lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

It was thus said that the Great David Heiko Kolf once stated:
> Sean Conner wrote:
> >   I thought that was clear from the context (this mailing list being about
> > Lua, and the topic of getting address information from Lua leading to OMG
> > Armageddon! but I probably should have been more explicit about it).
> [...]
> >   But so far, all I've seen is "OMG! ASLR is VIOLATED!  Burn the feature!"
> > which to me comes across as cargo cult security, of which I seem to be in
> > the minority.  So let's neuter both tostring() and string.format() to save
> > ASLR!
> > 
> >   -spc (And request, nay!  Demand!  That all modules in C avoid printing an
> > 	address as part of the __tostring() metamethod ...)
> I really don't like the mockery that sometimes pops up when security is
> mentioned.

  And I don't like the "You must do this!  Think of the children!" rhetoric
that comes from the security domain. [1]

> Yes, giving an address on its own does no harm.
> Yes, well written code must never allow write or read access to
> out-of-bounds memory, on the stack or on the heap, no matter whether it
> is the Lua library or any external C bindings for Lua.
> Is everybody writing bindings for Lua always writing perfect code? I
> hope I do so most of the time, but I can't guarantee that I do it all
> the time. And the list of published CVEs (in general, not limited to
> Lua) seems to tell me I am not alone.

  Yeah, I looked up CVEs for Lua.  There aren't many, and what there are
aren't in Lua itself, but in other modules.  And NONE were related to
"knowing" an address.

  Also, if I am to believe some of the hype I've read about securly written
code, NOTHING should be written in C.  Ever. [2]

  So until there is a proof-of-concept of an exploit in Lua because of
tostring() printing addresses, I'm going to oppose any changes.  Think,

  -spc (I'll stop now before I get truely cynical about things)

[1]	Years ago I used to work in web hosting and I've been on the
	business end of PCI compliance.  There's nothing like a 500 page
	report of repeated issues where the fact that we have DNS, and you
	servers, and so on, ad naseum, for 500 pages.  Never mind the fact
	that we were a WEB HOSTING COMPANY!  It's like they thought we
	didn't even know networks existed!  I found it insulting and an
	utter waste of time.

	And frankly, it hasn't gotten better in my opinion, and leads to
	such stupidities as DNS over HTTPS because ENCRYPT ALL THE THINGS! 
	without thought.  Just do it.  No, do it.  I fully expect in twenty
	years time that *everything* will be tunneled through TCP port 443
	because we can't imagine otherwise.

	Damn it we can't be paranoid enough, can we?

	Yes, I'm bitter.

[2]	I toned down the language here.