lua code security overview and practical approaches to
play

Lua Code: Security Overview and Practical Approaches to Static - PowerPoint PPT Presentation

Mar 09, 2024 •138 likes •374 views

IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland Agenda Introduction Contributions

  1. IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland

  2. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 2

  3. Introduction Lua (Moon in Brazilian/Portuguese) ● Ierusalimschy et al., Pontifical Catholic University of Rio de Janeiro in – Brazil (PUC-Rio) [IER96] Interpreted, cross-platform, embeddable , performant and low-footprint ● language Supports “extensible semantics, anonymous functions, full lexical scoping, ● proper tail calls, and coroutines” [IER96] Many Lua resources: https://github.com/LewisJEllis/awesome-lua ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 3

  4. Introduction Lua's popularity is on the rise ● TIOBE Index ● 27th most popular (May 2017) – Par or above: T-SQL , Lisp, Ada, Fortran, Scala, LabVIEW, Prolog, Haskell, – Erlang, Bash PYPL Index ● 19th most popular (May 2017) – Par or above: Go , Delphi, Haskell – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 4

  5. Introduction Lua in numbers ● PHP is 16x-to-20x more „popular“ (PYPL Index, GitHub repository count by – „language:“) Still, around 30k Lua-based GitHub repositories – Several millions ESP8266, ready for NodeLua/NodeMCU Lua firmware – Huge number of other devices with Lua support/APIs – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 5

  6. Introduction Lua in notorious use cases ● Web-facing Projects – Wikipedia, GitHub, CloudFlare ● Tools, Projects – Nmap, Wireshark, OpenWRT ● Conventional Malware – Flamer, EvilBunny, ProjectSauron ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 6

  7. Introduction Lua in notorious use cases ● IoT-specific Malware – LuaBot ● Incredible amount of other important but less known projects – IoT ● Home Automation ● SCADA/ICS ● Automotive ● Wireless/Mobile Chipsets ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 7

  8. Introduction: Motivation Zero SAST tools for Lua code ● Many tools/services for other languages – Coverity, VeraCode, AppScan, CodeClimate, RIPS, etc. – Zero datasets with (intentionally) vulnerable Lua samples for experimentation ● Many datasets/projects for other languages – BugBox, DVWA, WebGoat, SQLol, etc. – Not much systematic research on Lua security, e.g., [DAR14] ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 8

  9. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 9

  10. Contributions Develop and open-source the first and only static analysis tool for Lua code ● Build and open-source the first public corpus of synthetic Lua code samples ● Create and release the testing setups used in our experiments in form of ● virtual and reproducible environments 25th May 2017 Andrei Costin, Lua Code, LangSec'17 10

  11. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 11

  12. Implementation www.lua.re ● ANTLR4-based Python parser [PAR13] ● Lua.g4 from ANTLR's Grammars-V4 repository [SAK13] ● Built-in unit-tests ● $MSL/tests/test_msl_defaultconfig.py – $MSL/tests/test_msl_VariousTests1.py – $MSL/tests/test_msl_LangSec17.py – Own Python-based unsophisticated taint engine ● $MSL/taint/ – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 12

  13. Implementation Flexible configurations and taint rules ● $MSL/config/defaultconfig.py – Taint sensitive sinks (e.g., io.write) – Taint unsanitizers (e.g., htmlunescape) – Taint sanitizers (e.g., htmlentities) – Taint propagation/passthru (e.g., strcat and '..' concat operator) – Some combinations of above (e.g., see fake_strcat_print_popen) – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 13

  14. Examples, Results Detects all the simple synthetic TP test-cases and Avoids all the simple ● synthetic FP test-cases $MSL/tests/test_msl_VariousTests1.py – $MSL/tests/test_msl_LangSec17.py – Works on simple real-world code ● CVE-2014-4329: „Cross-site scripting (XSS) vulnerability in – lua/host_details.lua in ntopng 1.1 allows remote attackers to inject arbitrary web script or HTML via the host parameter.“ 25th May 2017 Andrei Costin, Lua Code, LangSec'17 14

  15. Examples, Results CVE-2014-4329 with our tool: „... via the host and page parameters. “ ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 15

  16. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 16

  17. Conclusions Lua is a powerful and performant dynamic language ● Lua's popularity is on the rise within the embedded/IoT applications ● Obvious lack of both static analysis tools for Lua code and corpora of ● vulnerable Lua code samples We bridge the gap by open-sourcing: Lua SAST tool, vulnerable code samples ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 17

  18. Conclusions and Future Work Dramatically improve performance ● Improve the parser/lexer (e.g., fails on some real-world code snippets) ● Add missing features (e.g., dofile() and includes) ● Improve taint engine and rules ● Generic configurable taint engine? – Interface with Joern engine [JOER] – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 18

  19. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 19

  20. Acknowledgements NLnet.nl Foundation and Binary Analysis Tools (BAT) Project ● This project was supported by the NLnet.nl grant: 2014-09-017e – Michiel Leenaars from NLnet foundation ● Armijn Hemel from Tjaldur Software Governance Solutions ● LangSec'17 reviewers, shepherds and organizers! ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 20

  21. Q&A Questions, suggestions, ideas? ● www.lua.re ancostin@jyu.fi andrei@firmware.re Twitter: @costinandrei 25th May 2017 Andrei Costin, Lua Code, LangSec'17 21

