2017 IEEE Symposium on Security and Privacy Workshops Lua code: security overview and practical approaches to static analysis Andrei Costin∗† ∗University of Jyvaskyl¨ a¨ Jyvaskyl¨ a,¨ Finland ancostin@jyu.fi †Firmware.RE andrei@firmware.re Abstract—Lua is an interpreted, cross-platform, embeddable, languages’ popularity [2], and above languages such as Go and performant and low-footprint language. Lua’s popularity is on Delphi according to PYPL index [3]. On the one hand, Lua’s the rise in the last couple of years. Simple design and efficient us- lack of sufficient visibility could be explained by a series of age of resources combined with its performance make it attractive for production web applications even to big organizations such factors, such as quantitative and qualitative lack of libraries as Wikipedia, CloudFlare and GitHub. In addition to this, Lua is in LuaRocks compared to RubyGems (for Ruby), PyPI (for one of the preferred choices for programming embedded and IoT Python) and CPAN (for Perl) [4]. On the other hand, Lua’s devices. This context allows to assume a large and growing Lua rise in popularity [2], [5] could be explained by the follow- codebase yet to be assessed. This growing Lua codebase could ing aspects. First, the simple design combined with efficient be potentially driving production servers and extremely large number of devices, some perhaps with mission-critical function performance and resource usage [6], [7] make it attractive for for example in automotive or home-automation domains. production web applications even to big organizations such However, there is a substantial and obvious lack of static as Wikipedia [8], CloudFlare [9] and GitHub [10]. Second, analysis tools and vulnerable code corpora for Lua as compared there is an exploding market and an overwhelming popularity to other increasingly popular languages, such as PHP, Python of extremely low-cost IoT chipsets such as ESP8266 [11] and JavaScript. Even the state-of-the-art commercial tools that support dozens of languages and technologies actually do not that can run Lua code using open-source firmware such as support Lua static code analysis. NodeMCU [12] and NodeLua [13]. Additionally, some of In this paper we present the first public Static Analysis for devices running Lua could be used in mission-critical appli- Security Testing (SAST) tool for Lua code that is currently cations, such as automotive 2, radiation/photon experimental focused on web vulnerabilities. We show its potential with physics 3, home automation and more [14]. good and promising preliminary results that we obtained on simple and intentionally vulnerable Lua code samples that we Within the described context, there are several main moti- synthesized for our experiments. We also present and release our vations for our work. First, there is a substantial lack of static synthesized corpus of intentionally vulnerable Lua code, as well analysis tools for Lua as compared to other increasingly popu- as the testing setups used in our experiments in form of virtual lar languages, such as PHP, Python, and JavaScript [15], [16]. and completely reproducible environments. We hope our work In fact, we are only aware of very few such tools that perform can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, as well as static analysis on Lua code. LuaCheck [17], lualint [18] and motivate community’s contribution to these open-source projects. lua-checker [19] are mainly intended for linting and checking The tool, the samples and the testing VM setups will be released the code style rather than performing static code analysis and and updated at http://lua.re and http://lua.rocks. looking for most common security issues (e.g., OWASP Top10 [20]), such as XSS and SQLi. Second, even the state-of-the- I. INTRODUCTION art commercial tools that support dozens of languages and Lua is an interpreted, cross-platform, embeddable, perfor- technologies actually do not support Lua applications [21], mant and low-footprint language that supports “extensible [22], [23]. Even when they do [24], those tools unfortunately semantics, anonymous functions, full lexical scoping, proper support Lua only in dynamic blackbox analysis mode [25], i.e., tail calls, and coroutines” [1]. While not yet extremely visible static analysis of Lua code is not possible. Finally, there is a in the overall programming languages ecosystem, Lua’s pop- ularity is on the rise in the last couple of years. For example, 2See Mercedes-Benz FOSS licenses used within each car cate- in January 2017 it ranks above languages such as Transact- gory http://www4.mercedes-benz.com/manual-cars/ba/foss/content/en/assets/ 1 FOSS licences.pdf SQL and Scala according to TIOBE index of programming 3See APS ANL EPICS Attocube ANC300 Piezo Motion Con- troller usage https://www1.aps.anl.gov/files/download/SECTOR27/Manual% 1Transact-SQL ranked as most popular language in TIOBE index 2013 [2]. 