DOCSLIB.ORG

Lua Code: Security Overview and Practical Approaches to Static Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Lua Code: Security Overview and Practical Approaches to Static Analysis 2017 IEEE Symposium on Security and Privacy Workshops Lua code: security overview and practical approaches to static analysis Andrei Costin∗† ∗University of Jyvaskyl¨ a¨ Jyvaskyl¨ a,¨ Finland ancostin@jyu.fi †Firmware.RE andrei@firmware.re Abstract—Lua is an interpreted, cross-platform, embeddable, languages’ popularity [2], and above languages such as Go and performant and low-footprint language. Lua’s popularity is on Delphi according to PYPL index [3]. On the one hand, Lua’s the rise in the last couple of years. Simple design and efficient us- lack of sufficient visibility could be explained by a series of age of resources combined with its performance make it attractive for production web applications even to big organizations such factors, such as quantitative and qualitative lack of libraries as Wikipedia, CloudFlare and GitHub. In addition to this, Lua is in LuaRocks compared to RubyGems (for Ruby), PyPI (for one of the preferred choices for programming embedded and IoT Python) and CPAN (for Perl) [4]. On the other hand, Lua’s devices. This context allows to assume a large and growing Lua rise in popularity [2], [5] could be explained by the follow- codebase yet to be assessed. This growing Lua codebase could ing aspects. First, the simple design combined with efficient be potentially driving production servers and extremely large number of devices, some perhaps with mission-critical function performance and resource usage [6], [7] make it attractive for for example in automotive or home-automation domains. production web applications even to big organizations such However, there is a substantial and obvious lack of static as Wikipedia [8], CloudFlare [9] and GitHub [10]. Second, analysis tools and vulnerable code corpora for Lua as compared there is an exploding market and an overwhelming popularity to other increasingly popular languages, such as PHP, Python of extremely low-cost IoT chipsets such as ESP8266 [11] and JavaScript. Even the state-of-the-art commercial tools that support dozens of languages and technologies actually do not that can run Lua code using open-source firmware such as support Lua static code analysis. NodeMCU [12] and NodeLua [13]. Additionally, some of In this paper we present the first public Static Analysis for devices running Lua could be used in mission-critical appli- Security Testing (SAST) tool for Lua code that is currently cations, such as automotive 2, radiation/photon experimental focused on web vulnerabilities. We show its potential with physics 3, home automation and more [14]. good and promising preliminary results that we obtained on simple and intentionally vulnerable Lua code samples that we Within the described context, there are several main moti- synthesized for our experiments. We also present and release our vations for our work. First, there is a substantial lack of static synthesized corpus of intentionally vulnerable Lua code, as well analysis tools for Lua as compared to other increasingly popu- as the testing setups used in our experiments in form of virtual lar languages, such as PHP, Python, and JavaScript [15], [16]. and completely reproducible environments. We hope our work In fact, we are only aware of very few such tools that perform can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, as well as static analysis on Lua code. LuaCheck [17], lualint [18] and motivate community’s contribution to these open-source projects. lua-checker [19] are mainly intended for linting and checking The tool, the samples and the testing VM setups will be released the code style rather than performing static code analysis and and updated at http://lua.re and http://lua.rocks. looking for most common security issues (e.g., OWASP Top10 [20]), such as XSS and SQLi. Second, even the state-of-the- I. INTRODUCTION art commercial tools that support dozens of languages and Lua is an interpreted, cross-platform, embeddable, perfor- technologies actually do not support Lua applications [21], mant and low-footprint language that supports “extensible [22], [23]. Even when they do [24], those tools unfortunately semantics, anonymous functions, full lexical scoping, proper support Lua only in dynamic blackbox analysis mode [25], i.e., tail calls, and coroutines” [1]. While not yet extremely visible static analysis of Lua code is not possible. Finally, there is a in the overall programming languages ecosystem, Lua’s pop- ularity is on the rise in the last couple of years. For example, 2See Mercedes-Benz FOSS licenses used within each car cate- in January 2017 it ranks above languages such as Transact- gory http://www4.mercedes-benz.com/manual-cars/ba/foss/content/en/assets/ 1 FOSS licences.pdf SQL and Scala according to TIOBE index of programming 3See APS ANL EPICS Attocube ANC300 Piezo Motion Con- troller usage https://www1.aps.anl.gov/files/download/SECTOR27/Manual% 1Transact-SQL ranked as most popular language in TIOBE index 2013 [2]. 