  22. References [IER96] R. Ierusalimschy, L. H. De Figueiredo, and W. Celes Filho, “Lua – an ● extensible extension language”, 1996 [PAR13] T. Parr, "The definitive ANTLR 4 reference". Pragmatic Bookshelf, ● 2013 [SAK13] K. Sakamoto, A. Alexeev, ● https://github.com/antlr/grammars-v4/blob/master/lua/Lua.g4 [JOER] F. Yamaguchi, "An Intelligent and Robust Code Analysis Platform for ● C/C++" [DAR14] F. Daragon, „Lua Web Application Security Vulnerabilities“ ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 22

  23. IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad

Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad

UCRL-PRES-150024 Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad Wallin, Albert Nichols, Richard Sharp Lawrence Livermore National Laboratory Presented to workshop on Numerical Methods for

656 views • 21 slides
Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code

Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code

Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code Repositories Mining of Source Code Repositories Huzefa H. Kagdi, Michael L. Collard, Jonathan I. Maletic Software Development Laboratory

430 views • 5 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on spreadsheet interaction Using R for teaching statistics to nonmajors: Comparing experiences of 2.5 different approaches Thomas Baier University of

639 views • 7 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller

Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller

How Are We Doing and Where Do We Go From Here? Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller Center for Alternative Dispute Resolution Annual Conference June 27, 2014 Presentation Overview

891 views • 16 slides
Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks 2 Basic Networking:

604 views • 35 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for Combinatorial problems QTML Workshop Verona, Nov 6 (2017) - Davide Venturelli davide.venturelli@nasa.gov Challenges to Practical End-to-end

1.08k views • 79 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Developer at the company Tieto Recently done Master Thesis on the

940 views • 82 slides
Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Practical Security and Key Management Management University of Amsterdam Introduction SNE - Research Project 2 Research Question Security levels Secure elements By: Key Magiel van der Meer management PGP

778 views • 20 slides
Practical informations Practical informations Send source code to:

Practical informations Practical informations Send source code to:

Practical informations Practical informations Send source code to: christophe.leblanc@ulg.ac.be p g 2D and 3D curves: curvature 2D and 3D curves: curvature Compute the curvatures of two curves: 2D: (Semi) circle of radius r=1 ( )

237 views • 6 slides
Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

www.liberouter.org Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST Regional Symposium for Europe Security Tools as a Service Flow monitoring overview Flow monitoring extended by application layer

1.99k views • 184 slides
Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H.

Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H.

Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H. Mark Guo, MD, FACC, FHRS Clinical Cardiac Electrophysiology Oregon Heart & Vascular Institute hguo@ peacehealth.org Disclosure SYSTEMS OF

1.4k views • 40 slides
Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC

Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC

Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC Depts. of Medicine, Biochemistry & Molecular Biology and Cardiac Sciences Julia McFarlane Diabetes Research Centre University of Calgary

958 views • 38 slides
Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data

Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data

Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data Flow Models? Why Data Flow Models? Models from Chapter 5 emphasized control Models from Chapter 5 emphasized control Control flow

375 views • 33 slides
Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50% detection The new way examine underlying behavior: One-to- many 1 Specifying Behaviors NtOpenKey \CurrentVersion\Run NtDeleteValueKey

1.58k views • 102 slides
Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers Device Drivers User User space program User User level I/O software & libraries Kernel space Device independent OS software Operating

765 views • 5 slides
Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member Programming lover qazbnm456 @boik_su Agenda Brief introduction to CodeQL CodeQLs Tricks Replicate CVEs to find you CVEs More

2.1k views • 63 slides
Project TALC Interviews with Developers of Evidence-Based Programs for Teen Pregnancy Prevention

Project TALC Interviews with Developers of Evidence-Based Programs for Teen Pregnancy Prevention

A WORD FROM THE EXPERTS Project TALC Interviews with Developers of Evidence-Based Programs for Teen Pregnancy Prevention 1 This webinar was developed by Child Trends under contract #GS-10F-0030R for the Office of Adolescent Health; US

306 views • 15 slides
TALx86: A Realistic Typed Assembly Language TALx86: A Realistic Typed Assembly Language Dan

TALx86: A Realistic Typed Assembly Language TALx86: A Realistic Typed Assembly Language Dan

TALx86: A Realistic Typed Assembly Language TALx86: A Realistic Typed Assembly Language Dan Grossman, Fred Smith Cornell University Joint work with: Greg Morrisett, Karl Crary (CMU), Neal Glew, Richard Samuels, Dave Walker, Stephanie Weirich,

447 views • 20 slides
ITS INCORPORATION INTO SPARSE UNMIXING FOR MINERAL IDENTIFICATION Thanh Bui 1,2 , Beate Orberger

ITS INCORPORATION INTO SPARSE UNMIXING FOR MINERAL IDENTIFICATION Thanh Bui 1,2 , Beate Orberger

BUILDING A HYPERSPECTRAL LIBRARY AND ITS INCORPORATION INTO SPARSE UNMIXING FOR MINERAL IDENTIFICATION Thanh Bui 1,2 , Beate Orberger 3,4 , Simon B. Blancher 1 , Ali Mohammad- Djafari 4 , Henry Pilliere 5 , Anne Salaun 1 , Xavier Bourrat 6 ,

659 views • 30 slides
Minerals 1 Minerals Minerals are: Naturally occurring, Inorganic, Solid, Have

Minerals 1 Minerals Minerals are: Naturally occurring, Inorganic, Solid, Have

Minerals 1 Minerals Minerals are: Naturally occurring, Inorganic, Solid, Have a definite chemical composition, and Have a definite crystal structure Mineral: Quartz, Pyrite Not Mineral: cement, steel 2 Minerals

475 views • 23 slides

More recommend