20ANC300%20v3.1.pdf © 2017, Andrei Costin. Under license to IEEE. 132 DOI 10.1109/SPW.2017.38 lack of knowledge on insecure coding patterns and insecure scripting language. Lua is also used at incredible online API calls for Lua code. Baseline corpora of vulnerable samples scale for example in Massive Multiplayer Online Role-Playing and applications exist for other languages such as PHP (e.g., Games (MMORPG) such as World of Warcraft (WoW) [33]. BugBox [26]), Java (e.g., WebGoat [27]) and Server-Side JavaScript (SSJS) (e.g., TestREx [28]). This still tremendously B. Projects, Tools and Utilities helps in understanding insecure coding practices and (anti- Nmap provides Nmap Scripting Engine (NSE) [34], which )patterns in those languages. However, such corpora do not is one of the Nmap’s most powerful and flexible features. It exist for Lua. This limits the general understanding of how to allows its users to write scripts to automate a wide variety securely code in Lua, or how to detect and prevent insecure of networking tasks and for this it embeds a Lua5.2 inter- Lua coding practices in (preferably) automated ways. preter. Wireshark has an embedded Lua interpreter [35] and In summary, our main contributions with this work are: allows writing dissectors, post-dissectors and taps in Lua. Both • We develop and open-source the first static analysis Wireshark and Nmap provide Lua interpreter to allow quick tool for Lua code that mainly focuses on finding most development of network analysis tools. However, if not written common security issues. with security in mind those Lua scripts can be attacked by • We build and open-source the first public corpus of malicious network nodes and traffic using for example log synthetic Lua code samples containing both vulnerable poisoning, command and code injection. Google StreetView and non-vulnerable examples. For example, it can be used team, and Russ Smith primarily, developed lua-checker to as a baseline for tool evaluation/comparison or for secure validate their Lua scripts [19]. Syhunt is using Lua as part coding practices. of their security tools for web applications. They also recently • We release the testing setups used in our experiments in started using Lua modules for web applications within their form of virtual and reproducible environments. Apache and Nginx web servers [36] The rest of this paper is organized as follows. In Section II C. Security Incidents and Malware we start with summaries of the most notorious uses of Lua, which in our opinion are useful for the overall picture and Below we summarize publicly known instances where mal- to further motivate our work. Section III overviews Lua ware, both classical and embedded/IoT, used Lua one way technologies relevant to our work and Section IV describes or another. Since these malware instances (partly) contain our experimental setup. We detail the covered vulnerabilities Lua code, it is perhaps possible to find vulnerabilities within and the vulnerable Lua code corpus in Section V. Then, the malware itself using our tool. Finding vulnerabilities in Section VI we describe the design, implementation and within malicious code can potentially help the cyber-protection preliminary results. We discuss related work in Section VII, organizations in their efforts of limiting the impact of such and conclude with Section VIII. attacks, and taking down the malware and the botnets [37]. 1) Conventional Malware: II. NOTORIOUS LUA USAGE a) Flamer: (a.k.a. Flame, a.k.a. sKyWIper, a.k.a. Sky- Several web directories aggregate regularly updated lists of wiper) [38] is one of the most sophisticated pieces of malware projects, products and companies that use Lua one way or analyzed to that date. It was compared to Stuxnet and Duqu another [29], [30], [14], [31]. In addition to these web direc- in terms of complexity and its use in mainly targeted attacks. tories, the following Google search query can help discover Flamer is described as an info-stealer malware with highly other (sometimes surprising) uses of Lua: modular structure that incorporates multiple propagation and Copyright Lua PUC-Rio filetype:PDF attack techniques. One important piece of this malware is the We strongly encourage the interested readers to explore and mssecmgr.ocx file which contained a Lua interpreter along contribute to these web directories. However, we will focus on with SSH code, and SQL functionality. The Lua interpreter summarizing the most notorious (at least from our perspective) makes this component highly flexible and configurable, allow- Lua use cases. We believe that providing such a summary ing the attackers to deploy updated commands and functional- strongly adds to the motivation behind our work. ity quickly and efficiently. Crysys Lab released a comprehen- sive list of all Lua modules (pre-compiled .luac files) present A. Web and Internet Projects within the malware, and detailed some interesting ones such Wikipedia added Lua as a templating language [8].