20ANC300%20v3.1.pdf © 2017, Andrei Costin. Under license to IEEE. 132 DOI 10.1109/SPW.2017.38 lack of knowledge on insecure coding patterns and insecure scripting language. Lua is also used at incredible online API calls for Lua code. Baseline corpora of vulnerable samples scale for example in Massive Multiplayer Online Role-Playing and applications exist for other languages such as PHP (e.g., Games (MMORPG) such as World of Warcraft (WoW) [33]. BugBox [26]), Java (e.g., WebGoat [27]) and Server-Side JavaScript (SSJS) (e.g., TestREx [28]). This still tremendously B. Projects, Tools and Utilities helps in understanding insecure coding practices and (anti- Nmap provides Nmap Scripting Engine (NSE) [34], which )patterns in those languages. However, such corpora do not is one of the Nmap’s most powerful and flexible features. It exist for Lua. This limits the general understanding of how to allows its users to write scripts to automate a wide variety securely code in Lua, or how to detect and prevent insecure of networking tasks and for this it embeds a Lua5.2 inter- Lua coding practices in (preferably) automated ways. preter. Wireshark has an embedded Lua interpreter [35] and In summary, our main contributions with this work are: allows writing dissectors, post-dissectors and taps in Lua. Both • We develop and open-source the first static analysis Wireshark and Nmap provide Lua interpreter to allow quick tool for Lua code that mainly focuses on finding most development of network analysis tools. However, if not written common security issues. with security in mind those Lua scripts can be attacked by • We build and open-source the first public corpus of malicious network nodes and traffic using for example log synthetic Lua code samples containing both vulnerable poisoning, command and code injection. Google StreetView and non-vulnerable examples. For example, it can be used team, and Russ Smith primarily, developed lua-checker to as a baseline for tool evaluation/comparison or for secure validate their Lua scripts [19]. Syhunt is using Lua as part coding practices. of their security tools for web applications. They also recently • We release the testing setups used in our experiments in started using Lua modules for web applications within their form of virtual and reproducible environments. Apache and Nginx web servers [36] The rest of this paper is organized as follows. In Section II C. Security Incidents and Malware we start with summaries of the most notorious uses of Lua, which in our opinion are useful for the overall picture and Below we summarize publicly known instances where mal- to further motivate our work. Section III overviews Lua ware, both classical and embedded/IoT, used Lua one way technologies relevant to our work and Section IV describes or another. Since these malware instances (partly) contain our experimental setup. We detail the covered vulnerabilities Lua code, it is perhaps possible to find vulnerabilities within and the vulnerable Lua code corpus in Section V. Then, the malware itself using our tool. Finding vulnerabilities in Section VI we describe the design, implementation and within malicious code can potentially help the cyber-protection preliminary results. We discuss related work in Section VII, organizations in their efforts of limiting the impact of such and conclude with Section VIII. attacks, and taking down the malware and the botnets [37]. 1) Conventional Malware: II. NOTORIOUS LUA USAGE a) Flamer: (a.k.a. Flame, a.k.a. sKyWIper, a.k.a. Sky- Several web directories aggregate regularly updated lists of wiper) [38] is one of the most sophisticated pieces of malware projects, products and companies that use Lua one way or analyzed to that date. It was compared to Stuxnet and Duqu another [29], [30], [14], [31]. In addition to these web direc- in terms of complexity and its use in mainly targeted attacks. tories, the following Google search query can help discover Flamer is described as an info-stealer malware with highly other (sometimes surprising) uses of Lua: modular structure that incorporates multiple propagation and Copyright Lua PUC-Rio filetype:PDF attack techniques. One important piece of this malware is the We strongly encourage the interested readers to explore and mssecmgr.ocx file which contained a Lua interpreter along contribute to these web directories. However, we will focus on with SSH code, and SQL functionality. The Lua interpreter summarizing the most notorious (at least from our perspective) makes this component highly flexible and configurable, allow- Lua use cases. We believe that providing such a summary ing the attackers to deploy updated commands and functional- strongly adds to the motivation behind our work. ity quickly and efficiently. Crysys Lab released a comprehen- sive list of all Lua modules (pre-compiled .luac files) present A. Web and Internet Projects within the malware, and detailed some interesting ones such Wikipedia added Lua as a templating language [8].
