Something amusing happened on Lua-L recently that I'd like to share.
Stefan is someone who wants to take Lua mobile. He posted:
《1》Let's make Lua mobile!
-- Persistence: Uses Pluto.
-- Safety:
-- Untrusted non-frozen scripts should be fine (b/c of sandboxing).
-- Untrusted frozen scripts should not be run.
-- (No protection against bad bytecode or malformed Pluto images)
The post mentions Persistence and Safety.
Pluto can persist not only ordinary data objects but also functions and threads;
but he found that what Pluto generates is bytecode rather than source code, so he posted:
《2》Pluto generating source code?
Here's another little idea:
I could imagine a Pluto-like library outputting pure Lua source code.
You would need a few special functions to recreate the coroutine stack
frames - but other than that, I don't see a real obstacle here. Or is
there?
Outputting source code would be quite elegant and certainly more
readable than bytecode.
Comments?
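He says, quite casually, why not generate source code; you might need a few steps to rebuild the coroutines, but that is no big deal. (I don't know what everyone else thinks, but I blushed on the spot; I couldn't do it.)
Someone replied:
I think this question is a bit silly; even with my coffee I don't get it. (Westerners have quite a sense of humor.)
Later someone explained how the various Lua types are persisted. He is not Pluto's author, but he built a similar wheel, persistence: http://code.google.com/p/corsix-th/wiki/Persistance
That story ended after three posts. It seems there is no way around using bytecode, so Stefan began to question Lua's bytecode: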
《3》Bytecode: Safe or not? / luac manual
"Lua always performs a thorough integrity test on precompiled chunks"?
I thought everybody agreed that bytecode is unsafe in 5.1.
How can the contradiction be solved?
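I thought everyone agreed that 5.1 bytecode is unsafe. How can this contradiction be resolved?
Lua's author said that once 5.2 removes the bytecode verifier there will be no problem; Peter Cawley had earlier pointed out that the 5.1 bytecode verifier has some holes.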
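As an added illustration of the "untrusted frozen scripts should not be run" rule from the first post (example code written for this page, not taken from the thread or from Pluto): the hypothetical helper `load_untrusted` accepts Lua source text only, rejects anything that begins with the precompiled-chunk signature byte, and runs the result in a whitelisted environment. The whitelist contents and chunk names are constructed for the example.

```lua
-- Added example: load untrusted Lua *source* only, never precompiled bytecode.
-- `load_untrusted` is a hypothetical helper name, not part of Lua or Pluto.
local ESC = "\27"  -- precompiled chunks begin with "\27Lua" (LuaJIT: "\27LJ")

local function load_untrusted(src, chunkname, env)
  if type(src) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Version-independent check: the loader picks the undump path when the
  -- first byte is ESC, so refuse such input before it gets that far.
  if src:sub(1, 1) == ESC then
    return nil, "refusing precompiled chunk"
  end
  local fn, err
  if setfenv then
    -- Lua 5.1 / LuaJIT: loadstring has no mode argument.
    fn, err = loadstring(src, chunkname)
    if fn then setfenv(fn, env) end
  else
    -- Lua 5.2+: mode "t" makes load itself reject binary chunks,
    -- and env becomes the chunk's only view of globals.
    fn, err = load(src, chunkname, "t", env)
  end
  return fn, err
end

-- Constructed whitelist: the only globals the untrusted chunk can see.
local env = { print = print, tostring = tostring }

-- 1. Plain source text is accepted and runs inside the whitelist.
local ok_fn = assert(load_untrusted("return 1 + 1", "=src", env))
assert(ok_fn() == 2)

-- 2. A "frozen" (precompiled) chunk is refused. Sample built with string.dump.
local bytecode = string.dump(function() return 1 end)
local fn, err = load_untrusted(bytecode, "=frozen", env)
assert(fn == nil and err == "refusing precompiled chunk")

-- 3. Globals outside the whitelist are simply absent.
local probe = assert(load_untrusted("return os", "=probe", env))
assert(probe() == nil)
```

The whitelist limits which globals the chunk can reach; it does not bound CPU time or memory.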
Stefan replied to Lua's author:
Ah. So the manpage is basically in error because it doesn't know about
the exploits yet.
I really do hope that lbcv covers all the possible violations. Having
a safe way of loading untrusted bytecode is quite crucial to what I
want to be able to do with Mobile Lua.
Once we have safe deserialisation of Lua states - we can achieve total
mobility for all Lua code.
I don't know about you guys, but I for one am really excited about
that perspective.
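Aha, so the manual is basically wrong because it doesn't know about this exploit yet. lbcv (forgive my ignorance on this one)
Once we achieve safe persistence of Lua states, we will have fully realized mobility for Lua code. I don't know what you guys think, but I for one get terribly excited just thinking about it.
He then explained what mobility means: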
Let me explain the principle once more.
Script S is run on machine A until it calls freeze().
It is then serialized into a Pluto image (or an image made by a future
library that is even better than Pluto).
The image is sent to machine B - which may or may not "trust" machine
A, it doesn't matter much.
There, it is deserialized and script S continues to compute. (Safely,
because of sandboxing.)
Later, the script may travel somewhere else again, of course.
Pluto requires saving and loading bytecode, so we need that ability
for this to work.
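Script S runs on machine A until it calls freeze(). It is then persisted into a Pluto image (or the image of some future library better than Pluto), and the image is sent to machine B, where it is restored to S and continues running (safely). In this way the script can travel freely wherever it longs to go. He then explains that Pluto saves and loads via bytecode, so this capability (safe bytecode) is needed.
Someone replied: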
Even a flawless byte code verifier is not the right tool to verify a Lua-State, by all I'm able to imagine
Try as I might to imagine it, even a flawless bytecode verifier cannot verify a Lua-State.
Stefan replied:
Well, it's one part. The other part would be a Pluto image verifier
which, among other things, calls the bytecode verifier for all
bytecode chunks.
I mean, this is an engineering task. No more no less. I don't know
exactly how much work it is, but I don't think it would take all that
long if a skilled engineer gets to work on it.
And I know there are some real Lua internals experts even on this very list :)
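I think that, however hard or easy, this is just a matter of workload. I can't know exactly how deep the pit is, but I think a skilled engineer could fill it in without taking all that long.
Besides, aren't there plenty of Lua experts right here?
Someone replied: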
No amount of engineering will solve the Halting problem.
The halting problem is not a matter of workload.
Stefan replied:
Sorry, but what does this have to do with anything discussed before?
Don't you rather want to contribute something related to the topic?
But does this have anything to do with what was discussed before? Could you please be a bit constructive?
Someone (Rob) replied:
He did. And as a bonus, he didn't bring up some fantasy about us not
using money by next year. *That* is off-topic.
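How can you say he wasn't constructive? He didn't bring in some fantasy about nobody spending money by next year. (Author's note: I can't get this translation right.)
Stefan replied: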
Haha. No it's not. It's extremely important and very real. Because
many people believe - wrongly - that money is something that will
continue to exist. And base their lives on this fantasy.
I offer you reality. Are you ready for it? Seems like you're a little
outside of it, Rob.
And since you chose to attack me: Who are you anyway? All I found on
your homepage is:
"Rob Kendrick has no website design skills."
Sounds... uhm, "impressive" :)
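Since you chose to attack me, who on earth are you? I looked at your homepage, and all it has is "Rob has no web design skills."
Many people discussed the halting problem. I think so too: to verify bytecode you have to follow the program's flow, and Lua can of course construct an infinite loop for you.
Someone brought up General Magic.
Stefan replied: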
Let me ask you this: How many of the apps you're running right now are mobile?
Say that your battery is running out within 5 minutes and you have
another machine sitting on your desk.
Can you transfer all your running apps over to that machine within 5
minutes - with all their unsaved data etc.?
Hmm... you can't?
Well then the mobile code revolution has obviously not engulfed your
computer yet.
Q.E.D. - it has not happened yet. But it sure can. :)
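OK, how many apps are running on your phone right now? Suppose the battery will run out in 5 minutes and there is another machine next to you. Can you transfer all the apps to that machine within those 5 minutes, including all the unsaved data?
You can't, can you?
That shows the mobile code revolution has not yet engulfed your computer.
Q.E.D. - none of this has happened yet, but it surely will.
Someone replied:
Others have tried this before; perhaps you can learn from their failures.
Stefan replied: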
Well to tell you the truth: I don't know why they failed. Maybe they
were commercial and that killed them. For example, Telescript doesn't
seem to exist in the open - at least I didn't see a download link
anywhere after a quick search.
I have spent some years thinking about mobile code, and I believe I
have experienced all the possible traps myself by now and I know now
how to realize such a system. I'm ready to overcome some unplanned
challenges if any should present themselves. But actually the road
ahead looks pretty clear as of now.
Thanks for the input though :)
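To be honest, I don't know why they failed. Perhaps for commercial reasons; for example, Telescript was not open, at least I couldn't find a download.
I have been thinking about mobile code for some years and have stepped into every pit there is; I am now sure I understand how to build such a system. I am always ready to overcome unknown difficulties. The road is beneath my feet, clearly visible.
Someone replied:
Rob did not attack you personally, but you attacked him personally. And this is not the first time you have run wild on Lua's turf.
Someone replied:
A brat is a brat.
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man." - George Bernard Shaw
Stefan replied: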
I am neither arrogant nor stupid. I am far from both. I defend myself
when attacked, and sometimes strongly so, but always in proportion to
the attack. In this, I follow the same principle as all peaceful men
before and after me.
You seem unable to see some attacks for what they are. Why that is, I
don't know. Maybe a problem in perception.
Sorry to disappoint you, but I have nothing to change in my conduct.
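I am neither arrogant nor stupid; quite the opposite. I act in legitimate self-defense, sometimes excessively, but always tit for tat. Toward peaceful people I am restrained.
It seems you did not see their attacks. I don't know why that is; perhaps selective blindness.
Sorry to disappoint you, but I will keep doing things my way: I'll walk my own road and let others talk.
To be continued.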