
Lua in the Kernel? - signa11
https://lwn.net/Articles/830154/
======
pansa2
> _Scripts should not be able to crash the system, run indefinitely, or
> corrupt other parts of the system. To ensure that, Lunatik uses the Lua VM
> facilities for sandboxing the scripts so that they run in a safe execution
> environment [...] the number of instructions can be limited, so that
> infinite loops are not possible._

Lua's sandbox should be able to prevent scripts from crashing or corrupting
the system, but I'd be surprised if it could prevent a script from running
indefinitely. In particular, limiting the number of Lua bytecode instructions
is insufficient - even a single call to `string.find` can lock up the CPU [0].

> _They are using the standard Lua, rather than the LuaJIT fork, Neto said, in
> answer to another question._

Using LuaJIT would make sandboxing significantly more difficult, because it's
much more complex than regular Lua and hence more likely to have exploitable
bugs. This is the reason that game consoles disallow JIT-compilation - and
hence games tend to use regular Lua rather than LuaJIT.

[0] [http://lua-users.org/lists/lua-l/2011-02/msg01595.html](http://lua-
users.org/lists/lua-l/2011-02/msg01595.html)

~~~
0x76
You can't prevent infinite loops unless you've solved the halting problem
right?

They could of course just limit the run time if they really wanted to make
sure scripts don't run indefinitely.

~~~
coldtea
> _You can 't prevent infinite loops unless you've solved the halting problem
> right?_

Only in general arbitrary turing complete runtimes. For restricted subsets of
instructions and specific implementations of runtimes you can. E.g. one could
trivially disallow "jump" control flow, and limit loops to N iterations.

~~~
DarkWiiPlayer
It's more simple than that: pull the plug on the entire turing machine. Lua
runs in a VM, so you can stop it from the outside, which wouldn't be possible
if the code was running directly in the CPU (Without an OS underneath it, that
is).

~~~
mikevin
You could argue this doesn't really count as preventing though. It's
preventing a symptom instead of the underlying problem.

------
moonchild
Freebsd has used lua in its bootloader for a few years now.

[https://wiki.freebsd.org/SummerOfCode2014/LuaLoader](https://wiki.freebsd.org/SummerOfCode2014/LuaLoader)

[https://lists.freebsd.org/pipermail/freebsd-
current/2018-Feb...](https://lists.freebsd.org/pipermail/freebsd-
current/2018-February/068464.html)

~~~
d33
Wow, it actually sounds like a very elegant idea. I always viewed GRUB as
overly complex and rather unpleasant to configure. I wonder why they hadn't
gone this way.

~~~
kevans91
Note that we haven't yet introduced .lua configuration capabilities (that's a
project branch off to the side), but it does certainly make modifying menu
entries and other fun stuff a lot more palatable in my experience.

------
pmarin
NetBSD supports Lua in the kernel since 2012.

[https://www.netbsd.org/gallery/presentations/mbalmer/fosdem2...](https://www.netbsd.org/gallery/presentations/mbalmer/fosdem2012/kernel_mode_lua.pdf)

~~~
sanxiyn
It's in fact exactly the same thing, since NetBSD Lua started as a port of
Lunatik, which is the topic of this article.

------
7373737373
It's only a matter of time until we have metered WebAssembly in the kernel :)

~~~
moring
Actually, why not? The main reason that "in the kernel" is concerning is
because untrusted code needs some kind of sandboxing, either by static
analysis or by run-time checks. (Most modern systems do a combination of
both).

After all, the whole "in the kernel" vs. "in userland" distinction only exists
because we get hardware-accelerated sandboxing from the CPU and OS combined.

~~~
7373737373
Yeah, my comment is actually unironic :)

There are a few ways to limit the execution time of wasm programs:

\- inject code after a set of instructions with a certain duration and in each
loop that calls an external function which meters and destroys/suspends
execution when a limit is reached (e.g. [https://github.com/ewasm/wasm-
metering](https://github.com/ewasm/wasm-metering))

\- use a VM which counts instructions (e.g. [https://github.com/perlin-
network/life](https://github.com/perlin-network/life))

\- use hardware interrupts

More random thoughts:
[https://esolangs.org/wiki/RarVM](https://esolangs.org/wiki/RarVM)

------
pansa2
> _Investigation of a "typed Lua" for compilation is something on the roadmap.
> That is the approach that the main Lua project is taking to compete with
> LuaJIT on performance._

I haven't heard anything about an official "typed Lua". Is there information
about it somewhere?

~~~
soapdog
* Typed Lua: [https://github.com/andremm/typedlua](https://github.com/andremm/typedlua) (not actively maintained)

* tl: [https://github.com/teal-language/tl](https://github.com/teal-language/tl) a compiler for Teal a typed dialect of lua. (actively maintained)

~~~
darek
Indeed, Teal looks like it has the right brains behind it (author was involved
with several earlier attempts at typed Lua) and is actively maintained. I'm
personally watching it for future game development usage.

------
donatj
Smells like an attack vector waiting to happen to me. Malformed network
request, sandbox escape, front page of Hacker News like 8-10 years from now?

I am often irrationally paranoid about this sort of thing however.

~~~
DarkWiiPlayer
The neat thing about Lua is: It's simple. It's reasonable to expect that a
sandbox can be proven to be inescapable considering there's only a very
limited set of features that would allow this sort of thing in the first place
(mainly the `debug` library, which I doubt will be exposed)

------
gnufx
What happened to the implementation of a Scheme interpreter in Linux from
quite a while back? I can't immediately find a reference, and don't remember
details. I vaguely remember there was something similar for SunOS too (in the
'90s?).

------
ivzhh
ZFS compiles a modified version Lua 5.2 into zfs.ko and loaded into Linux
kernel.

~~~
magicalhippo
To expand slightly, it's used for "channel programs", scripts that can
interact with ZFS to create or modify datasets and similar tasks. There's a
write-up here[1] about the feature.

Main advantage is that it allows for multiple operations to be applied
atomically, as well as better error handling.

[1]: [https://www.delphix.com/blog/delphix-engineering/zfs-
channel...](https://www.delphix.com/blog/delphix-engineering/zfs-channel-
programs)