Load more

Recommended publications
  • Oracle Communications Policy Management Licensing Information User Manual Release 12.5 Copyright © 2011, 2019, Oracle And/Or Its Affiliates
    Oracle® Communications Policy Management Licensing Information User Manual Release 12.5.1 F16918-02 October 2019 Oracle Communications Policy Management Licensing Information User Manual Release 12.5 Copyright © 2011, 2019, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are “commercial computer software” pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • Avaliação Do Site Sitecheckdoctoronline.Net
    Avaliação do site sitecheckdoctoronline.net Gerado a 02 de Setembro de 2020 05:08 AM O resultado é de 44/100 Conteúdo SEO Título Pro WebSite SEO Rank DocTor - Anlyze Tools Cumprimento : 43 Perfeito, o Título contém entre 10 e 70 caracteres. Descrição Site DocTor ProRank helps to check your web page online, anlyze contents for a better search engine ranking and boot your visitors. Cumprimento : 131 Perfeito, a Descrição META contém entre 70 e 160 caracteres. Palavras-chave Mau. Não detetámos palavras-chave META na sua página. Propriedades Og Boa! Esta página tira vantagens das propriedades Og. Meta Propriedade Conteúdo image http://sitecheckdoctoronline.net/assets/images/ facebook_banner.jpg Cabeçalhos H1 H2 H3 H4 H5 H6 1 5 6 0 0 0 [H1] ProRank Optimize Your Website [H2] 2,484 sites has been analyzed by ProRank [H2] Latest Updated Sites [H2] About Us [H2] Contact Info [H2] Follow Us [H3] In-Depth Reviews [H3] Recommendations Checklist [H3] SEO Analysis [H3] Top Technologies [H3] Top Web Servers [H3] Top Web Frameworks Conteúdo SEO Imagens Encontrámos 61 imagens nesta página. 41 atributos ALT estão vazios ou em falta. É recomendado adicionar texto alternativo de modo a que os motores de busca identifiquem melhor o conteúdo das suas imagens. Rácio Texto/HTML Rácio : 2% O rácio de texto para código HTML desta página é menor que 15 porcento, o que significa que provavelmente é necessário de adicionar mais conteúdos em forma de texto. Flash Perfeito, não foi encontrado conteúdo Flash nesta página. Iframe Excelente, não foram detetadas Iframes nesta página. Ligações SEO Reescrita de URL Perfeito.
