NullSeraph

Lua Security Issues?


NullSeraph
I've only recently gotten into Lua programming, but I've noticed something that's a little worrisome. The topic of security in Lua was only discussed in one wiki page, and even that was very incomplete. Does Lua have any fundamental security issues I should be aware of? Has anyone looked into this? I apologize if this question is clearly answered elsewhere, but I could not seem to find a definitive resource for this information in my searches. Thanks in advance for any information you guys might have.

Sneftel
The Lua VM is not secure against malformed bytecode. If an attacker is allowed to submit arbitrary malformed bytecode, it could crash the VM or even provide arbitrary code execution. There's some bytecode checking that occurs, but AFAIK it's not intended to be comprehensive.

Lua, however, CAN be made secure against source-based attacks. A properly sandboxed Lua VM can be trusted to execute arbitrary attacker-provided source without doing anything bad outside the VM. Sandboxing basically consists of not exposing unsafe C functions to the VM (including some of the OS functions from the built-in library) and enforcing quotas on memory usage and (if necessary) processor time.

Lua as an application development language is no more or less secure than any other application development language, except inasmuch as it avoids exploits from raw memory access, and has a fairly clear barrier between code and data.

corysama
You clearly do not want to link in the "OS" or "IO" libraries. os.execute("del *.* /S /F") is not a good option to have.

You might also consider overwriting the standard functions dofile, loadfile, loadlib, loadstring and require with do-nothing functions.

There is an explanation in the "etc" directory of the standard distribution that explains how to easily remove the parser and thereby the ability of the interpreter to compile text to bytecode at runtime.

I'm not aware of any other Lua-specific security issues.

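As an added example (not code from the thread or from the Lua project), here is a host-side sandbox for Lua 5.2+ that puts the two replies above into practice: a whitelisted environment with no os/io/require/dofile/loadfile, text-only chunk loading so supplied bytecode is rejected, and instruction and memory quotas enforced from a count hook. The names make_env, run_sandboxed and the quota constants are this example's own choices.

```lua
-- Added example, not from the thread: a Lua 5.2+/5.3 host-side sandbox that
-- applies the advice above (whitelisted environment, text-only chunks,
-- instruction and memory quotas). All names below are the example's own.
local function make_env()
  -- Only pure functions are visible. No os, io, require, dofile, loadfile,
  -- load, debug or package, and the library tables are copies so the
  -- untrusted chunk cannot alter the host's originals.
  return {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, len = string.len, lower = string.lower,
               sub = string.sub, upper = string.upper },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort, unpack = table.unpack },
    math = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
  }
end

local MAX_INSTRUCTIONS = 1000000   -- CPU quota, counted in VM instructions
local MAX_MEMORY_KB    = 4096      -- coarse memory quota for the whole state
local HOOK_INTERVAL    = 1000      -- the count hook fires every 1000 instructions

local function run_sandboxed(source)
  -- Mode "t" rejects binary chunks, so attacker-supplied bytecode never
  -- reaches the VM's loader; globals in the chunk resolve against our env.
  local chunk, err = load(source, "=untrusted", "t", make_env())
  if not chunk then return false, "compile error: " .. err end

  local function abort(msg)
    -- Re-arm the hook to fail on every instruction so a pcall loop inside
    -- the untrusted code cannot swallow the quota error and keep running.
    debug.sethook(function() error(msg, 0) end, "", 1)
    error(msg, 0)
  end
  local executed = 0
  debug.sethook(function()
    executed = executed + HOOK_INTERVAL
    if executed > MAX_INSTRUCTIONS then abort("instruction quota exceeded") end
    -- Caveat: one C call (e.g. a huge string.rep) can allocate past this
    -- check before the hook runs; a hard limit belongs in the host's lua_Alloc.
    if collectgarbage("count") > MAX_MEMORY_KB then abort("memory quota exceeded") end
  end, "", HOOK_INTERVAL)
  local ok, result = pcall(chunk)
  debug.sethook()
  return ok, result
end

print(run_sandboxed("return 2 + 3"))
print(run_sandboxed("return type(os)"))
print(run_sandboxed("while true do end"))
```

The string metatable still routes ("x"):method() through the host's full string library, so a stricter host also replaces that metatable's __index with the whitelisted copy.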
