eburtsev / kahlua

Automatically exported from code.google.com/p/kahlua

Question: Secure Sandbox? #28

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It looks as if it could be a secure sandbox, but it may just be a coincidence.

As long as I don't expose any dangerous functions, can I expect it to be as safe 
as JavaScript in a web browser?

Are there any things that I might be exposing by accident, or some unusual 
things that are secretly being exposed? (Java environment, file access, 
execution)

It looks as if all or most of the dangerous stuff is missing:
"Missing functions"
http://code.google.com/p/kahlua/wiki/KahluaManual

Can one LuaState interact with another LuaState?

Original issue reported on code.google.com by ion...@gmail.com on 27 Sep 2010 at 5:44

GoogleCodeExporter commented 9 years ago
Yes, that's right, it would be a fairly safe sandbox.
The only thing I can think of to break it is:

1) while true do end -- infinite loops to break the program. This can be solved 
by having another thread that monitors and kills it if necessary.
2) t = {} while true do t[#t+1] = {} end -- eating up memory. This is harder to 
solve, so theoretically someone could attack the system by consuming all memory.

Other than that, check which functions are exposed, and consider if any one of 
them could be used to exploit anything.

Original comment by kristofer.karlsson@gmail.com on 27 Sep 2010 at 6:02
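
A sketch of the monitoring thread suggested in point 1, added here as an example; it is not part of the thread and not Kahlua code. `ScriptWatchdog`, `runWithDeadline` and the `Runnable` stand-ins are hypothetical names, and no Kahlua API is used: the `Runnable` represents whatever host code calls into the interpreter.

```java
import java.util.concurrent.*;

public class ScriptWatchdog {
    /** Outcome of one supervised run. */
    enum Outcome { COMPLETED, STOPPED_AFTER_TIMEOUT, STILL_RUNNING_AFTER_TIMEOUT, FAILED }

    /**
     * Runs `script` on its own daemon thread and waits at most timeoutMs.
     * `script` is a hypothetical stand-in for the code that calls the interpreter.
     */
    static Outcome runWithDeadline(Runnable script, long timeoutMs) throws InterruptedException {
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "untrusted-script");
            t.setDaemon(true); // a stuck script must not keep the JVM alive
            return t;
        });
        Future<?> run = worker.submit(script);
        try {
            run.get(timeoutMs, TimeUnit.MILLISECONDS);
            return Outcome.COMPLETED;
        } catch (ExecutionException e) {
            return Outcome.FAILED; // the script threw; report it, do not rethrow
        } catch (TimeoutException e) {
            run.cancel(true); // only sets the worker's interrupt flag
            worker.shutdownNow();
            // Interrupts are cooperative: a loop that never polls the flag keeps running.
            boolean stopped = worker.awaitTermination(200, TimeUnit.MILLISECONDS);
            return stopped ? Outcome.STOPPED_AFTER_TIMEOUT
                           : Outcome.STILL_RUNNING_AFTER_TIMEOUT;
        } finally {
            worker.shutdownNow(); // idempotent; releases the worker on every path
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed stand-ins for `while true do end` running inside an interpreter loop.
        Runnable pollsInterrupt = () -> { while (!Thread.currentThread().isInterrupted()) { } };
        Runnable ignoresInterrupt = () -> { while (true) { } };

        System.out.println(runWithDeadline(() -> { }, 500));
        System.out.println(runWithDeadline(pollsInterrupt, 500));
        System.out.println(runWithDeadline(ignoresInterrupt, 500));
    }
}
```

The third case shows what the watchdog sees when the running code never checks the interrupt flag: the timeout is detected, but the thread cannot be stopped from inside the JVM. Hosting the interpreter in a separate process that the supervisor can kill covers that case.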