    [Show full text]
  • Towards Left Duff S Mdbg Holt Winters Gai Incl Tax Drupal Fapi Icici
    jimportneoneo_clienterrorentitynotfoundrelatedtonoeneo_j_sdn neo_j_traversalcyperneo_jclientpy_neo_neo_jneo_jphpgraphesrelsjshelltraverserwritebatchtransactioneventhandlerbatchinsertereverymangraphenedbgraphdatabaseserviceneo_j_communityjconfigurationjserverstartnodenotintransactionexceptionrest_graphdbneographytransactionfailureexceptionrelationshipentityneo_j_ogmsdnwrappingneoserverbootstrappergraphrepositoryneo_j_graphdbnodeentityembeddedgraphdatabaseneo_jtemplate neo_j_spatialcypher_neo_jneo_j_cyphercypher_querynoe_jcypherneo_jrestclientpy_neoallshortestpathscypher_querieslinkuriousneoclipseexecutionresultbatch_importerwebadmingraphdatabasetimetreegraphawarerelatedtoviacypherqueryrecorelationshiptypespringrestgraphdatabaseflockdbneomodelneo_j_rbshortpathpersistable withindistancegraphdbneo_jneo_j_webadminmiddle_ground_betweenanormcypher materialised handaling hinted finds_nothingbulbsbulbflowrexprorexster cayleygremlintitandborient_dbaurelius tinkerpoptitan_cassandratitan_graph_dbtitan_graphorientdbtitan rexter enough_ram arangotinkerpop_gremlinpyorientlinkset arangodb_graphfoxxodocumentarangodborientjssails_orientdborientgraphexectedbaasbox spark_javarddrddsunpersist asigned aql fetchplanoriento bsonobjectpyspark_rddrddmatrixfactorizationmodelresultiterablemlibpushdownlineage transforamtionspark_rddpairrddreducebykeymappartitionstakeorderedrowmatrixpair_rddblockmanagerlinearregressionwithsgddstreamsencouter fieldtypes spark_dataframejavarddgroupbykeyorg_apache_spark_rddlabeledpointdatabricksaggregatebykeyjavasparkcontextsaveastextfilejavapairdstreamcombinebykeysparkcontext_textfilejavadstreammappartitionswithindexupdatestatebykeyreducebykeyandwindowrepartitioning
    [Show full text]
  • Prologin System Administration Release 2020
    Prologin System Administration Release 2020 Association Prologin Sep 28, 2020 CONTENTS 1 Infrastructure overview 3 1.1 Needs ................................................... 3 1.2 Network infrastructure .......................................... 4 1.3 Machine database ............................................. 4 1.4 User database ............................................... 4 1.5 File storage ................................................ 5 1.6 DHCP and DNS ............................................. 5 1.7 Matches cluster .............................................. 6 1.8 Other small services ........................................... 6 2 Setup instructions 7 2.1 Step 0: hardware and network setup ................................... 7 2.2 Step 1: setting up the core services: MDB, DNS, DHCP ......................... 8 2.3 Step 2: file storage ............................................ 19 2.4 Step 3: booting the user machines .................................... 20 2.5 Step 4: Concours ............................................. 22 2.6 Step 5: Setting up masternode and workernode .............................. 23 2.7 Step 6: Switching to contest mode .................................... 24 2.8 Common tasks .............................................. 24 3 Misc services 27 3.1 /sgoinfre ............................................... 27 3.2 doc .................................................... 28 3.3 paste ................................................... 28 3.4 Redmine ................................................
    [Show full text]
  • Automatic Fingerprinting of Websites Automatisk Fingeravtryckning Av
    DEGREE PROJECT IN COMPUTER ENGINEERING, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2020 Automatic fingerprinting of websites Using clustering and multiple bag-of-words models Automatisk fingeravtryckning av hemsidor Med användning av klustring och flera ordvektormodeller ALFRED BERG NORTON LAMBERG KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ENGINEERING SCIENCES IN CHEMISTRY, BIOTECHNOLOGY AND HEALTH Automatic fingerprinting of websites Using clustering and multiple bag-of-words models Automatisk fingeravtryckning av hemsidor Med användning av klustring och flera ordvektormodeller Alfred Berg Norton Lamberg Examensarbete inom Datateknik, Grundnivå, 15 hp Handledare: Shahid Raza Examinator: Ibrahim Orhan TRITA-CBH-GRU-2020:060 KTH Skolan för kemi, bioteknologi och hälsa 141 52 Huddinge, Sverige Abstract Fingerprinting a website is the process of identifying what technologies a website uses, such as their used web applications and JavaScript frameworks. Current fingerprinting methods use manually created fingerprints for each technology it looks for. These fingerprints consist of multiple text strings that are matched against an HTTP response from a website. Creating these fingerprints for each technology can be time-consuming, which limits what technologies fingerprints can be built for. This thesis presents a potential solution by utilizing unsupervised machine learning techniques to cluster websites by their used web application and JavaScript frameworks, without requiring manually created fingerprints. Our solution uses multiple bag-of-words models combined with the dimensionality reduction technique t-SNE and clustering algorithm OPTICS. Results show that some technologies, for example, Drupal, achieve a precision of 0.731 and recall of 0.485 without any training data. These results lead to the conclusion that the proposed solution could plausibly be used to cluster websites by their web application and JavaScript frameworks in use.
