
So I'm working on a program wherein I am storing Lua scripts as text in a file to be loaded by an application later to execute (doText is the function I believe) and return a value. What I expect from the Lua code is to take a float from C, do (only) mathematical operations on the float, and return another float back to C.

I quickly realized that a malicious actor could inject Lua code into the files that makes it behave like a macro virus such as in Microsoft Word/Excel/PowerPoint; it could open a Lua file and replicate, or worse, inject code into a PE file for example making the PE file virulent and malicious.

Is there a way to block Lua functionality useful for a malicious actor (such as file io operations) or implement functionality to preclude this behavior?

pmg
Steve Mucci
  • Sure. Just don't expose the relevant functions to the script. And then add a watchdog, so it won't take forever. – Deduplicator Feb 06 '19 at 21:25
  • Lua has file io capabilities. I was thinking to parse the script for functions (such as file io) relevant to an attacker with C and then not running the script if those functions are found. – Steve Mucci Feb 06 '19 at 21:37
  • I suggest you never underestimate the ingenuity that people will throw at figuring out how to run malicious code. I continue to be amazed that people will bother but they certainly will. I was looking at Lua as well as JavaScript for scripting an application and I put it aside after deciding it was just opening up the box too much. – Richard Chambers Feb 06 '19 at 22:04
  • Can you un-require portions of the Lua library? That would make this so much easier. And yeah @RichardChambers embedding Lua in my program was the difference between a grade school playground and Disney World. Unfortunately Disney World needs security... – Steve Mucci Feb 06 '19 at 22:12
  • @SteveMucci this may be helpful, [How to drop all code and memory space of a Lua module](https://stackoverflow.com/questions/18097333/how-to-drop-all-code-and-memory-space-of-a-lua-module) one answer of which is to a Lua-users archive which discusses a home brewed `unrequire()` function. – Richard Chambers Feb 06 '19 at 22:41

1 Answer


My impression is that you want to create a Lua sandbox in which the Lua scripts are run. By controlling the sandbox environment, you can limit what the scripts can do.

There are a number of similar questions on Stack Overflow.

Then Mozilla has a GitHub that you may find useful: Lua Sandbox Library.

It looks like there was a change from Lua 5.1 to Lua 5.2 which caused a number of the older sandbox techniques to not work so well. Here is a description of approaches for Lua 5.1, Sand Boxes; however, a function used, setfenv(), is no longer available in Lua 5.2.

There is also Safe Lua which may be helpful.

This article, Sandboxing Lua from C, mentions picking libraries to load one at a time to create a specific running environment.

> This is how the proposed quasi-sandbox is implemented: normally after creating new Lua state, host code should call luaL_openlibs() function to load standard libraries provided by the Lua language, however this will pull-in many functions which might be unwanted in certain situations. Therefore, this sandbox pulls-in each library individually by calling luaL_requiref() and exploits the fact that this function leaves a table of loaded functions on the top of the Lua stack. The unwanted functions are then undefined by giving them nil value, ...

However, there is also a warning about this approach: unknown dependencies that cause runtime errors.

> It is necessary to give some final notes regarding the proposed solution: it is not clear whether Lua interpreter will preserve full functionality in all aspects outside the unwanted functionality, when only subset of standard libraries are loaded, however it did work well for my solution. In any case some testing is advised. This is due to the fact, that some seemingly core functionality of the language (e.g. ipairs()) is actually provided by the base library.

The best approach is to lock down the scripts so that you can run them as a trusted script even when using sandbox techniques.

Richard Chambers
  • I appreciate the thorough answer, but I think sandboxing at this level is like using a nuclear weapon where one well aimed sniper shot could do the trick if you catch my drift. Incredible answer though, still going straight to my noggin. :) – Steve Mucci Feb 06 '19 at 22:16
  • @SteveMucci what stopped me was that opening up my application meant anybody who threw in a Lua script that broke something would be calling me assuming it was my application and not their Lua script. The horror of all those calls and having to chase after closing loopholes was enough to stop me from pursuing the idea. – Richard Chambers Feb 06 '19 at 22:33
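
An added example, not code from the question, the answer or the linked articles: the Lua 5.2+ replacement for setfenv() that the answer mentions (the environment argument of load()), combined with the watchdog suggested in the comments, for the "float in, float out" formulas the question describes. It assumes Lua 5.2 or later; run_formula, make_env and MAX_INSTRUCTIONS are hypothetical names, and the sample scripts are constructed. A C host can do the same with lua_load, lua_setupvalue and lua_sethook.

```lua
-- Added example: whitelist environment + text-only loading + instruction watchdog.
-- Assumes Lua 5.2 or later; all names here are hypothetical.

local MAX_INSTRUCTIONS = 100000  -- constructed budget, tune for real formulas

-- Build the only globals a formula can see: a private copy of the math
-- library, so a script cannot modify the host's own math table.
local function make_env()
  local m = {}
  for name, fn in pairs(math) do m[name] = fn end
  return { math = m }
end

-- Run `source` (Lua text) with x as its only argument.
-- Returns a number on success, or nil plus an error message.
local function run_formula(source, x)
  -- Mode "t" refuses precompiled bytecode; the 4th argument is the
  -- environment (this replaces setfenv() from Lua 5.1).
  local chunk, err = load(source, "=formula", "t", make_env())
  if not chunk then return nil, "compile error: " .. err end

  -- Watchdog: the count hook raises an error after MAX_INSTRUCTIONS VM
  -- instructions. pcall is not in the environment, so the script cannot
  -- catch the error and keep running.
  local co = coroutine.create(chunk)
  debug.sethook(co, function() error("instruction budget exceeded", 0) end,
                "", MAX_INSTRUCTIONS)

  local ok, result = coroutine.resume(co, x)
  if not ok then return nil, "runtime error: " .. tostring(result) end
  if type(result) ~= "number" then return nil, "formula must return a number" end
  return result
end

-- Constructed sample scripts: one valid formula and three that must be refused.
local samples = {
  "local x = ...; return math.sqrt(x) * 2",
  "local x = ...; return io.open('out.txt', 'w')",  -- io is not in the environment
  "while true do end",                               -- stopped by the watchdog
  string.dump(function() return 1 end),              -- bytecode, rejected by mode 't'
}
for i, src in ipairs(samples) do
  print(i, run_formula(src, 9.0))
end
```

Where the string library has been opened, string methods stay reachable through the string metatable (for example `("x"):rep(n)`), and the count hook does not fire inside C functions. Bounding memory needs a limiting allocator passed to lua_newstate in the C host.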