean Conner <sean@...>
- Date: Sat, 6 Jul 2019 02:20:25 -0400
It was thus said that the Great David Heiko Kolf once stated:
> Sean Conner wrote:
> > I thought that was clear from the context (this mailing list being about
> > Lua, and the topic of getting address information from Lua leading to OMG
> > Armageddon! but I probably should have been more explicit about it).
> > But so far, all I've seen is "OMG! ASLR is VIOLATED! Burn the feature!"
> > which to me comes across as cargo cult security, of which I seem to be in
> > the minority. So let's neuter both tostring() and string.format() to save
> > ASLR!
> > -spc (And request, nay! Demand! That all modules in C avoid printing an
> > address as part of the __tostring() metamethod ...)
> I really don't like the mockery that sometimes pops up when security is
And I don't like the "You must do this! Think of the children!" rhetoric
that comes from the security domain. 
> Yes, giving an address on its own does no harm.
> Yes, well written code must never allow write or read access to
> out-of-bounds memory, on the stack or on the heap, no matter whether it
> is the Lua library or any external C bindings for Lua.
> Is everybody writing bindings for Lua always writing perfect code? I
> hope I do so most of the time, but I can't guarantee that I do it all
> the time. And the list of published CVEs (in general, not limited to
> Lua) seems to tell me I am not alone.
Yeah, I looked up CVEs for Lua. There aren't many, and what there are
aren't in Lua itself, but in other modules. And NONE were related to
"knowing" an address.
Also, if I am to believe some of the hype I've read about securely written
code, NOTHING should be written in C. Ever.
So until there is a proof-of-concept of an exploit in Lua because of
tostring() printing addresses, I'm going to oppose any changes. Think,
-spc (I'll stop now before I get truly cynical about things)
 Years ago I used to work in web hosting and I've been on the
business end of PCI compliance. There's nothing like a 500 page
report of repeated issues where the fact that we have DNS, and you
can ping (PING! OH MY GOD OUR COMPUTERS ARE ON THE INTERNET!) our
servers, and so on, ad nauseam, for 500 pages. Never mind the fact
that we were a WEB HOSTING COMPANY! It's like they thought we
didn't even know networks existed! I found it insulting and an
utter waste of time.
And frankly, it hasn't gotten better in my opinion, and leads to
such stupidities as DNS over HTTPS because ENCRYPT ALL THE THINGS!
without thought. Just do it. No, do it. I fully expect in twenty
years time that *everything* will be tunneled through TCP port 443
because we can't imagine otherwise.
Damn it we can't be paranoid enough, can we?
Yes, I'm bitter.
 I toned down the language here.