    [Show full text]
  • Omid Raha Mystack Documentation Release 0.1
    Omid Raha MyStack Documentation Release 0.1 Omid Raha Oct 28, 2019 Contents 1 Aircrack-ng 3 1.1 Install...................................................3 1.1.1 Install aircrack-ng 1.2-beta1 from source............................3 2 APPLE 5 2.1 Tips....................................................5 2.1.1 Apple ID............................................5 2.1.2 Hackintosh...........................................5 3 Astronomy 7 3.1 astronomical unit (AU, or au)......................................7 3.2 What Is the Distance Between Earth and Mars?.............................7 3.3 What is the Distance to the Moon?....................................7 3.4 What Is the Distance Between Earth and sun?..............................7 3.5 Software.................................................8 3.6 Galaxy..................................................8 4 Atlassian 9 4.1 Tips....................................................9 4.1.1 Atlassian installation approach.................................9 4.1.2 Atlassian license Prices..................................... 10 4.1.3 Run Jira with docker...................................... 11 4.1.4 Run Confluence with docker.................................. 12 4.1.5 Run Bitbucket Server with docker............................... 12 4.1.6 JIRA is Unable to Start due to Could not create necessary subdirectory............ 12 4.1.7 Atlassian Docker compose file................................. 13 4.1.8 Backup atlassian product.................................... 15 4.1.9 Bamboo............................................
    [Show full text]
  • Open Source Disclosure
    Open source disclosure Last updated June 2020 When we talk about transparent managed security it includes being transparent about the open source software we use to deliver our service. After all, how we secure ourselves (including the security of our code and third-party code we integrate into our Workbench) is a key part of our customers’ security posture. System Open Source Software Name Description Type of Open Source License CentOS Operating System Various Fedora Project Extra Packages Additional applications for CentOS Various for Enterprise Linux (EPEL) Confluent Kafka Stream Processing Apache License Version 2.0 Zookeeper Service Discovery Apache License Version 2.0 Consul Service Discovery Mozilla Public License 2.0 Redis NoSQL DB Three Clause BSD Burrow Kafka monitoring Apache License Version 2.0 Timesketch Collaborative forensic timeline analysis Apache License Version 2.0 Vault Managing secrets Mozilla Public License 2.0 oauth2_proxy Authentication MIT Gravitational Teleport SSH proxy Apache License Version 2.0 Postgres Database PostgreSQL License Packer Image building Mozilla Public License 2.0 Terraform Infrastructure Management Mozilla Public License 2.0 OpenResty Web server Three Clause BSD, Two Clause BSD, MIT, OpenSSL ElasticSearch Document indexing and search Apache License Version 2.0 snoopy Command logging GNU General Public License v2.0 ship_it Python RPM building MIT 1 www.expel.io Python Open Source Software Name Description Type of Open Source License simplejson Simple, fast, extensible JSON encoder/decoder for Academic Free License, MIT Python aiohttp Async http client/server framework (asyncio) Apache License Version 2.0 ansible-tower-cli A CLI tool for Ansible Tower and AWX.
    [Show full text]
  • Cloud Native Core Licensing Information User Manual
    Oracle® Communications Cloud Native Core Licensing Information User Manual Release 2.1.0 F22873-02 January 2020 Oracle Communications Cloud Native Core Licensing Information User Manual, Release 2.1.0 F22873-02 Copyright © 2019, 2020, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]