Is there any way to avoid this security issue in Lua?

I was just working on a localizable linear Lua solution when I came up with this hack; the problem is that I don’t know how to prevent it. :) So I was wondering if anyone has done something like this and knows how to protect against this kind of attack (in user code).

So how can we do this:

    =("foo"):upper() --> output: FOO

It can be hacked as follows:

    getmetatable("foo").__index.upper = function() print("bye bye sucker"); os.exit() end
    =("foo"):upper()     --> output: bye bye sucker (application quits)
    -- or this way
    =string.upper("bar") --> output: bye bye sucker (application quits)

Any ideas?

+6
security lua
6 answers

First of all, execute untrusted code only in an isolated environment - as was said by other posters. With the exception of loading bytecode blocks, Lua allows you to cover all other sandbox issues. (And problems with bytecode blocks are fixed quickly, as detected.)

See the Lua Live Demo for an example of a sandbox. Its sources are available here.

Your specific problem with metatables is solved by setting the __metatable field:

If you set the __metatable field in a metatable, getmetatable will return the value of this field, while setmetatable will raise an error.

- Roberto Ierusalimschy, Programming in Lua 1st Edition, 13.3 - Methods defined by the library

For example:

    > mt = { __metatable = true }
    > t = {}
    > setmetatable(t, mt)
    > setmetatable(t, mt)
    stdin:1: cannot change a protected metatable
    stack traceback:
            [C]: in function 'setmetatable'
            stdin:1: in main chunk
            [C]: ?

So all you have to do is:

 getmetatable("").__metatable = true 
+8

If your hacker has the ability to add code, and you need to allow this code to call things like os.exit, then you're still out of luck.

You can limit the functions that their code can call. It depends on what you still want the user code to be able to do. See the documentation for setfenv and google for "lua sandbox".

+6

I'm not sure why you have a problem, as you probably already know about sandboxes: you can remove dangerous functions like io.exit, and you can ensure that the only functions that can be overridden are those listed in the user's global table, i.e., the Lua functions used inside your application will remain unchanged.
In any case, if a hacker can directly call os.exit, the fact that he can shoot himself in the foot by tampering with an innocent function that he will use later is his problem.
In addition, this is a problem only if you run user-defined functions on your server; for example, if a hacker destroys his own system, then again, that is his problem!
Now there is also the problem of spreading dangerous code: you need to limit the privileges of user scripts. After all, that is what browsers do with JavaScript.

+2

This security issue is typically illustrated by this sentence, said by Ford Prefect in the brilliant Hitchhiker's Guide to the Galaxy books: "This is more likely due to the fact that the other side of this airtight hatch

My ability to write code cannot be considered a security vulnerability, and if you cannot control your code, this is your security problem, not what this code can do.

There are tons and tons of things you can do if you can just get the machine to execute some of your code. Security means avoiding getting that code in the first place. Everything after that is just collateral damage.

The way to avoid this kind of hack is to avoid getting unknown code into your application.

+2

I don't see the ability to redefine upper as a problem. The ability to see os.exit is a problem.

As suggested by others, create an isolated environment for your scripts. Each script can get a new one; then a person can redefine upper or something like that, and all they break is their own stuff.

Creating Lua states is so quick and easy that it will not cause any problems.

Another thing to watch out for is infinite loops. Creating a watchdog that kills the script after, say, 10,000 instructions takes about 10 lines of C code. I can send you a sample if you need one.

+1
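The three mitigations the answers above propose (lock the string metatable with __metatable, run user code in a restricted environment, and bound it with an instruction-count watchdog) combined into one runnable Lua 5.2+ sandbox. This is an added example, not code from the thread; `make_env` and `run_untrusted` are names chosen here, and the whitelist is an assumption you would tune to your application.

```lua
-- 1. Lock the shared string metatable so getmetatable("x") no longer hands
--    out the table whose __index is the real `string` library (see answer 1).
local smt = getmetatable("")
if type(smt) == "table" then smt.__metatable = true end

-- 2. Whitelist environment (assumed set). Library tables are shallow-copied so
--    user code that replaces string.upper only touches its own copy.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    pcall = pcall, error = error, next = next, getmetatable = getmetatable,
    string = copy(string), table = copy(table), math = copy(math),
    -- os, io, debug, load, dofile, require, rawset, setmetatable: omitted on purpose
  }
end

-- 3. Load text-only chunks (mode "t" rejects bytecode, the hole answer 1 notes)
--    and enforce an instruction budget with a count hook; the hook's error
--    unwinds the user script and is caught by pcall.
local function run_untrusted(src, max_instr)
  local fn, err = load(src, "=user", "t", make_env())
  if not fn then return false, "compile: " .. err end
  debug.sethook(function() error("instruction budget exceeded", 2) end, "", max_instr)
  local ok, res = pcall(fn)
  debug.sethook()
  return ok, res
end

-- The question's own attack, followed by a runaway loop (constructed inputs).
print(run_untrusted([[
  local mt = getmetatable("foo")              -- now `true`, not the metatable
  if type(mt) == "table" then mt.__index.upper = function() return "hijacked" end end
  string.upper = function() return "only my copy" end
  return ("foo"):upper()                      -- still the real upper: FOO
]], 10000))
print(run_untrusted("while true do end", 10000))
```

The first call prints `true FOO`; the second prints `false` with the budget error, instead of hanging the host.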

I don’t have a solution (I don’t use Lua, I'm just interested in it from afar), but what you need is called a sandbox. Google for "Lua sandbox"; I found some seemingly interesting pages this way. For example: http://lua-users.org/wiki/SandBoxes.

0