
RESEARCH PRODUCT

Lua Code: Security Overview and Practical Approaches to Static Analysis

Andrei Costin

subject

Java, Computer science, vulnerability, Static program analysis, 02 engineering and technology, Lua, JavaScript, Security testing, programming languages (ohjelmointikielet), 020204 information systems, programming languages, 0202 electrical engineering electronic engineering information engineering, Web application, data security (tietoturva), data security, vulnerability (haavoittuvuus), computer.programming_language, Codebase, ta113, business.industry, ComputingMilieux_PERSONALCOMPUTING, 020207 software engineering, Python (programming language), Static analysis, Abstract syntax tree, Software engineering, business, computer

description

Lua is an interpreted, cross-platform, embeddable, performant and low-footprint language. Lua's popularity has been on the rise over the last couple of years. Its simple design and efficient use of resources, combined with its performance, make it attractive for production web applications even to large organizations such as Wikipedia, CloudFlare and GitHub. In addition, Lua is one of the preferred choices for programming embedded and IoT devices. This context allows one to assume a large and growing Lua codebase that has yet to be assessed. This growing Lua codebase could potentially be driving production servers and an extremely large number of devices, some perhaps with mission-critical functions, for example in the automotive or home-automation domains. However, there is a substantial and obvious lack of static analysis tools and vulnerable code corpora for Lua compared to other increasingly popular languages such as PHP, Python and JavaScript. Even state-of-the-art commercial tools that support dozens of languages and technologies do not actually support Lua static code analysis. In this paper we present the first public Static Analysis for Security Testing (SAST) tool for Lua code, currently focused on web vulnerabilities. We show its potential with good and promising preliminary results obtained on simple and intentionally vulnerable Lua code samples that we synthesized for our experiments. We also present and release our synthesized corpus of intentionally vulnerable Lua code, as well as the testing setups used in our experiments, in the form of virtual and completely reproducible environments. We hope our work can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, and motivate the community's contribution to these open-source projects. The tool, the samples and the testing VM setups will be released and updated at http://lua.re and http://lua.rocks.

DOI: 10.1109/spw.2017.38

http://juuli.fi/Record/0331885117