On Thu, Nov 22, 2012 at 11:58 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote: > On Thu, 22 Nov 2012 09:30:41 -0430 > Andres Perera wrote: > >> i'm not sure how using js for configuration files, as opposed to using >> a language commonly deployed for the same purpose, such as lua, >> presents an innate constraint on security. > > Firstly the article mentioned JIT preventing true randomisation. > > Secondly pulling in JS as a dependency even on servers is rediculous and > is a language very familiar to attackers and unfamiliar to many users. > It would be especially, shall we say kind to attackers utilising rop > attacks.
but jit isn't irreparably interleaved with js am i compromising by running luajit in interpreter mode instead of the reference implementation, moreover, would that imply that lua the language is insecure or is the specific implementation at fault? why would the runtime be attractive for rop? what configuration vm needs syscalls that would be attractive to an attacker that can change the address of a jump? does the runtime really need to open sockets, or spawn processes? (i'm not even talking about languages) > > >> >> then i would point out that, if anything, a popular js implementation >> receives broader testing than sudo's dsl. > > And it needs it and turns up bugs every week and grows constantly. Are > you serious! > i'm completely serious. i can use a js vm and write a trivial systrace sandbox like ssh's which only allows read() what now?
